[rabbitmq-discuss] ssl certificate to client lookup

Mark Steele msteele at beringmedia.com
Mon Jun 28 19:53:40 BST 2010


Here's a quick solution:

Just have your app load the client certificate on startup, extract the
common name, and add a header to your messages. It should be trivial to do
this in most programming languages.

The server is already validating that the certificate is valid at the
connection level, so there's no need for further verification.

Mark Steele
Director of development
Bering Media Inc.



On Mon, Jun 28, 2010 at 2:47 PM, Nathaniel Haggard <natester at gmail.com> wrote:

> On Mon, Jun 28, 2010 at 9:56 AM, Matthias Radestock
> <matthias at rabbitmq.com> wrote:
> > Lionel,
> >
> > Lionel Cons wrote:
> >>
> >> Matthew Sackman <matthew at rabbitmq.com> writes:
> >>>
> >>> On Thu, Jun 24, 2010 at 03:13:20PM -0600, Nathaniel Haggard wrote:
> >>>>
> >>>> It would be nice if rabbitmq set a header in messages with some
> >>>> metadata from the x509 certificate used to establish the ssl
> >>>> connection.
> >>>
> >>> Err, why?
> >>
> >> FWIW, we currently rely on this functionality: we use X.509 for
> >> authentication and we need to track down who sent a given message
> >> (think JMSXUserID as per http://activemq.apache.org/jmsxuserid.html).
> >
> > Couldn't you simply get the sender to sign the message and the recipient to
> > verify the signature? That requires the recipients to know the public keys
> > of the senders, but I suspect in most systems where recipients care about
> > the sender identity that would not be hard to arrange.
> >
> > Matthias.
>
> For my use case I could do that, but RabbitMQ is already verifying
> client certificates.  See
>
> [
>  {rabbit, [
>    {ssl_listeners, [{"0.0.0.0",5671}]},
>    {ssl_options, [{cacertfile,"/opt/rabbitmq/keys/ca.crt"},
>                   {certfile,"/opt/rabbitmq/keys/x.x.x.x.crt"},
>                   {keyfile,"/opt/rabbitmq/keys/x.x.x.x.key"},
>                   {verify,verify_peer},
>                   {fail_if_no_peer_cert,true}]}
>  ]}
> ].
>
> We plan to have thousands of clients connecting to RabbitMQ each with
> a different certificate and the same username.  Someone on this list
> didn't recommend managing that many users.
>
> Ideally Rabbit would pass along CNAME from a producer and the consumer
> would verify CNAME is good.
>
> (Sorry if you got this twice Matthias)
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>

