<div dir="ltr">On Wed, Aug 28, 2013 at 5:36 AM, Emile Joubert <span dir="ltr"><<a href="mailto:emile@rabbitmq.com" target="_blank">emile@rabbitmq.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 27/08/13 23:45, David van Geest wrote:<br>
> On Tue, Aug 27, 2013 at 6:20 PM, David van Geest <<a href="mailto:davidv@spindance.com">davidv@spindance.com</a><br>
</div><div><div class="h5">> <mailto:<a href="mailto:davidv@spindance.com">davidv@spindance.com</a>>> wrote:<br>
><br>
><br>
> If a client connects to RabbitMQ using TLS, and client certificates<br>
> are required by RabbitMQ, will RabbitMQ or Erlang/OTP attempt to<br>
> match the CN on the client certificate with the client's hostname?<br>
> Does it attempt to match the client certificate CN with anything at all?<br>
><br>
><br>
> Reading a bit more, it seems like the CN only matters if you are<br>
> using rabbitmq-auth-mechanism-ssl which will attempt to match the<br>
> certificate CN vs the user database in question. If you are using some<br>
> other SASL mechanism (say, PLAIN), the CN does not matter. Correct?<br>
<br>
</div></div>Yes. It is also possible to provide your own verification function that<br>
accepts a certificate. This Erlang function accepts a certificate as one<br>
of its arguments. See the verify_fun configuration option in<br>
<a href="http://www.erlang.org/doc/man/ssl.html" target="_blank">http://www.erlang.org/doc/man/ssl.html</a><br><span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div> </div></div>
</div><div class="gmail_extra">Excellent, thanks. Those docs are helpful as well.</div></div>
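The verify_fun option mentioned in the reply above, as an added example that is not part of the original thread or RabbitMQ's own code: an Erlang ssl server option list whose verification function accepts a client certificate only when its CN is on an allow-list. The module name, the file paths and the allow-list are assumptions, and the record names are those of public_key.hrl.

```erlang
-module(cn_verify).
-export([server_opts/1, verify_cn/3, common_name/1]).
-include_lib("public_key/include/public_key.hrl").

%% Allowed is a list of CN strings, e.g. ["sensor-01"] (hypothetical allow-list).
%% The file names below are placeholders.
server_opts(Allowed) ->
    [{verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {cacertfile, "ca.pem"},
     {certfile, "server.pem"},
     {keyfile, "server.key"},
     {verify_fun, {fun ?MODULE:verify_cn/3, Allowed}}].

%% Path validation errors (expired, unknown CA, ...) stay fatal.
verify_cn(_Cert, {bad_cert, _} = Reason, _Allowed) ->
    {fail, Reason};
%% Extensions this fun does not interpret: leave them to default handling.
verify_cn(_Cert, {extension, _}, Allowed) ->
    {unknown, Allowed};
%% CA certificates in the chain that already passed validation.
verify_cn(_Cert, valid, Allowed) ->
    {valid, Allowed};
%% The peer (client) certificate itself: apply the CN check here.
verify_cn(Cert, valid_peer, Allowed) ->
    case common_name(Cert) of
        {ok, CN} ->
            case lists:member(CN, Allowed) of
                true  -> {valid, Allowed};
                false -> {fail, {bad_cert, {cn_not_allowed, CN}}}
            end;
        error ->
            {fail, {bad_cert, no_common_name}}
    end.

%% Extract the first commonName attribute from the certificate subject.
common_name(#'OTPCertificate'{tbsCertificate = TBS}) ->
    {rdnSequence, RDNs} = TBS#'OTPTBSCertificate'.subject,
    Values = [V || RDN <- RDNs,
                   #'AttributeTypeAndValue'{type = ?'id-at-commonName',
                                            value = V} <- RDN],
    case Values of
        [{utf8String, Bin} | _] when is_binary(Bin) ->
            {ok, unicode:characters_to_list(Bin)};
        [{_StringType, Str} | _] when is_list(Str) ->
            {ok, Str};
        _ ->
            error
    end.
```

Without a fun like this (or rabbitmq-auth-mechanism-ssl), chain validation alone decides whether the client certificate is accepted, and the CN is not compared with anything.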