[rabbitmq-discuss] does RabbitMQ or Erlang/OTP attempt to match the CN of a client TLS cert?
Emile Joubert
emile at rabbitmq.com
Wed Aug 28 10:36:01 BST 2013
On 27/08/13 23:45, David van Geest wrote:
> On Tue, Aug 27, 2013 at 6:20 PM, David van Geest <davidv at spindance.com> wrote:
>
>
> If a client connects to RabbitMQ using TLS, and client certificates
> are required by RabbitMQ, will RabbitMQ or Erlang/OTP attempt to
> match the CN on the client certificate with the client's hostname?
> Does it attempt to match the client certificate CN with anything at all?
>
>
> Reading a bit more, it seems like the CN only matters if you are
> using rabbitmq-auth-mechanism-ssl which will attempt to match the
> certificate CN vs the user database in question. If you are using some
> other SASL mechanism (say, PLAIN), the CN does not matter. Correct?
Yes. It is also possible to provide your own verification function that
accepts a certificate. This Erlang function accepts a certificate as one
of its arguments. See the verify_fun configuration option in
http://www.erlang.org/doc/man/ssl.html
-Emile
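
The verification function mentioned in the reply above, sketched as an added example (not part of the original post and not RabbitMQ's own code). It assumes the three-argument `verify_fun` callback documented for Erlang's `ssl` module; the module name `cn_verify`, the allow-list of CNs and the failure reasons are hypothetical.

```erlang
-module(cn_verify).
-export([ssl_opts/1, verify/3]).
-include_lib("public_key/include/public_key.hrl").

%% Options to merge into a TLS listener's option list. AllowedCNs is a list
%% of binaries (constructed example: [<<"client1.example.test">>]).
%% The caller still supplies cacertfile, certfile and keyfile.
%% Without verify_peer and fail_if_no_peer_cert a client may connect with
%% no certificate at all and the valid_peer clause below is never reached.
ssl_opts(AllowedCNs) ->
    [{verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun ?MODULE:verify/3, AllowedCNs}}].

%% Path validation already found a problem: keep the failure.
verify(_Cert, {bad_cert, _} = Reason, _Allowed) ->
    {fail, Reason};
%% Extension ssl does not handle itself: defer to its default processing.
verify(_Cert, {extension, _}, Allowed) ->
    {unknown, Allowed};
%% CA certificate in the chain: accept and continue down the path.
verify(_Cert, valid, Allowed) ->
    {valid, Allowed};
%% The client's own certificate: apply the CN allow-list.
verify(Cert, valid_peer, Allowed) ->
    case common_name(Cert) of
        {ok, CN} ->
            case lists:member(CN, Allowed) of
                true  -> {valid, Allowed};
                false -> {fail, {cn_not_allowed, CN}}
            end;
        error ->
            {fail, no_usable_common_name}
    end.

%% Extract the subject CN. Zero or several CN attributes are rejected
%% rather than guessing which one the issuer meant.
common_name(#'OTPCertificate'{tbsCertificate =
                #'OTPTBSCertificate'{subject = {rdnSequence, RDNs}}}) ->
    case [V || RDN <- RDNs,
               #'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                        value = V} <- RDN] of
        [{utf8String, Bin}] when is_binary(Bin)     -> {ok, Bin};
        [{printableString, S}] when is_list(S)      -> {ok, list_to_binary(S)};
        _                                           -> error
    end.
```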