[rabbitmq-discuss] does RabbitMQ or Erlang/OTP attempt to match the CN of a client TLS cert?

Emile Joubert emile at rabbitmq.com
Wed Aug 28 10:36:01 BST 2013

On 27/08/13 23:45, David van Geest wrote:
> On Tue, Aug 27, 2013 at 6:20 PM, David van Geest <davidv at spindance.com
> <mailto:davidv at spindance.com>> wrote:
>     If a client connects to RabbitMQ using TLS, and client certificates
>     are required by RabbitMQ, will RabbitMQ or Erlang/OTP attempt to
>     match the CN on the client certificate with the client's hostname?
>     Does it attempt to match the client certificate CN with anything at all?
> Reading a bit more, it seems like the CN only matters if you are
> using rabbitmq-auth-mechanism-ssl which will attempt to match the
> certificate CN vs the user database in question. If you are using some
> other SASL mechanism (say, PLAIN), the CN does not matter. Correct?

Yes. It is also possible to provide your own verification function that
accepts a certificate. This Erlang function accepts a certificate as one
of its arguments. See the verify_fun configuration option in


More information about the rabbitmq-discuss mailing list