[rabbitmq-discuss] x509 Authentication

Simon MacMullen simon at rabbitmq.com
Fri Jan 6 13:31:18 GMT 2012


I'm having trouble replicating this - can you give me an example of a DN 
that produced quotes in Rabbit but not with OpenSSL?

Cheers, Simon

On 05/01/12 14:44, Warren Smith wrote:
>
> The reason that I ended up removing quotes from DNs is because (if I
> remember correctly) for the same certificate, a DN from Erlang would
> sometimes have quotes but the DN from openssl would not. I was using
> a script that invoked "openssl x509 -in <cert.pem> -subject" and then
> "rabbitmqctl add_user ...; rabbitmqctl set_permissions ..." to add
> users to rabbitmq. I couldn't quickly figure out a pattern when
> Erlang added quotes (it wasn't as simple as the RDN having a space in
> it), so I just stripped them all out in the DN received by my
> modified rabbitmq_auth_mechanism_ssl.
>
> I agree that this type of DN cleanup isn't really required, but it
> made things easier for me and apparently for Lionel, also.
>
>
> Warren
>
>
> -----Original Message-----
> From: rabbitmq-discuss-bounces at lists.rabbitmq.com
> [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of
> Simon MacMullen
> Sent: Thursday, January 05, 2012 4:33 AM
> To: rabbitmq-discuss at lists.rabbitmq.com
> Subject: Re: [rabbitmq-discuss] x509 Authentication
>
> On 21/12/11 07:22, Lionel Cons wrote:
>> It would really be good to improve X.509 authentication in a
>> consistent way in RabbitMQ. Things I can think of:
>> - use common code between AMQP and STOMP
>
> Yes.
>
>> - use DN rather than CN, maybe via a configurable option
>
> Yes.
>
>> - standard DN cleanup (such as your quotes removal)
>
> Umm, really? The question of how to canonically construct a string
> representation of a DN is annoyingly fiddly, but I really don't
> believe removing quotes is likely to be a part of it.
>
> We'd probably have to aim for "whatever OpenSSL does" and "whatever
> Active Directory does" as goals for how to do it. Let us pray to the
> god of ASN.1 (some sort of Eldritch abomination I'm sure) that both
> of those are the same thing...
>
> Cheers, Simon
>
> --
> Simon MacMullen
> RabbitMQ, VMware
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss


-- 
Simon MacMullen
RabbitMQ, VMware
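
The quote-handling question discussed in this thread, as an added example that is not part of the original messages or of RabbitMQ's code. It assumes DNs written as comma-separated RDNs with double-quoted or backslash-escaped values (the RFC 2253 string form); the helper names and sample DNs are constructed for illustration.

```python
# Added example: helper names and sample DNs are constructed for illustration.

def _split_rdn(chars):
    """Turn one RDN's (char, is_literal) list into a (TYPE, value) pair."""
    while chars and chars[0] == (" ", False):    # trim unquoted padding
        chars = chars[1:]
    while chars and chars[-1] == (" ", False):
        chars = chars[:-1]
    for pos, (ch, literal) in enumerate(chars):
        if ch == "=" and not literal:            # first structural '='
            attr = "".join(c for c, _ in chars[:pos]).strip().upper()
            return (attr, "".join(c for c, _ in chars[pos + 1:]))
    raise ValueError("RDN without '='")

def parse_dn(dn):
    """Parse a comma-separated DN string into [(TYPE, value), ...]."""
    # Out of scope here: hex escapes, '#hex' values, multi-valued RDNs ('+').
    rdns, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape")
            cur.append((dn[i + 1], True))        # escaped char is data
            i += 1
        elif ch == '"':
            in_quotes = not in_quotes            # quotes delimit, not data
        elif ch == "," and not in_quotes:
            rdns.append(cur)                     # structural separator
            cur = []
        else:
            cur.append((ch, in_quotes))
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote")
    rdns.append(cur)
    return [_split_rdn(r) for r in rdns]

def strip_quotes(dn):
    """The string-level cleanup described in the thread: drop every quote."""
    return dn.replace('"', "")

QUOTED = 'CN="a,O=b",C=US'        # one CN whose value contains ",O="
ESCAPED = 'CN=a\\,O\\=b,C=US'     # same DN, backslash-escaped instead
OTHER = 'CN=a,O=b,C=US'           # a different DN with three RDNs

print(strip_quotes(QUOTED) == OTHER, parse_dn(QUOTED) == parse_dn(OTHER))
```

Comparing parsed RDN lists keeps the quoted and escaped spellings of one DN equal while keeping a structurally different DN distinct, which string-level quote removal does not.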

