[rabbitmq-discuss] Separate authorization mechanisms for SSL and non-SSL?

Simon MacMullen simon at rabbitmq.com
Wed Nov 28 10:29:16 GMT 2012


On 28/11/12 05:42, michi.oshima wrote:
> Simon MacMullen-2 wrote
>> And if an SSL client selects PLAIN, do you really mind?
>
> I'm thinking I do.  If an "attacker" can select PLAIN, then the attacker
> would only have to guess the correct password to gain access to the server,
> which is easier than faking a certificate.  (Or so I heard...   Does it just
> depend on the length of the password?)

Hmm, I suppose so. Although we do rate-limit failed connection attempts 
to try to prevent this.

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, VMware

