[rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations

Matthias Radestock matthias at rabbitmq.com
Thu Jul 7 18:26:14 BST 2011


Massimo,

On 07/07/11 17:17, Massimo Paladin wrote:
> Matthias, would you say there is no way to get this right?

I don't know. It's a tricky problem.

> In any case I think this implementation is not very useful since it
> takes one CN (which one if multiple?) as username and limit to only
> one CA signed certificates.

The current implementation does not permit multi-valued CNs. I don't 
remember whether the x509 RFCs permit them.

We could just forget about ASN.1/x509's obscure notions of equivalence 
and convert the DNs to strings according to RFC 4514. That will be ok as 
long as users always present exactly the same certificate and whoever 
provisions the rabbit auth db can get hold of the certificates or the 
RFC 4514 presentations of their subject DNs.

In practice that would probably also work in many cases where users 
present multiple certs containing the same logical subject DN. But there 
is no guarantee of that since it is possible for, say, two CAs to issue 
certs for the same subject DN but construct the underlying ASN.1 
differently such that an RFC4514 conversion to string produces different 
results. Or even for the same CA to do that when a cert is renewed.


Regards,

Matthias.


More information about the rabbitmq-discuss mailing list