[rabbitmq-discuss] x509 Authentication

Warren Smith wsmith at tacc.utexas.edu
Thu Jan 5 14:44:22 GMT 2012

The reason that I ended up removing quotes from DNs is because (if I remember correctly) for the same certificate, a DN from Erlang would sometimes have quotes but the DN from openssl would not. I was using a script that invoked "openssl x509 -in <cert.pem> -subject" and then "rabbitmqctl add_user ...; rabbitmqctl set_permissions ..." to add users to rabbitmq. I couldn't quickly figure out a pattern when erlang added quotes (it wasn't as simple as the RDN having a space in it), so I just stripped them all out in the DN received by my modified rabbitmq_auth_mechanism_ssl.

I agree that this type of DN cleanup isn't really required, but it made things easier for me and apparently for Lionel, also.


-----Original Message-----
From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Simon MacMullen
Sent: Thursday, January 05, 2012 4:33 AM
To: rabbitmq-discuss at lists.rabbitmq.com
Subject: Re: [rabbitmq-discuss] x509 Authentication

On 21/12/11 07:22, Lionel Cons wrote:
> It would really be good to improve X.509 authentication in a 
> consistent way in RabbitMQ. Things I can think of:
>   - use common code between AMQP and STOMP


>   - use DN rather than CN, maybe via a configurable option


>   - standard DN cleanup (such as your quotes removal)

Umm, really? The question of how to canonically construct a string representation of a DN is annoyingly fiddly, but I really don't believe removing quotes is likely to be a part of it.

We'd probably have to aim for "whatever OpenSSL does" and "whatever Active Directory does" as goals for how to do it. Let us pray to the god of ASN.1 (some sort of Eldritch abomination I'm sure) that both of those are the same thing...

Cheers, Simon

Simon MacMullen
RabbitMQ, VMware
rabbitmq-discuss mailing list
rabbitmq-discuss at lists.rabbitmq.com

More information about the rabbitmq-discuss mailing list