[rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations

Gordon Sim gsim at redhat.com
Wed Jul 13 09:53:55 BST 2011


On 07/12/2011 04:42 PM, Simon MacMullen wrote:
> This is something Matthias and I have been arguing about for ages. I
> suspect that even though just RFC 4514-serialising the DN and doing
> string matching is completely wrong in theory, in practice it would be
> what a decent number of users would want. Matthias thinks that it will
> lead into a tarpit of bugs around DN equivalence. And I have to admit
> that he has much more real world experience dealing with stupid SSL /
> x509 behaviour than I do!

The RFC 4514 strings are also a little unwieldy. E.g. if you need to use 
the name in ACLs or if application logic checks the publisher of a 
message or whatever.

I'm certainly no expert but fwiw what I did was to concatenate any DC 
elements separated by a '.' to form a domain qualifier and appended that 
to the CN.

e.g. CN=bob,DC=example,DC=com => bob@example.com

It's not canonical, and I'm sure it wouldn't work for every case 
(doesn't handle the multiple CN case for example). However it is simple, 
allows for non-unique CN provided the domain components are included 
(which seems to be a very common pattern in practice) and results in a 
qualified username of the form we use for other authentication mechanisms.
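The CN-plus-domain-components mapping described above, as an added Python example that is not from the post or from any RabbitMQ or Qpid code. It assumes the subject DN arrives as an RFC 4514 string (as TLS libraries typically render it), parses it with escape handling, and refuses the multiple-CN case the author mentions rather than guessing.

```python
import string


def split_dn(dn):
    """Split an RFC 4514 DN string into (TYPE, value) pairs, in string order.

    Honours both RFC 4514 escape forms: backslash + one character (\\, \\+ ...)
    and backslash + two hex digits (\\2C is a comma). ',' and '+' (multi-valued
    RDN) both end a pair. Hex escapes above 0x7F are single UTF-8 bytes in the
    RFC; they are not reassembled into characters here (a known limitation).
    """
    pairs, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(chr(int(hexpair, 16)))  # \HH form
                i += 3
            else:
                buf.append(dn[i + 1:i + 2])  # \X form: keep X literally
                i += 2
            continue
        if ch in ",+":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append("".join(buf))
    out = []
    for pair in pairs:
        attr_type, sep, value = pair.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN {pair!r}")
        out.append((attr_type.strip().upper(), value))  # types are case-insensitive
    return out


def dn_to_username(dn, require_domain=True):
    """CN plus DC components joined by '.': CN=bob,DC=example,DC=com -> bob@example.com."""
    rdns = split_dn(dn)
    cns = [v for t, v in rdns if t == "CN"]
    dcs = [v for t, v in rdns if t == "DC"]
    if len(cns) != 1:
        # The post leaves multiple CNs unhandled; refuse rather than pick one.
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    if not dcs:
        if require_domain:
            raise ValueError("no DC components: a bare CN is not a qualified name")
        return cns[0]
    # RFC 4514 string order puts the leaf RDN first, so joining the DCs in that
    # order yields the domain in normal reading order.
    return f"{cns[0]}@{'.'.join(dcs)}"
```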


