Care to expand how one would do this? I've encountered similar issues.<div><br></div><div>Basically, what I'm looking for is that if the client cert isn't signed by a CA in the CA file that I'm pointing rabbit to, it should fail (which is what the default behavior should be). This was also kind of implied in the rabbit doc, even though it doesn't seem to work as advertised.</div>
<div><br></div><div>See the "Trust the Client's Root CA" section of the Rabbit SSL howto documentation. </div><div><br></div><div>Also, if you do know how to do this, explain it as if you were dealing with an Erlang novice :)</div>
<div><br></div><div>Cheers,<br><div style="font-family: Verdana, sans-serif; font-size: 12px; color: rgb(102, 102, 102); line-height: 17px; "><br></div>Mark Steele<br>Director of development<br>Bering Media Inc.<br><br>
<br><br><div class="gmail_quote">On Wed, Aug 11, 2010 at 5:38 AM, Emile Joubert <span dir="ltr"><<a href="mailto:emile@rabbitmq.com">emile@rabbitmq.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Hi Jiri,<br>
<br>
On 11/08/10 07:41, <a href="mailto:jiri@krutil.com">jiri@krutil.com</a> wrote:<br>
<br>
[...]<br>
<div class="im"><br>
>> The RabbitMQ server is configured to require a client certificate and<br>
>> verify the chain of trust (see rabbitmq.config below). I'm using my<br>
>> own CA that has a self-signed certificate. This is the only trusted<br>
>> root CA certificate I'm using.<br>
>><br>
>> RabbitMQ correctly accepts client certificates signed by my CA. But it<br>
>> also accepts self-signed client certificates, which I think is<br>
>> incorrect. I believe a self-signed client certificate should be<br>
>> rejected because there is no chain of trust to the root CA certificate.<br>
<br>
</div>By default an unknown CA will not cause the connection to fail. The<br>
default verify_fun ignores {bad_cert, unknown_ca} errors. You should<br>
provide your own verify_fun that does not ignore {bad_cert, unknown_ca}.<br>
<br>
Regards<br>
<font color="#888888"><br>
Emile<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
rabbitmq-discuss mailing list<br>
<a href="mailto:rabbitmq-discuss@lists.rabbitmq.com">rabbitmq-discuss@lists.rabbitmq.com</a><br>
<a href="https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss" target="_blank">https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss</a><br>
</div></div></blockquote></div><br></div>
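<div>The verify_fun described in the quoted reply, as an added example that is not part of the original thread or of RabbitMQ's code. It assumes the three-argument verify_fun form documented for the Erlang/OTP ssl application; the module name strict_verify and its function names are hypothetical.</div>

```erlang
%% Added example; not code from the thread or from RabbitMQ.
-module(strict_verify).
-export([ssl_options/1, verify_fun/0, demo/0]).

%% verify_fun in the three-argument form documented for the Erlang/OTP
%% ssl application: fun(Cert, Event, UserState). Assumption: the OTP
%% release in use supports this form.
verify_fun() ->
    {fun(_Cert, {bad_cert, _} = Reason, _State) ->
             %% Covers {bad_cert, unknown_ca} and
             %% {bad_cert, selfsigned_peer}: abort the handshake.
             {fail, Reason};
        (_Cert, {extension, _}, State) ->
             %% Extensions not handled here go back to ssl's own checks.
             {unknown, State};
        (_Cert, valid, State) ->
             {valid, State};
        (_Cert, valid_peer, State) ->
             {valid, State}
     end, []}.

%% Verification-related server options only (certificate and key
%% options are omitted). CaFile is a path supplied by the caller.
ssl_options(CaFile) ->
    [{cacertfile, CaFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, verify_fun()}].

%% Exercise the fun with constructed events. No real certificate is
%% needed because the fun ignores its first argument.
demo() ->
    {F, S0} = verify_fun(),
    {fail, {bad_cert, unknown_ca}} =
        F(undefined, {bad_cert, unknown_ca}, S0),
    {fail, {bad_cert, selfsigned_peer}} =
        F(undefined, {bad_cert, selfsigned_peer}, S0),
    {valid, S0} = F(undefined, valid_peer, S0),
    ok.
```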