[rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations

Massimo Paladin Massimo.Paladin at cern.ch
Wed Jul 13 09:31:46 BST 2011


We are dealing with 10s of CAs and thousands of certificates.

We have been using serialized DNs for years in ActiveMQ and we didn't have
problems.
Usually we get the DN and we just add it to the configuration. The update of
a DN is usually not an operation which causes us trouble.

Regards,
---
Massimo Paladin

email: massimo.paladin at gmail.com
website: http://www.mpaladin.com
flickr's page: http://flickr.com/photos/massimop



On Tue, Jul 12, 2011 at 5:42 PM, Simon MacMullen <simon at rabbitmq.com> wrote:
> On 12/07/11 16:33, Massimo Paladin wrote:
>>
>> Will this take part of the next release?
>
> I doubt it, nothing has been done.
>
> This is something Matthias and I have been arguing about for ages. I
> suspect that even though just RFC 4514-serialising the DN and doing string
> matching is completely wrong in theory, in practice it would be what a
> decent number of users would want. Matthias thinks that it will lead into
> a tarpit of bugs around DN equivalence. And I have to admit that he has
> much more real world experience dealing with stupid SSL / x509 behaviour
> than I do!
>
> But neither of us really know. Hearing from people like you who want this
> would be helpful:
>
> * If you have many CAs, is that just a bunch of internal sysadmins running
> OpenSSL or real-world CAs?
>
> * If you had to update usernames when a user had a new certificate and the
> DN format changed for some daft reason, how big a deal would that be?
>
> etc etc...
>
> Cheers, Simon
>
> --
> Simon MacMullen
> RabbitMQ, VMware
>
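
The DN-equivalence concern raised in the quoted reply, as an added example (not code from this thread, from RabbitMQ, or from the plugin): four RFC 4514 renderings of one subject compare as four different usernames under plain string matching and as one after normalization. The sample DNs are constructed, and the `OID_ALIASES` table and the case-folding rule are assumptions that approximate caseIgnoreMatch rather than implement full X.500 matching.

```python
import re

# Constructed sample: one subject DN as four different tools might print it.
SAMPLES = [
    "CN=Alice Example,OU=Users,O=Example Org,C=CH",
    "cn=alice  example, ou=Users, o=Example Org, c=ch",
    "CN=Alice\\20Example,OU=Users,O=Example Org,C=CH",
    "2.5.4.3=Alice Example,OU=Users,O=Example Org,C=CH",
]
# Assumption: a small alias table; a real deployment needs every type it uses.
OID_ALIASES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.10": "o", "2.5.4.11": "ou"}

def _split(s, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    parts.append(cur)
    return parts

def _unescape(value):
    """Decode RFC 4514 escapes: \\XX hex pairs and \\<char>."""
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})|\\(.)",
                 lambda m: bytes([int(m[1], 16)]) if m[1] else m[2],
                 value.encode())
    return raw.decode("utf-8", "replace")

def normalize_dn(dn):
    """Approximate caseIgnoreMatch: fold case, collapse spaces, map OIDs."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = set()
        for ava in _split(rdn, "+"):
            typ, _, val = ava.partition("=")
            typ = typ.strip().lower()
            val = " ".join(_unescape(val).split()).casefold()
            avas.add((OID_ALIASES.get(typ, typ), val))
        rdns.append(frozenset(avas))  # AVAs inside one RDN are unordered
    return tuple(rdns)

def distinct_counts(dns):
    """Return (distinct raw strings, distinct normalized DNs)."""
    return len(set(dns)), len({normalize_dn(d) for d in dns})

if __name__ == "__main__":
    print(distinct_counts(SAMPLES))
```

With exact string matching, a rendering change like these locks the user out until the configured DN is updated, which is the maintenance cost the second question in the quoted reply asks about.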