[rabbitmq-discuss] Supporting both SSL+Password as well as SSL+Certificate based authentication

vish.ramachandran vish.ramachandran at gmail.com
Wed Apr 16 22:38:55 BST 2014


We have a use case where we want to support both:
1. "External" passwordless certificate-based authentication based on the
rabbitmq-auth-mechanism-ssl plugin
2. "Plain" password-based authentication with SSL turned on, without the client
needing to present a certificate. This is precisely what is described in the
https://www.rabbitmq.com/ssl.html#enabling-ssl example.

Below is the configuration in question.

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/opt/ssl4/cacert.pem"},
                    {certfile,"/opt/ssl4/cert.pem"},
                    {keyfile,"/opt/ssl4/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,true}]},
     {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
     {ssl_cert_login_from, common_name}
  ]}
].


With the above configuration, use case #1 is possible; however, use case #2 fails
when the client does not present a certificate, since fail_if_no_peer_cert
is set to true.

If I change fail_if_no_peer_cert to false, use case #2 works, but use
case #1 fails with an "unsafe configuration error".

Can we configure RMQ to support both by:
1. verifying the certificate if one is presented along with a request to do
external authentication
2. expecting a username/password if a certificate is not presented and plain
authentication is chosen
3. failing if external authentication is chosen and no certificate is presented

It does not seem right to mandate that password-based clients also present
a valid certificate. If they could, then there is no need for password-based
authentication.










