[rabbitmq-discuss] Patch: SSL client certificate authentication for the RabbitMQ STOMP plugin
Shane Hathaway
shane.hathaway at gmail.com
Thu Feb 16 20:09:34 GMT 2012
Hello,

I've been trying out RabbitMQ over the past month and I must say I'm
impressed, especially with the management and STOMP plugins. Well done!

I decided that using SSL client certificates is important for the kind of
deployment I'm working on, so I created a patch (attached to this email)
that enables the STOMP plugin to authenticate clients using the CN field of
SSL client certificates, similar to the rabbitmq_auth_mechanism_ssl plugin.

The patch is based on the 2.7.1 release tag. I have tested it by hand and
it seems to do the trick. I hope it can be integrated into the next release
of RabbitMQ; please let me know if there are problems I ought to fix.

To use the new feature, add ssl_cert_login to the default_user options of
the rabbitmq_stomp options in rabbitmq.config, then configure the STOMP
client to omit the login and passcode headers from the CONNECT frame. Here
is a sample rabbitmq.config:

[
  {rabbit, [
    {ssl_options, [
      {cacertfile, "mq/ca/ca.crt"},
      {certfile, "mq/server/rabbitmq-dev.crt"},
      {keyfile, "mq/server/rabbitmq-dev.key"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]},
  {rabbitmq_stomp, [
    {tcp_listeners, [61613]},
    {ssl_listeners, [61614]},
    {default_user, [ssl_cert_login]}
  ]}
].

Shane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rabbit_stomp_ssl_cert_login.patch
Type: text/x-diff
Size: 11095 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20120216/5b1a4f80/attachment.patch>
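
The client side of the setup described in the message, as an added example (not part of the original post or the attached patch): a Python client that presents a certificate on the SSL listener and sends a CONNECT frame with no login or passcode headers. The broker host name, the client certificate paths and the accept-version and host header values are assumptions.

```python
import socket
import ssl

# Assumed placeholders: broker host name and client cert/key paths.
# Port 61614 and the CA path come from the sample rabbitmq.config in the post.
BROKER_HOST = "rabbitmq-dev.example"
BROKER_PORT = 61614
CA_FILE = "mq/ca/ca.crt"
CLIENT_CERT = "mq/client/client.crt"
CLIENT_KEY = "mq/client/client.key"


def build_connect_frame(vhost="/"):
    """STOMP CONNECT frame that deliberately carries no login/passcode."""
    headers = {"accept-version": "1.0,1.1", "host": vhost}
    lines = ["CONNECT"] + [f"{k}:{v}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n").encode("utf-8") + b"\x00"


def parse_frame(raw):
    """Split the first STOMP frame in raw into (command, headers, body)."""
    head, _, body = raw.split(b"\x00", 1)[0].partition(b"\n\n")
    command, *header_lines = head.decode("utf-8").lstrip("\n").split("\n")
    headers = dict(line.split(":", 1) for line in header_lines if line)
    return command, headers, body


def connect_with_client_cert():
    """Present the client certificate over TLS, then send CONNECT."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=CA_FILE)
    ctx.load_cert_chain(certfile=CLIENT_CERT, keyfile=CLIENT_KEY)
    with socket.create_connection((BROKER_HOST, BROKER_PORT), timeout=10) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=BROKER_HOST) as tls:
            tls.sendall(build_connect_frame())
            reply = b""
            while b"\x00" not in reply:
                chunk = tls.recv(4096)
                if not chunk:  # broker closed the connection without a frame
                    break
                reply += chunk
            return parse_frame(reply)


if __name__ == "__main__":
    command, headers, body = connect_with_client_cert()
    # CONNECTED means the certificate was accepted; ERROR carries the reason.
    print(command, headers, body.decode("utf-8", "replace"))
```

Because the user name is taken from the certificate CN, the CA named in cacertfile should be one that issues certificates only to intended broker users.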