It's great that you've sent a solution, but it's not very pretty. As it is, I would consider SSL functionality broken and would put a big warning on the SSL howto page.<div><br></div><div>I'll probably make a custom ebuild for gentoo with a patch, however most folks are using binary packages and will probably have issue with this solution.</div>
<div><br></div><div>Care to post a unified diff?</div><div><br></div><div>Thanks,</div><div><br clear="all">Mark Steele<br>Director of development<br>Bering Media Inc.<br><br>
<br><br><div class="gmail_quote">On Wed, Aug 11, 2010 at 11:15 AM, Emile Joubert <span dir="ltr"><<a href="mailto:emile@rabbitmq.com">emile@rabbitmq.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 11/08/10 14:59, Mark Steele wrote:<br>
> Care to expand on how one would do this? I've encountered similar issues.<br>
><br>
> Basically, what I'm looking for is that if the client cert isn't signed<br>
> by a CA in the CA file that I'm pointing rabbit to, it should fail<br>
> (which is what the default behavior should be). This was also kind of<br>
> implied in the rabbit doc, even though it doesn't seem to work as<br>
> advertised.<br>
<br>
</div>Hi Mark,<br>
<br>
I don't see any way of doing this using configuration options alone.<br>
Unless I'm overlooking a more obvious route, you will need to recompile<br>
the Erlang ssl module or the Rabbit networking module. I would suggest<br>
the latter.<br>
<br>
Adding the following tuple to SslOpts in rabbit_networking:boot_ssl/0<br>
works for me using erlang R13B03 and R14A:<br>
{verify_fun, fun(ErrorList) -> length(ErrorList) == 0 end}<br>
With this in place the server will reject a client presenting a<br>
certificate not signed by a recognised CA.<br>
<br>
I agree that this should be easier. Please let me know if you have<br>
suggestions.<br>
<br>
<br>
Regards<br>
<font color="#888888"><br>
Emile<br>
</font></blockquote></div><br></div>
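<div><br></div><div>The following Erlang module is an added illustration of the change Emile describes above; it is not code from the thread or from the RabbitMQ project. It assembles an SSL option list in the shape rabbit_networking:boot_ssl/0 would pass to the listener and plugs in the one-argument verify_fun form that the message reports working on R13B03 and R14A. The module name, the function names and the certificate file paths are placeholders chosen for the example.</div>

```erlang
%% Added example, not part of the original mailing-list thread.
%% Builds server-side SSL options that reject any client whose
%% certificate did not validate against the configured CA file.
%% Assumes the old-style single-argument verify_fun described in the
%% thread (R13B03 / R14A); file paths below are placeholders.
-module(strict_ssl_opts).
-export([listen_opts/3, reject_on_any_error/1]).

%% Verification callback. The ssl application hands it the list of
%% errors collected while checking the peer certificate chain.
%% An empty list means the chain validated against cacertfile, so we
%% accept; anything else is logged for the operator and refused,
%% which makes the handshake fail instead of silently succeeding.
reject_on_any_error([]) ->
    true;
reject_on_any_error(Errors) ->
    error_logger:warning_msg(
      "rejecting client certificate, validation errors: ~p~n", [Errors]),
    false.

%% Server listen options. verify_peer requests a client certificate,
%% fail_if_no_peer_cert refuses clients that send none, and verify_fun
%% refuses clients whose certificate was sent but did not validate.
%% CaCertFile, CertFile and KeyFile are placeholder paths supplied by
%% the caller, e.g. "/etc/rabbitmq/ssl/cacert.pem".
listen_opts(CaCertFile, CertFile, KeyFile) ->
    [{cacertfile, CaCertFile},
     {certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, fun reject_on_any_error/1}].
```

<div>Keeping the callback in a named, exported function rather than an anonymous fun makes the rejection path easy to exercise from the shell (strict_ssl_opts:reject_on_any_error([]) returns true; any non-empty list returns false) and puts a log line on every refused handshake, so a client presenting a certificate from an unrecognised CA shows up in the server log rather than only as a dropped connection.</div>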