[rabbitmq-discuss] Patch: SSL client certificate authentication for the RabbitMQ STOMP plugin

Shane Hathaway shane.hathaway at gmail.com
Thu Feb 16 20:09:34 GMT 2012


I've been trying out RabbitMQ over the past month and I must say I'm 
impressed, especially with the management and STOMP plugins. Well done!

I decided that using SSL client certificates is important for the kind of 
deployment I'm working on, so I created a patch (attached to this email) 
that enables the STOMP plugin to authenticate clients using the CN field of 
SSL client certificates, similar to the rabbitmq_auth_mechanism_ssl plugin. 
The patch is based on the 2.7.1 release tag. I have tested it by hand and 
it seems to do the trick. I hope it can be integrated into the next release 
of RabbitMQ; please let me know if there are problems I ought to fix.

To use the new feature, add ssl_cert_login to the default_user options of 
the rabbitmq_stomp options in rabbitmq.config, then configure the STOMP 
client to omit the login and passcode headers from the CONNECT frame. Here 
is a sample rabbitmq.config:

    {rabbit, [
        {ssl_options, [
            {cacertfile, "mq/ca/ca.crt"},
            {certfile, "mq/server/rabbitmq-dev.crt"},
            {keyfile, "mq/server/rabbitmq-dev.key"},
            {verify, verify_peer},
            {fail_if_no_peer_cert, true}
    {rabbitmq_stomp, [
        {tcp_listeners, [61613]},
        {ssl_listeners, [61614]},
        {default_user, [ssl_cert_login]}


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20120216/5b1a4f80/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rabbit_stomp_ssl_cert_login.patch
Type: text/x-diff
Size: 11095 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20120216/5b1a4f80/attachment.patch>

More information about the rabbitmq-discuss mailing list