[rabbitmq-discuss] X.509 client authentication

Warren Smith wsmith at tacc.utexas.edu
Thu Jan 6 14:36:29 GMT 2011


Hi all,

I'm investigating using RabbitMQ as part of a project and I've got a question about client authentication. Right now, the clients in this project (users, daemons, etc.) all have X.509 certificates.  It would be very useful if these identities could be used for authentication and authorization in RabbitMQ.

I found the SSL documentation for RabbitMQ and I've been working on configuring a RabbitMQ service to support SSL. However, it appears that even if the client program presents a certificate for authentication, this identity doesn't seem to be used by RabbitMQ. The client still needs to present a username/password - this is what I'd like to avoid.

Is it currently possible to use the DN in the client certificate as the identity of the client? I found a thread about this on the email list (http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2009-July/004045.html) and the conclusion seemed to be that using the client DN was possible with some modifications to RabbitMQ and that someone was going to take a look at it. I don't see it referenced anywhere else, so maybe it didn't happen.

The approach of mapping the DN in a client certificate to a RabbitMQ username and then doing authorization based on that username seems like it would work fine for what I'm trying to do, btw.

Thanks,

Warren
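
The DN-to-username mapping described in the message above, sketched as an added example (not part of the original post and not RabbitMQ code): it parses the subject DN string with RFC 4514 backslash escaping and matches the whole normalized DN against a table. The DNs, usernames and function names are constructed, and it assumes the TLS layer has already validated the certificate chain against a trusted CA.

```python
# Added example; every name and DN here is constructed for illustration.
SPECIALS = set(',+"\\<>;= #')   # characters RFC 4514 allows after a backslash

def split_unescaped(s, sep):
    """Split s on sep, ignoring separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        step = 2 if s[i] == "\\" and i + 1 < len(s) else 1
        if step == 1 and s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i:i + step]    # escape pairs are kept for unescape()
        i += step
    return parts + [cur]

def unescape(value):
    """Decode backslash escapes; reject forms this sketch does not handle."""
    out, i = "", 0
    while i < len(value):
        if value[i] != "\\":
            out, i = out + value[i], i + 1
        elif i + 1 < len(value) and value[i + 1] in SPECIALS:
            out, i = out + value[i + 1], i + 2
        else:
            raise ValueError("unsupported escape (hex pairs included)")
    return out

def normalize_dn(dn):
    """Return a tuple of RDNs, each a sorted tuple of (TYPE, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError("malformed RDN")
            # Types compare case-insensitively; values stay exact (stricter).
            avas.append((attr.strip().upper(), unescape(value)))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)              # RDN order is significant

def username_for(dn, table):
    """Exact match on the whole DN; unknown or malformed input gives None."""
    try:
        return table.get(normalize_dn(dn))
    except ValueError:
        return None                 # fail closed

DN_TO_USER = {                      # constructed sample mapping
    normalize_dn("CN=alice,OU=Users,O=Example Grid,C=US"): "alice",
    normalize_dn("CN=ingest-daemon,OU=Services,O=Example Grid,C=US"): "ingest"}
```

Matching the full parsed DN rather than searching the string for `CN=` means a value that merely contains `,CN=alice` after an escaped comma does not resolve to `alice`.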