Here's a quick solution:<div><br></div><div>Just have your app load the client certificate on startup, extract the common name, and add a header to your messages. It should be trivial to do this in most programming languages.</div>
<div><br></div><div>The server is already validating that the certificate is valid at the connection level, so there's no need for further verification.<br><div><br></div><div>Mark Steele<br>Director of development<br>
Bering Media Inc.<br><br>
<br><br><div class="gmail_quote">On Mon, Jun 28, 2010 at 2:47 PM, Nathaniel Haggard <span dir="ltr"><<a href="mailto:natester@gmail.com">natester@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
On Mon, Jun 28, 2010 at 9:56 AM, Matthias Radestock<br>
<<a href="mailto:matthias@rabbitmq.com">matthias@rabbitmq.com</a>> wrote:<br>
> Lionel,<br>
><br>
> Lionel Cons wrote:<br>
>><br>
>> Matthew Sackman <<a href="mailto:matthew@rabbitmq.com">matthew@rabbitmq.com</a>> writes:<br>
>>><br>
>>> On Thu, Jun 24, 2010 at 03:13:20PM -0600, Nathaniel Haggard wrote:<br>
>>>><br>
>>>> It would be nice if rabbitmq set a header in messages with some<br>
>>>> metadata from the x509 certificate used to establish the ssl<br>
>>>> connection.<br>
>>><br>
>>> Err, why?<br>
>><br>
>> FWIW, we currently rely on this functionality: we use X.509 for<br>
>> authentication and we need to track down who sent a given message<br>
>> (think JMSXUserID as per <a href="http://activemq.apache.org/jmsxuserid.html" target="_blank">http://activemq.apache.org/jmsxuserid.html</a>).<br>
><br>
> Couldn't you simply get the sender to sign the message and the recipient to<br>
> verify the signature? That requires the recipients to know the public keys<br>
> of the senders, but I suspect in most systems where recipients care about<br>
> the sender identity that would not be hard to arrange.<br>
><br>
> Matthias.<br>
<br>
For my use case I could do that, but RabbitMQ is already verifying<br>
client certificates. See<br>
<br>
[<br>
{rabbit, [<br>
{ssl_listeners, [{"0.0.0.0",5671}]},<br>
{ssl_options, [{cacertfile,"/opt/rabbitmq/keys/ca.crt"},<br>
{certfile,"/opt/rabbitmq/keys/x.x.x.x.crt"},<br>
{keyfile,"/opt/rabbitmq/keys/x.x.x.x.key"},<br>
{verify,verify_peer}, % request the client certificate and verify it against ca.crt<br>
{fail_if_no_peer_cert,true}]} % reject connections that present no client certificate<br>
]}<br>
].<br>
<br>
We plan to have thousands of clients connecting to RabbitMQ each with<br>
a different certificate and the same username. Someone on this list<br>
didn't recommend managing that many users.<br>
<br>
Ideally Rabbit would pass along CNAME from a producer and the consumer<br>
would verify CNAME is good.<br>
<br>
(Sorry if you got this twice Matthias)<br>
_______________________________________________<br>
rabbitmq-discuss mailing list<br>
<a href="mailto:rabbitmq-discuss@lists.rabbitmq.com">rabbitmq-discuss@lists.rabbitmq.com</a><br>
<a href="https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss" target="_blank">https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss</a><br>
</blockquote></div><br></div></div>
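The two approaches argued over above, side by side, as an added example in Go that is not part of this thread or of RabbitMQ: a client that copies the CN out of its certificate into a message header (Mark's suggestion) and a client that signs the message body with the private key behind that certificate (Matthias's suggestion), each paired with the consumer that would consume it. Everything here is constructed for the example: the throwaway self-signed certificates, the header name x-sender-cn, ECDSA P-256 as the key type, the sample body, and the in-memory map standing in for the consumer's registry of trusted client certificates. The broker plays no part, since verify_peer only ever sees the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Message stands in for an AMQP message: headers, body, optional detached signature.
type Message struct {
	Headers map[string]string
	Body    []byte
	Sig     []byte
}

// newClient builds a throwaway self-signed client certificate with the given CN
// (constructed for this example; CA-issued certs expose the CN the same way).
func newClient(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// publishWithHeader is the header-only approach: the client writes a CN into a
// header. Nothing ties the header to the key that opened the TLS session.
func publishWithHeader(claimedCN string, body []byte) Message {
	return Message{Headers: map[string]string{"x-sender-cn": claimedCN}, Body: body}
}

// publishSigned is the signature approach: the body is signed with the client's
// private key; the CN header only tells the consumer which public key to check.
func publishSigned(cert *x509.Certificate, key *ecdsa.PrivateKey, body []byte) (Message, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Message{}, err
	}
	return Message{Headers: map[string]string{"x-sender-cn": cert.Subject.CommonName}, Body: body, Sig: sig}, nil
}

// senderByHeader is the consumer that takes the header at face value.
func senderByHeader(m Message) string { return m.Headers["x-sender-cn"] }

// senderBySignature accepts the claimed CN only if the signature verifies under the
// trusted certificate registered for that CN; "" for unsigned, relabelled or tampered messages.
func senderBySignature(m Message, trusted map[string]*x509.Certificate) string {
	cn := m.Headers["x-sender-cn"]
	cert, ok := trusted[cn]
	if !ok || len(m.Sig) == 0 {
		return ""
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return ""
	}
	digest := sha256.Sum256(m.Body)
	if !ecdsa.VerifyASN1(pub, digest[:], m.Sig) {
		return ""
	}
	return cn
}

func main() {
	alice, aliceKey, _ := newClient("alice.example")
	bob, bobKey, _ := newClient("bob.example")
	trusted := map[string]*x509.Certificate{"alice.example": alice, "bob.example": bob}
	body := []byte("constructed message body")

	// Bob holds a valid cert, so the broker admits him, yet he can label the message as Alice's.
	forged := publishWithHeader("alice.example", body)
	fmt.Printf("header-only consumer: %q\n", senderByHeader(forged))

	genuine, _ := publishSigned(alice, aliceKey, body)
	relabelled, _ := publishSigned(bob, bobKey, body)
	relabelled.Headers["x-sender-cn"] = "alice.example"
	fmt.Printf("signature consumer, genuine: %q\n", senderBySignature(genuine, trusted))
	fmt.Printf("signature consumer, relabelled: %q\n", senderBySignature(relabelled, trusted))
}
```

Run it and the header-only consumer attributes Bob's message to Alice: verify_peer and fail_if_no_peer_cert prove that some certificate chaining to ca.crt opened a connection, not which certificate labelled a given message, and any admitted client can write any CN into a header. The signature consumer rejects the relabelled message, and also rejects a genuine message whose body was altered after signing, which no header scheme detects. It verifies against the certificate it already holds for that CN, so it never has to trust anything it learns from the message itself, which is the key-distribution requirement Matthias mentions.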