[rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations

Simon MacMullen simon at rabbitmq.com
Tue Jul 12 16:42:38 BST 2011


On 12/07/11 16:33, Massimo Paladin wrote:
> Will this be part of the next release?

I doubt it, nothing has been done.

This is something Matthias and I have been arguing about for ages. I 
suspect that even though just RFC 4514-serialising the DN and doing 
string matching is completely wrong in theory, in practice it would be 
what a decent number of users would want. Matthias thinks that it will 
lead into a tarpit of bugs around DN equivalence. And I have to admit 
that he has much more real world experience dealing with stupid SSL / 
x509 behaviour than I do!

But neither of us really knows. Hearing from people like you who want 
this would be helpful:

* If you have many CAs, is that just a bunch of internal sysadmins 
running OpenSSL or real-world CAs?

* If you had to update usernames when a user had a new certificate and 
the DN format changed for some daft reason, how big a deal would that be?

etc etc...

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, VMware
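
The DN equivalence problem discussed in the message above, as an added example (not part of the original post and not RabbitMQ plugin code): two constructed RFC 4514 strings for the same subject fail a plain string comparison but match once escapes, case and whitespace are normalised. All names are hypothetical, and treating every attribute as case-insensitive is an assumption of this sketch.

```python
import re

# Constructed sample: one subject, serialised the way two tools might print it.
SAMPLE_A = "CN=Smith\\, Alice,O=Example Corp,C=GB"
SAMPLE_B = "cn=Smith\\2C alice, o=example  corp, c=gb"

# A backslash followed by a hex pair, or by any single byte.
ESC = re.compile(rb"\\(?:([0-9A-Fa-f]{2})|(.))", re.S)

def split_unescaped(s, sep):
    """Split on sep, skipping any character that follows a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        step = 2 if s[i] == "\\" else 1
        if step == 1 and s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i:i + step]
        i += step
    return parts + [cur]

def unescape(value):
    """Decode backslash escapes: '\\,' style and '\\2C' hex-pair style."""
    def repl(m):
        return bytes([int(m[1], 16)]) if m[1] else m[2]
    return ESC.sub(repl, value.encode()).decode("utf-8")

def normalise(dn):
    """Tuple of RDNs; each RDN is a sorted tuple of (type, folded value)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")
            # Assumption: case-insensitive, whitespace-collapsing matching
            # for every attribute type (holds for CN, O, OU, C).
            folded = " ".join(unescape(val).split()).casefold()
            avas.append((typ.strip().lower(), folded))
        rdns.append(tuple(sorted(avas)))  # AVA order inside an RDN is not significant
    return tuple(rdns)

def dn_equal(a, b):
    """Compare two serialised DNs after normalisation; RDN order still matters."""
    return normalise(a) == normalise(b)
```

Here `SAMPLE_A == SAMPLE_B` is false while `dn_equal(SAMPLE_A, SAMPLE_B)` is true, so a username keyed on the raw string would stop matching if the serialisation changed.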

