[rabbitmq-discuss] x509 Authentication

Warren Smith wsmith at tacc.utexas.edu
Tue Dec 20 22:35:14 GMT 2011


I haven't checked back with the developers, but what I ended up doing was hacking the rabbit_auth_mechanism_ssl plugin to do what I want (I should have created a new plugin, but...). I replaced the init() function in rabbit_auth_mechanism_ssl.erl with:

init(Sock) ->
    Username = case rabbit_net:peercert(Sock) of
                   {ok, C} ->
                       %% Use the full subject DN, with every double quote
                       %% removed, as the user name.
                       DNWithQuotes = lists:flatten(rabbit_ssl:peer_cert_subject(C)),
                       DN = list_to_binary([E || E <- DNWithQuotes, E =/= $"]),
                       rabbit_log:info("  subject: ~p~n", [DN]),
                       case config_sane() of
                           true  -> DN;
                           false -> {refused, "configuration unsafe", []}
                       end;
                   {error, no_peercert} ->
                       {refused, "no peer certificate", []};
                   nossl ->
                       {refused, "not SSL connection", []}
               end,
    #state{username = Username}.

And built the plugin (look at http://www.rabbitmq.com/plugin-development.html, in particular Getting Started).

I was having some issues with quotes in DNs and how Erlang does them vs. how openssl does them (I'm using openssl to get DN strings from X.509 certificates before calling rabbitmqctl set_permissions). So the code above just removes quotes from DNs when creating user names.

This was with RabbitMQ 2.4.1, so I can't guarantee that the modification above works with the current version.


Warren


-----Original Message-----
From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of John Ruiz
Sent: Tuesday, December 20, 2011 4:07 PM
To: rabbitmq-discuss at lists.rabbitmq.com
Subject: [rabbitmq-discuss] x509 Authentication

Have there been any changes since this thread?

https://groups.google.com/group/rabbitmq-discuss/browse_thread/thread/3d4c11d3b9a58d3c/5a93c4460ec3e351?lnk=gst&q=+ssl+authentication#5a93c4460ec3e351

Like the original author, I would like to be able to use the DN of the
certificate's subject as the identity of the user connecting to
rabbitmq.
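
The quote-stripping rule in the modified init() is lossy, so the side that creates the broker users has to apply the same rule and confirm that no two certificate subjects collapse to one user name. The sketch below is an added example in Python, not code from the thread or from RabbitMQ; the function names are hypothetical and the DN strings are constructed samples.

```python
"""Provisioning-side check for the quote-stripping rule in the modified init()."""
from collections import defaultdict


def username_from_dn(dn: str) -> str:
    # Same rule as the Erlang list comprehension: drop every double quote and
    # change nothing else (no case folding, no whitespace trimming).
    return dn.replace('"', "")


def find_collisions(dns):
    """Group distinct DN strings that collapse to the same broker user name."""
    by_user = defaultdict(set)
    for dn in dns:
        by_user[username_from_dn(dn)].add(dn)
    return {user: sorted(group) for user, group in by_user.items() if len(group) > 1}


def plan_users(dns):
    """Map each DN to the user name to create; refuse an ambiguous mapping."""
    collisions = find_collisions(dns)
    if collisions:
        raise ValueError(f"ambiguous DN to user mapping: {collisions}")
    return {dn: username_from_dn(dn) for dn in dns}


# Constructed sample subjects (assumed DN text form, not from the original post).
SAMPLE_DNS = [
    'CN=broker-client-1,O="Example, Inc.",C=US',
    'CN=broker-client-2,O=Example Org,C=US',
]

if __name__ == "__main__":
    for dn, user in plan_users(SAMPLE_DNS).items():
        # A changed value means this user name depends on the quote removal.
        marker = "stripped" if dn != user else "unchanged"
        print(f"{marker}: {user}")
```

Run it over the full list of subjects before creating users and setting permissions, and treat a raised error as a reason to stop rather than to pick one of the colliding certificates.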