[rabbitmq-discuss] AMQP authentication with RabbitMQ

eric eric at grokthis.net
Wed Jul 8 19:26:40 BST 2009

On Wed, 2009-07-08 at 13:04 -0400, Darien Kindlund wrote:
> Hi Laurens,
> I'm not an OpenSSL nor RabbitMQ expert, but I got the impression that
> stunnel (which uses OpenSSL) somehow populates certificate information
> after the connection is established via environment variables.  See
> this URL for more information about the types of environment variables
> available:

This isn't how stunnel works; it creates simple SSL server and client
wrappers/proxies.  Stunnel doesn't need to know anything about the
application-layer protocols it encapsulates, doesn't need environmental
variables, LD_PRELOAD, or any other funny magic.  For these reasons,
stunnel is a pretty good fit for Rabbit, where encryption is needed.

How it works is quite simple, really. It sends and receives clear-text
on one side (i.e. a local RabbitMQ), and encrypted communications on the
other (i.e. the internet).  This is what allows applications that work
purely with clear-text such as Rabbit, to communicate securely via

The server side is relatively simple to set up, because aside from the
extra process running, it requires no changes to the server daemon
process.  You can simply set up a proxy for the AMQP port and walk away.

The client side, however, will need either SSL support in the client's
AMQP library, or will need to connect to a local stunnel instance to
provide a reverse SSL proxy.  That is, your client application can speak
clear-text to the local stunnel, this stunnel will speak SSL to the
remote stunnel (which, in turn, speaks clear-text to RabbitMQ).  It's
very clear that SSL support in the client's AMQP library is preferable.

Eric Windisch
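
The two-proxy arrangement described in the message above, written out as a pair of stunnel configuration files. This is an added example, not part of the original post. The hostname broker.example.com, the file paths and the service names are assumptions, and the option names assume stunnel 5.x.

```ini
; ---- Server side: stunnel.conf on the RabbitMQ host ----
; Accepts SSL from the network and forwards clear-text to the local broker.
; Assumption: RabbitMQ's plain AMQP listener (5672) is bound to loopback
; or firewalled, so only the SSL port is reachable from outside.

[amqps-in]
accept  = 5671
connect = 127.0.0.1:5672
; Assumed paths for the server certificate and its private key.
cert    = /etc/stunnel/broker.pem
key     = /etc/stunnel/broker.key

; ---- Client side: stunnel.conf on the application host ----
; The application speaks clear-text AMQP to 127.0.0.1:5672; stunnel speaks
; SSL to the remote stunnel. Listening on loopback only keeps the
; clear-text hop on the local machine.

[amqps-out]
client  = yes
accept  = 127.0.0.1:5672
connect = broker.example.com:5671
; Without verification the tunnel is encrypted but the peer is not
; authenticated. Check the server certificate against a trusted CA and
; against the expected host name.
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes
checkHost   = broker.example.com
; Older stunnel releases use "verify = 2" in place of verifyChain/checkHost.
```

With this in place the client application is pointed at 127.0.0.1:5672 instead of the remote broker address.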
