[rabbitmq-discuss] Authenticate client using certificate only
matthias at rabbitmq.com
Tue Aug 17 10:35:31 BST 2010
On 17/08/10 08:36, jiri at krutil.com wrote:
> I was wondering if it is possible to configure the broker in a way that
> it will authenticate clients connecting over SSL using the client
> certificate only, without username and password?
This has been considered, but there are no concrete implementation plans
for such a feature.
> Let's say the client connects over SSL and presents a signed certificate
> containing the client user name in the certificate subject's Common
> Name. If the broker can establish a chain of trust to a configured root
> CA cert, the client identity is verified, which in my opinion completes
> the authentication. It then does not really make sense to require a
> username and a password.
In some specific use cases you might indeed want to associate AMQP user
identifies with a certificate's CN. In the general case though you'd
probably want to allow for a many-to-many mapping.
> Imagine a client connects using a trusted certificate for client A, but
> then provides a valid username/password combination for client B. Which
> client is it then?
Neither the certificate not the username/password carry intrinsically
identify a client. That identification is only the result of a specific
interpretation of the data. The way one chooses to interpret the
information determines whether particular combinations make sense or
not. So, for example, a CN might identify an organisation and the
username/password a particular application or individual within that
organisation. Many other interpretations are possible.
More information about the rabbitmq-discuss