[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

Emile Joubert emile at rabbitmq.com
Wed Aug 11 10:38:22 BST 2010

Hi Jiri,

On 11/08/10 07:41, jiri at krutil.com wrote:


>> The RabbitMQ server is configured to require a client certificate and
>> verify the chain of trust (see rabbitmq.config below). I'm using my
>> own CA that has a self-signed certificate. This is the only trusted
>> root CA certificate I'm using.
>> RabbitMQ correctly accepts client certificates signed by my CA. But it
>> also accepts self-signed client certificates, which I think is
>> incorrect. I believe a self-signed client certificate should be
>> rejected because there is no chain of trust to the root CA certificate.

By default an unknown CA will not cause the connection to fail. The
default verify_fun ignores {bad_cert, unknown_ca} errors. You should
provide your own verify_fun that does not ignore {bad_cert, unknown_ca}.



More information about the rabbitmq-discuss mailing list