[rabbitmq-discuss] Securing RabbitMQ

Alexandru Scvorţov alexandru at rabbitmq.com
Mon Feb 20 16:59:00 GMT 2012


True.

On Mon, Feb 20, 2012 at 10:15:34AM -0500, Bell, Paul M. wrote:
> Most helpful, Alex, thank you.
> 
> I did not realize that there was no requirement to authenticate the server. Yet I must assume that, even in this case, server must be fitted with a certificate in order to accomplish encrypted symmetric key exchange with client and subsequent payload encryption.
> 
> True?
> 
> Thank again.
> 
> -Paul
> 
> On Feb 20, 2012, at 10:07 AM, "Alexandru Scvorţov" <alexandru at rabbitmq.com> wrote:
> 
> > Hi Paul,
> > 
> >> a. there is no requirement for mutual authentication, i.e., my clients need not carry their own certificates (I consider this an awkward deployment burden). 
> > 
> > Correct.  Authentication on both sides is optional.  The broker can be
> > configured with {verify_peer, none} and {fail_if_no_peer_cert, false} so
> > that it accepts connection from anyone.  Clients can be configured with
> > security managers (or whatever Java/.NET/Erlang calls them) to accept
> > connections to any broker.
> > 
> > So, you can have an un-authenticated, encrypted connection.
> > 
> >> b. We should be able to distribute our corporate X.509 certificate (and private key, required by SSL) for use by Rabbit when clients authenticate it.
> > 
> > Yes, the broker needs access to the certificate and private key it was
> > configured with.
> > 
> >> c. I *must* also provide the root certificate (e.g., Verisign) for our corporate certificate?
> > 
> > Assuming you want clients to authenticate the broker, yes.
> > 
> > Cheers,
> > Alex
> > 
> > On Mon, Feb 20, 2012 at 09:31:51AM -0500, Bell, Paul M. wrote:
> >> Hello again,
> >> 
> >> By way of follow-up with Alexandru and the entire list, I've just been reading the piece at www.rabbitmq.com/ssl.html.
> >> 
> >> Do I rightly conclude that:
> >> 
> >> a. there is no requirement for mutual authentication, i.e., my clients need not carry their own certificates (I consider this an awkward deployment burden). 
> >> b. We should be able to distribute our corporate X.509 certificate (and private key, required by SSL) for use by Rabbit when clients authenticate it.
> >> c. I *must* also provide the root certificate (e.g., Verisign) for our corporate certificate?
> >> 
> >> ??
> >> 
> >> Please advise, thanks.
> >> 
> >> -Paul
> >> 
> >> -----Original Message-----
> >> From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Alexandru Scvortov
> >> Sent: Monday, January 30, 2012 6:37 PM
> >> To: rabbitmq-discuss at lists.rabbitmq.com
> >> Subject: Re: [rabbitmq-discuss] Securing RabbitMQ
> >> 
> >> (posting again to the m/l)
> >> 
> >>> Quick q: does RabbitMQ allow presenting a hashed password?
> >> 
> >> No.  The authentication system is pluggable, though, so you could
> >> easily write your own mechanism (see the src/rabbit_auth_mechanism_*
> >> files in the broker source tree for examples).
> >> 
> >> Cheers,
> >> Alex
> >> 
> >> 
> >> On Mon, Jan 30, 2012 at 02:47:00PM -0500, Bell, Paul M. wrote:
> >>> Thank you both.
> >>> 
> >>> Quick q: does RabbitMQ allow presenting a hashed password?
> >>> 
> >>> For example, you can configure a filer to accept MD5 hashed passwords. The principal that wants to authenticate with the filer hashes its password via MD5 and places the hashed password on the wire to the filer.
> >>> 
> >>> -paul
> >>> 
> >>> On Jan 30, 2012, at 5:13 AM, "Alexandru Scvorţov" <alexandru at rabbitmq.com> wrote:
> >>> 
> >>>>> I tested this plugin some months ago and I found it very useful, my only concern is that it didn't support the CRL feature. The problem was due to the OpensSSL library used by erlang which didn't implement the CRL check, but AFAIK there was a plan to release a new version of that module from erlang team.
> >>>>> Is there some news about that?
> >>>> 
> >>>> As of R15B (released a month ago), they still don't support CRLs.
> >>>> 
> >>>> Cheers,
> >>>> Alex
> >>>> 
> >>>> On Mon, Jan 30, 2012 at 09:43:40AM +0000, Rosa, Andrea wrote:
> >>>>> Hi
> >>>>> 
> >>>>>> You could just not use passwords.  If you use SSL connections, RabbitMQ
> >>>>>> can authenticate users by the certificate they provide.
> >>>>>> 
> >>>>>> See the auth-mechanism-ssl plugin for details:
> >>>>>> http://hg.rabbitmq.com/rabbitmq-auth-mechanism-ssl/file/default/README
> >>>>> 
> >>>>> I tested this plugin some months ago and I found it very useful, my only concern is that it didn't support the CRL feature. The problem was due to the OpensSSL library used by erlang which didn't implement the CRL check, but AFAIK there was a plan to release a new version of that module from erlang team.
> >>>>> Is there some news about that?
> >>>>> 
> >>>>> Cheers
> >>>>> --
> >>>>> Andrea Rosa
> >>>> _______________________________________________
> >>>> rabbitmq-discuss mailing list
> >>>> rabbitmq-discuss at lists.rabbitmq.com
> >>>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
> >>> 
> >>> 
> >>> 
> >>> ATTENTION: -----
> >>> 
> >>> The information contained in this message (including any files transmitted with this message) may contain proprietary, trade secret or other  confidential and/or legally privileged information. Any pricing information contained in this message or in any files transmitted with this message is always confidential and cannot be shared with any third parties without prior written approval from Syncsort. This message is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any use, disclosure, copying or distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or Syncsort and destroy all copies of this message in your possession, custody or control.
> >> _______________________________________________
> >> rabbitmq-discuss mailing list
> >> rabbitmq-discuss at lists.rabbitmq.com
> >> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss


More information about the rabbitmq-discuss mailing list