[rabbitmq-discuss] does RabbitMQ or Erlang/OTP attempt to match the CN of a client TLS cert?

David van Geest davidv at spindance.com
Wed Aug 28 17:42:05 BST 2013


On Wed, Aug 28, 2013 at 5:36 AM, Emile Joubert <emile at rabbitmq.com> wrote:

> On 27/08/13 23:45, David van Geest wrote:
> > On Tue, Aug 27, 2013 at 6:20 PM, David van Geest <davidv at spindance.com> wrote:
> >
> >
> >     If a client connects to RabbitMQ using TLS, and client certificates
> >     are required by RabbitMQ, will RabbitMQ or Erlang/OTP attempt to
> >     match the CN on the client certificate with the client's hostname?
> >     Does it attempt to match the client certificate CN with anything at all?
> >
> >
> > Reading a bit more, it seems like the CN only matters if you are
> > using rabbitmq-auth-mechanism-ssl which will attempt to match the
> > certificate CN vs the user database in question. If you are using some
> > other SASL mechanism (say, PLAIN), the CN does not matter. Correct?
>
> Yes. It is also possible to provide your own verification function that
> accepts a certificate. This Erlang function accepts a certificate as one
> of its arguments. See the verify_fun configuration option in
> http://www.erlang.org/doc/man/ssl.html
>
>
Excellent, thanks. Those docs are helpful as well.
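
The verify_fun option mentioned in the reply above, shown as an added example (not code from the thread or from RabbitMQ): a verification function for Erlang's ssl application that accepts a client certificate only when its CN is on an allowlist. The module name `cn_allowlist`, the function names, and the failure reason `cn_not_allowed` are hypothetical; the allowlist is passed in as the verify_fun user state.

```erlang
%% Added example: pin client certificates to an allowlist of CNs.
%% Module, function names and the cn_not_allowed reason are assumptions.
-module(cn_allowlist).
-export([ssl_options/1, verify_cn/3, common_names/1]).

-include_lib("public_key/include/public_key.hrl").

%% Server-side ssl options that require a client certificate and run
%% verify_cn/3 during path validation. AllowedCNs (a list of strings)
%% becomes the user state handed to every verify_cn/3 call.
ssl_options(AllowedCNs) ->
    [{verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun ?MODULE:verify_cn/3, AllowedCNs}}].

%% Path validation already failed (expired, unknown CA, ...): keep failing.
verify_cn(_Cert, {bad_cert, _} = Reason, _Allowed) ->
    {fail, Reason};
%% Extension unknown to this function: hand the decision back to ssl.
verify_cn(_Cert, {extension, _}, Allowed) ->
    {unknown, Allowed};
%% A CA certificate in the chain: no CN check on these.
verify_cn(_Cert, valid, Allowed) ->
    {valid, Allowed};
%% The peer (client) certificate itself: compare its CN to the allowlist.
verify_cn(Cert, valid_peer, Allowed) ->
    case [CN || CN <- common_names(Cert), lists:member(CN, Allowed)] of
        [] -> {fail, cn_not_allowed};
        _  -> {valid, Allowed}
    end.

%% Collect every commonName attribute of the subject as a string.
common_names(#'OTPCertificate'{tbsCertificate = TBS}) ->
    {rdnSequence, RDNs} = TBS#'OTPTBSCertificate'.subject,
    [to_list(V) || RDN <- RDNs,
                   #'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                            value = V} <- RDN].

%% CN values arrive tagged with their ASN.1 string type, e.g.
%% {utf8String, <<"client1">>} or {printableString, "client1"}.
to_list({_Type, V}) when is_binary(V) -> unicode:characters_to_list(V);
to_list({_Type, V}) when is_list(V)   -> V;
to_list(V) when is_binary(V)          -> unicode:characters_to_list(V);
to_list(V) when is_list(V)            -> V.
```

Without a function like this, `verify_peer` only checks that the chain leads to a trusted CA, so any certificate issued by that CA is accepted regardless of its CN.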