[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

Emile Joubert emile at rabbitmq.com
Wed Aug 11 10:38:22 BST 2010


Hi Jiri,

On 11/08/10 07:41, jiri at krutil.com wrote:

[...]

>> The RabbitMQ server is configured to require a client certificate and
>> verify the chain of trust (see rabbitmq.config below). I'm using my
>> own CA that has a self-signed certificate. This is the only trusted
>> root CA certificate I'm using.
>>
>> RabbitMQ correctly accepts client certificates signed by my CA. But it
>> also accepts self-signed client certificates, which I think is
>> incorrect. I believe a self-signed client certificate should be
>> rejected because there is no chain of trust to the root CA certificate.

By default an unknown CA will not cause the connection to fail. The
default verify_fun ignores {bad_cert, unknown_ca} errors. You should
provide your own verify_fun that does not ignore {bad_cert, unknown_ca}.

Regards

Emile
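As an added example (not part of the original thread or of RabbitMQ's own code), here is one way to write a verify_fun that does not ignore `{bad_cert, unknown_ca}`. It assumes the three-argument verify_fun interface of the Erlang/OTP R14 `ssl` application, and the module name `strict_verify` is hypothetical.

```erlang
%% strict_verify.erl -- added example; module name is an assumption.
-module(strict_verify).
-export([verify/3, ssl_options/3]).

%% Erlang ssl (R14 and later) calls the verify_fun as
%%   Fun(OtpCertificate, Event, UserState)
%% once per certificate in the peer's chain and once more when the
%% peer certificate itself is reached. The default fun lets
%% {bad_cert, unknown_ca} pass; this one turns it into a failure,
%% so a self-signed client certificate that does not chain to the
%% configured cacertfile is rejected at the handshake.
verify(_Cert, {bad_cert, unknown_ca}, _State) ->
    {fail, unknown_ca};
verify(_Cert, {bad_cert, Reason}, _State) ->
    %% any other path-validation error (expired, bad signature, ...)
    {fail, Reason};
verify(_Cert, {extension, _Ext}, State) ->
    %% leave unknown extensions to ssl's default handling
    {unknown, State};
verify(_Cert, valid, State) ->
    %% an intermediate or root CA certificate that validated
    {valid, State};
verify(_Cert, valid_peer, State) ->
    %% the client certificate itself validated against the chain
    {valid, State}.

%% Builds a listener options list equivalent to the ssl_options in
%% the thread, but with the strict verify_fun installed. The paths
%% are supplied by the caller; [] is the initial user state.
ssl_options(CaCertFile, CertFile, KeyFile) ->
    [{cacertfile, CaCertFile},
     {certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {verify_fun, {fun ?MODULE:verify/3, []}}].
```

A fun literal cannot be written into `rabbitmq.config` (the file is read as plain Erlang terms), so the options list above is built in code; whether a given broker version accepts a `{Module, Function, InitialState}` form for verify_fun in the config file is an assumption to check against its documentation.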