[rabbitmq-discuss] Authenticate client using certificate only

Matthias Radestock matthias at rabbitmq.com
Tue Aug 17 10:35:31 BST 2010


Jiri,

On 17/08/10 08:36, jiri at krutil.com wrote:
> I was wondering if it is possible to configure the broker in a way that
> it will authenticate clients connecting over SSL using the client
> certificate only, without username and password?

This has been considered, but there are no concrete implementation plans 
for such a feature.

> Let's say the client connects over SSL and presents a signed certificate
> containing the client user name in the certificate subject's Common
> Name. If the broker can establish a chain of trust to a configured root
> CA cert, the client identity is verified, which in my opinion completes
> the authentication. It then does not really make sense to require a
> username and a password.

In some specific use cases you might indeed want to associate AMQP user 
identities with a certificate's CN. In the general case though you'd 
probably want to allow for a many-to-many mapping.

> Imagine a client connects using a trusted certificate for client A, but
> then provides a valid username/password combination for client B. Which
> client is it then?

Neither the certificate nor the username/password intrinsically 
identify a client. That identification is only the result of a specific 
interpretation of the data. The way one chooses to interpret the 
information determines whether particular combinations make sense or 
not. So, for example, a CN might identify an organisation and the 
username/password a particular application or individual within that 
organisation. Many other interpretations are possible.


Regards,

Matthias.
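The two checks discussed in this thread, a chain of trust to a configured root followed by an explicit mapping between a certificate's CN and the AMQP usernames it may act as, can be shown with Go's standard `crypto/x509` package. The example below is added here and is not code from the thread or from RabbitMQ; it assumes a hypothetical policy table `cnToUsers` in which one CN (an organisation, as Matthias suggests) maps to several usernames, and it issues its own throwaway CA and client certificates in memory so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical policy table (constructed for this example): each certificate
// CN names an organisation, and the usernames that organisation's certificate
// may log in as are listed explicitly. This is the many-to-many mapping the
// reply describes: one CN on one side, several usernames on the other.
var cnToUsers = map[string]map[string]bool{
	"org-a": {"app-a1": true, "app-a2": true},
	"org-b": {"app-b1": true},
}

var serial int64 // increasing serial numbers for the throwaway certificates

// sign fills in validity and serial number, then issues tmpl under parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA builds a self-signed root that is permitted to sign other certificates.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newClientCert issues a client-auth leaf with the given CN, signed by ca.
func newClientCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// authenticate is the broker-side decision: first establish a chain of trust
// from the presented certificate to a configured root, then check that the
// username the client also supplied is one its CN is allowed to act as.
// It returns the accepted AMQP username, or an error explaining the refusal.
func authenticate(client *x509.Certificate, roots *x509.CertPool, username string) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := client.Verify(opts); err != nil {
		return "", fmt.Errorf("no chain of trust to a configured root: %w", err)
	}
	cn := client.Subject.CommonName
	allowed, ok := cnToUsers[cn]
	if !ok {
		return "", fmt.Errorf("certificate CN %q has no user mapping", cn)
	}
	if !allowed[username] {
		return "", fmt.Errorf("CN %q may not log in as %q", cn, username)
	}
	return username, nil
}

func main() {
	ca, caKey, err := newCA("Test Root CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	client, err := newClientCert("org-a", ca, caKey)
	if err != nil {
		panic(err)
	}
	// The "certificate for A, credentials for B" case from the thread: the
	// chain verifies, but the policy table decides whether the pairing is valid.
	for _, user := range []string{"app-a1", "app-b1"} {
		u, err := authenticate(client, roots, user)
		fmt.Printf("CN=org-a username=%s -> accepted=%q err=%v\n", user, u, err)
	}
}
```

The point of separating the two steps is the one made in the reply: a verified chain only tells the broker which CA vouches for the certificate, and whether a given CN/username pairing "makes sense" is a policy decision that lives in the mapping table, not in the certificate or the password.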

