[rabbitmq-discuss] Separate authorization mechanisms for SSL and non-SSL?
michi.oshima
moshima at advent.com
Wed Nov 28 05:42:05 GMT 2012
Hi Simon,
Simon MacMullen-2 wrote
> And if you do,
> you can make sure the users connecting via SSL do not have passwords
> set; then they won't be able to log in with PLAIN.
Yes, above works for me. Thank you!
I needed to google a bit to figure out how not to have password set for a
user. It turns out there is an option in rabbitmqctl to do just that:
rabbitmqctl clear_password {username}
I'm posting the above because I made the mistake of setting the password to an
empty string (''), which doesn't have the desired effect.
Simon MacMullen-2 wrote
> And if an SSL client selects PLAIN, do you really mind?
I'm thinking I do. If an "attacker" can select PLAIN, then the attacker
would only have to guess the correct password to gain access to the server,
which is easier than faking a certificate. (Or so I heard... Does it just
depend on the length of the password?)
--
View this message in context: http://rabbitmq.1065348.n5.nabble.com/Separate-authorization-mechanisms-for-SSL-and-non-SSL-tp23672p23693.html
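The workaround discussed above (certificate-only users kept passwordless so that PLAIN fails for them, with EXTERNAL offered on the TLS listener), written out as an added example. This is not code from the thread or from the RabbitMQ project. Assumptions, labelled in the comments: a RabbitMQ 3.x-era broker using the classic Erlang-term rabbitmq.config format, the rabbitmq_auth_mechanism_ssl plugin supplying the EXTERNAL mechanism, placeholder certificate paths under /etc/rabbitmq/ssl/, and a RABBITMQCTL variable that lets the provisioning step be dry-run (RABBITMQCTL=echo) on a machine without a broker.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions:
#  - RabbitMQ 3.x-era classic rabbitmq.config (Erlang terms)
#  - rabbitmq_auth_mechanism_ssl plugin provides EXTERNAL
#  - certificate paths below are placeholders
#  - RABBITMQCTL=echo turns provisioning into a dry run
set -eu

# Write a rabbitmq.config that requires client certificates on the TLS
# listener and offers EXTERNAL next to PLAIN/AMQPLAIN. The mechanism list
# is global (not per listener), so PLAIN is still selectable on 5671;
# the user having no password is what makes PLAIN fail for that user.
write_rabbitmq_config() {
    cfg_path="$1"
    cat > "$cfg_path" <<'EOF'
[
  {rabbit, [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/etc/rabbitmq/ssl/ca_certificate.pem"},
      {certfile,   "/etc/rabbitmq/ssl/server_certificate.pem"},
      {keyfile,    "/etc/rabbitmq/ssl/server_key.pem"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]},
    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
    %% EXTERNAL derives the username from the client certificate's CN
    {ssl_cert_login_from, common_name}
  ]}
].
EOF
}

# Create a user that can only authenticate with a client certificate:
# add_user needs a password argument, so give it a throwaway one and then
# remove the password entirely. set_password '' would NOT do this; an
# empty string is still a password that PLAIN can match against.
provision_cert_user() {
    user="$1"
    vhost="${2:-/}"
    ctl="${RABBITMQCTL:-rabbitmqctl}"
    "$ctl" add_user "$user" "throwaway-placeholder"
    "$ctl" clear_password "$user"
    "$ctl" set_permissions -p "$vhost" "$user" ".*" ".*" ".*"
}

# Apply only when asked explicitly, so sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    write_rabbitmq_config /etc/rabbitmq/rabbitmq.config
    rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
    provision_cert_user "${2:?username required}" "${3:-/}"
fi
```

After restarting the broker, the check worth doing is the one the thread worries about: attempt a PLAIN login as that user over 5671 with any password and confirm it is refused, then connect with the client certificate whose CN matches the username and confirm EXTERNAL succeeds. The username in the certificate must match exactly, since with ssl_cert_login_from set to common_name the CN is the login.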