[rabbitmq-discuss] RabbitMQ .Net Client connecting without a passphrase
Matthias Radestock
matthias at rabbitmq.com
Wed Apr 2 09:05:06 BST 2014
On 01/04/14 13:31, Vinay Nayak wrote:
> We have managed to get an authenticate-authorise with server-client
> certificates set-up on our RabbitMQ server.
> However the fact that in the client code we pass a certificate with a
> key (i.e. p12 file) and a passphrase to connect to the server makes us a
> little uncomfortable.
>
> The fact that we are passing a Passphrase implies that RabbitMQ uses the
> passphrase to decrypt the p12 file, retrieve the key, use the key to get
> the CA details from the certificate and then check if the CA is trusted
> or not; instead of RabbitMQ contacting the CA server to verify the
> certificate presented by the client.
> The above can be absolute bollocks; if it is, can someone please explain
> what goes under the hood.
I am afraid the above is indeed absolute bollocks :)
The client needs the key for its own certificate, just like the server
needs the key for its own certificate. That's how PKI works - each party
needs to know their own key (only). The key is not passed to the other
party.
Also, there is no such thing as a "CA server"; cert validation is a
local operation.
Regards,
Matthias.
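To make the point above concrete, here is an added C# example (not code from the thread or from the RabbitMQ project) showing where the passphrase is actually used: the client process opens the PKCS#12 file with it, obtains its own certificate and private key, and hands only the certificate to the TLS handshake; the broker then validates that certificate against its locally configured CA. It assumes the broker authenticates clients with the EXTERNAL mechanism (rabbitmq_auth_mechanism_ssl plugin); the file path, passphrase and host name are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

class MutualTlsClient
{
    static void Main()
    {
        // Placeholders: a real deployment reads these from a secret store, not source.
        const string p12Path = "/path/to/client.p12";
        const string p12Passphrase = "PLACEHOLDER_PASSPHRASE";

        // The passphrase is consumed right here, inside the client process, to unwrap
        // the private key stored in the PKCS#12 file. Neither the passphrase nor the
        // key is ever transmitted; the handshake only proves possession of the key.
        var clientCert = new X509Certificate2(p12Path, p12Passphrase);
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("PKCS#12 file did not yield a private key");

        var factory = new ConnectionFactory
        {
            HostName = "broker.example.internal",                 // placeholder
            Port = AmqpTcpEndpoint.DefaultAmqpSslPort,             // 5671
            // EXTERNAL: the broker derives the user from the client certificate.
            AuthMechanisms = new IAuthenticationFactory[] { new ExternalMechanismFactory() },
        };
        factory.Ssl.Enabled = true;
        // Must match a name in the broker's certificate; the client checks the broker's
        // chain against its own local trust store, the mirror image of what the broker does.
        factory.Ssl.ServerName = "broker.example.internal";
        factory.Ssl.Certs = new X509CertificateCollection { clientCert };
        // Default value, stated explicitly: do not tolerate any chain or name errors.
        factory.Ssl.AcceptablePolicyErrors = SslPolicyErrors.None;

        using (var conn = factory.CreateConnection())
        {
            Console.WriteLine("Connected as " + clientCert.Subject);
        }
    }
}
```

The passphrase only protects the key file at rest on the client machine; exporting the p12 without one does not change what crosses the wire, it just moves the key's protection entirely onto file-system permissions.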