[rabbitmq-discuss] AMQP authentication with RabbitMQ
matthias at lshift.net
Mon Jul 20 21:14:20 BST 2009

Darien Kindlund wrote:
> Couple of basic questions:
> 1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMPQ ?

Does it have to have a name?

> 2) Are you planning on supporting CRLs and/or OCSP for certificate revocation?
> 3) Can we specify the cipher strength?

We support whatever the Erlang SSL implementation supports. See
http://www.erlang.org/doc/man/new_ssl.html for details. That's a moving
target, and ATM the answers to the above are 'no' and 'yes'.

> 4) Okay once SSL is supported natively, do you think a future version
> of RabbitMQ would be able to map particular subjectDNs to existing
> username/password credentials? It would be really nice if clients
> could authenticate with only client certs and nothing else.
> I'm guessing #4 may actually break the existing AMQP spec, since we're
> talking about bypassing username/password authentication. If that's
> the case, I'm not sure if you typically wait for the spec to get
> ratified before implementing any experimental features, such as this.

AMQP has some built-in support for negotiating different security
mechanisms, so your latter concern isn't an issue. Making the necessary
changes at the server and client end would take some time, but it
shouldn't be a big job. Perhaps this is something you could have a stab
at yourself once the new SSL support has landed?
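
Added example (not part of the original message, and not RabbitMQ code): a sketch of the mechanism negotiation mentioned above, with the server listing mechanisms in Connection.Start and the client naming one in Connection.Start-Ok, using the SASL names PLAIN and EXTERNAL. The DN-to-username table, the function names and all sample values are assumptions, and the lookup assumes the TLS layer hands over the verified subject DN in one canonical string form.

```python
# Added illustration, not RabbitMQ code. All names and sample values are constructed.
import hmac
from typing import Optional

# Hypothetical map: verified certificate subject DN -> existing broker username.
DN_TO_USER = {"CN=sensor-01,O=Example Org,C=US": "sensor01"}
# Hypothetical credential store for the existing username/password path.
PASSWORDS = {"guest": b"constructed-password"}


def server_mechanisms(tls_peer_dn: Optional[str]) -> str:
    """Space-separated 'mechanisms' value the server sends in Connection.Start."""
    offered = ["PLAIN"]
    if tls_peer_dn is not None:  # EXTERNAL only when TLS verified a client cert
        offered.append("EXTERNAL")
    return " ".join(offered)


def client_choose(offered: str, preferred: list) -> Optional[str]:
    """Client side: first preferred mechanism that the server actually offered."""
    names = offered.split()
    return next((m for m in preferred if m in names), None)


def authenticate(mechanism: str, response: bytes,
                 tls_peer_dn: Optional[str]) -> Optional[str]:
    """Server side of Connection.Start-Ok: return the username, or None to refuse."""
    if mechanism not in server_mechanisms(tls_peer_dn).split():
        return None  # a mechanism that was not offered is never accepted
    if mechanism == "EXTERNAL":
        # Identity comes only from the TLS layer; 'response' is not trusted.
        # Unmapped DNs fail closed instead of falling back to a default user.
        return DN_TO_USER.get(tls_peer_dn)
    # PLAIN response layout: authzid NUL authcid NUL password
    parts = response.split(b"\0")
    if len(parts) != 3:
        return None
    user = parts[1].decode("utf-8", "replace")
    expected = PASSWORDS.get(user)
    if expected is not None and hmac.compare_digest(expected, parts[2]):
        return user
    return None
```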