[rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations

Warren Smith wsmith at tacc.utexas.edu
Tue Jul 5 14:40:32 BST 2011


I actually ended up tweaking the rabbitmq_auth_mechanism_ssl to do exactly this. In my situation, there are 100s of users of our overall infrastructure and they get their certificates from multiple certificate authorities, so it is quite possible for 2 different users to have the same CN.

All I ended up doing to the DN is removing the quotes and calling the result the RabbitMQ username. I can handle escaping the spaces in the DN, but Erlang seems to put quotes in different places than openssl and that would have made it difficult to automate things.

This has been working fine so far, but I'm still in the prototype stage so I only have a handful of users added. The usernames are quite long, but I don't think this will be a big deal for me since I can script a lot of the user management.


Warren


-----Original Message-----
From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Simon MacMullen
Sent: Tuesday, July 05, 2011 8:18 AM
To: rabbitmq-discuss at lists.rabbitmq.com
Subject: Re: [rabbitmq-discuss] rabbitmq_auth_mechanism_ssl limitations

On 05/07/11 14:01, Massimo Paladin wrote:
> This looks like limiting to certificates with only one and unique CN. Am
> I wrong?

Yes, that's correct.

A future enhancement could be to allow rabbitmq_auth_mechanism_ssl to 
use the DN instead - after all, that's really what it's for.

However, the (substantial) speedbump here is that RabbitMQ requires each 
user to have a user name, and each user name to be a string (I really 
wouldn't want to change that, implications would be far-reaching). But a 
DN isn't a string, it's an ASN.1 mess. And while there are a bunch of 
ways to convert that to a string, there's no good *canonical* way of 
doing it that I'm aware of.

But I'm not a great expert in x509 / ASN.1. I don't know if you are or 
not :) but what would you do?

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, VMware
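Simon's objection above is that a DN has no canonical string form; RFC 4514 at least gives a deterministic one once the attribute order and escaping rules are fixed. The added example below (not code from this thread or from rabbitmq_auth_mechanism_ssl) serialises an already-parsed subject DN that way into a RabbitMQ username, so that two certificates carrying the same CN from different issuers map to different users; the OID table and the sample DNs are constructed for the example.

```python
from typing import List, Tuple

# RFC 4514 section 3 short names for the attribute types this example accepts
# (constructed subset). Other types would need the RFC's "OID=#hex" form, so
# they are rejected rather than silently mis-rendered.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
              "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value as RFC 4514 section 2.4 requires."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)        # characters that delimit RDNs and values
        elif ch == "\x00":
            out.append("\\00")           # NUL is always hex-escaped
        elif ch == "#" and i == 0:
            out.append("\\#")            # a leading '#' would read as the hex form
        elif ch == " " and i in (0, last):
            out.append("\\ ")            # leading/trailing spaces are significant
        else:
            out.append(ch)
    return "".join(out)


def dn_to_username(rdns: List[List[Tuple[str, str]]]) -> str:
    """Serialise a parsed DN into one deterministic RFC 4514 string.

    `rdns` is the DN as a certificate stores it: a list of RDNs, root-most
    first, each RDN a list of (attribute OID, value) pairs. RFC 4514 prints
    the most specific RDN first, so the list is reversed; pairs inside one
    RDN are sorted by short name so that encoder ordering quirks cannot
    yield two usernames for one DN.
    """
    parts = []
    for rdn in reversed(rdns):
        avas = []
        for oid, value in rdn:
            if oid not in ATTR_NAMES:
                raise ValueError(f"unsupported attribute type {oid}")
            avas.append((ATTR_NAMES[oid], escape_rdn_value(value)))
        parts.append("+".join(f"{name}={val}" for name, val in sorted(avas)))
    return ",".join(parts)


# Constructed sample DNs: the same CN issued under two different organisations.
CN, O, C = "2.5.4.3", "2.5.4.10", "2.5.4.6"
USER_FROM_CA1 = [[(C, "US")], [(O, "Example Corp, Inc.")], [(CN, "Warren Smith")]]
USER_FROM_CA2 = [[(C, "US")], [(O, "Other Research CA")], [(CN, "Warren Smith")]]
```

The resulting names are long, as Warren notes, but they are stable across encoders as long as the same attribute table is used on both sides.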