[rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode

• Previous message: [rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode
• Next message: [rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 11, 2010 at 07:04:31PM +0200, jiri at krutil.com wrote:
> I also believe that the default behaviour should be to reject client
> certs signed by an untrusted CA. I found the current functionality
> quite surprising and potentially dangerous.

Yes. I assure you this was not the behaviour of Erlang when I wrote the
SSL guide. Unfortunately, a fix is not going to happen in time for the
next release, but we're going to chase the Erlang SSL module authors to
see if there's any reason for this behaviour, and I hope will change it
either in their code or ours. I agree with you that with verify_peer on,
the broker *must not* blindly trust *any* certs without being able to
establish a chain of trust to the presented cert.

Matthew

• Previous message: [rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode
• Next message: [rabbitmq-discuss] Broker accepts self-signed client certificate in verify_peer mode
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]