[rabbitmq-discuss] ssl certificate to client lookup

Nathaniel Haggard natester at gmail.com
Mon Jun 28 19:47:13 BST 2010

On Mon, Jun 28, 2010 at 9:56 AM, Matthias Radestock
<matthias at rabbitmq.com> wrote:
> Lionel,
> Lionel Cons wrote:
>> Matthew Sackman <matthew at rabbitmq.com> writes:
>>> On Thu, Jun 24, 2010 at 03:13:20PM -0600, Nathaniel Haggard wrote:
>>>> It would be nice if rabbitmq set a header in messages with some
>>>> metadata from the x509 certificate used to establish the ssl
>>>> connection.
>>> Err, why?
>> FWIW, we currently rely on this functionality: we use X.509 for
>> authentication and we need to track down who sent a given message
>> (think JMSXUserID as per http://activemq.apache.org/jmsxuserid.html).
> Couldn't you simply get the sender to sign the message and the recipient to
> verify the signature? That requires the recipients to know the public keys
> of the senders, but I suspect in most systems where recipients care about
> the sender identity that would not be hard to arrange.
> Matthias.

For my use case I could do that, but RabbitMQ is already verifying
client certificates.  See

 {rabbit, [
    {ssl_listeners, [{"",5671}]},
    {ssl_options, [{cacertfile,"/opt/rabbitmq/keys/ca.crt"},

We plan to have thousands of clients connecting to RabbitMQ each with
a different certificate and the same username.  Someone on this list
didn't recommend managing that many users.

Ideally Rabbit would pass along CNAME from a producer and the consumer
would verify CNAME is good.

(Sorry if you got this twice Matthias)
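
The sign-and-verify approach suggested in the quoted reply, sketched as an added example that is not part of the original thread and not RabbitMQ code: the producer signs the message body together with the CN it claims, and the consumer accepts that CN only if the signature verifies under the key it holds for it. Ed25519, the Envelope layout, and the names KeyDirectory, NewIdentity, Seal and Open are assumptions chosen for illustration; the thread names no algorithm or format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Envelope struct { // hypothetical wire format, not an AMQP structure
	SenderCN  string
	Body, Sig []byte
}

type KeyDirectory map[string]ed25519.PublicKey // CN -> key the consumer trusts

// NewIdentity makes a constructed sample key pair (stand-in for a client's cert key).
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// signedBytes length-prefixes the CN so the CN/body boundary is unambiguous.
func signedBytes(cn string, body []byte) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(cn), cn)), body...)
}

// Seal is the producer side: the signature covers the claimed CN and the body.
func Seal(cn string, priv ed25519.PrivateKey, body []byte) Envelope {
	return Envelope{cn, body, ed25519.Sign(priv, signedBytes(cn, body))}
}

// Open is the consumer side: it returns the CN only if the signature verifies.
func Open(known KeyDirectory, e Envelope) (string, error) {
	pub, ok := known[e.SenderCN]
	if !ok {
		return "", fmt.Errorf("unknown sender CN %q", e.SenderCN)
	}
	if !ed25519.Verify(pub, signedBytes(e.SenderCN, e.Body), e.Sig) {
		return "", fmt.Errorf("signature does not match claimed CN %q", e.SenderCN)
	}
	return e.SenderCN, nil
}

func main() {
	pubA, privA := NewIdentity()
	pubB, privB := NewIdentity()
	known := KeyDirectory{"client-a": pubA, "client-b": pubB}
	fmt.Println(Open(known, Seal("client-a", privA, []byte("reading=42"))))
	fmt.Println(Open(known, Seal("client-a", privB, []byte("reading=42")))) // B claims to be A
}
```

Because every client shares one broker username in the setup described above, the second call is the case that matters: a client with a valid key of its own still cannot publish under another client's CN.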
