[rabbitmq-discuss] rabbitmq-c and SimpleAmqpClient SSL authentication

Dushin Fred fred at dushin.net
Sun Mar 30 21:29:32 BST 2014


Hi Folks,

I have run into two issues with the (admittedly unsupported) rabbitmq-c and SimpleAmqpClient libraries.  (I realize I am hijacking the RabbtiMQ mailing list for this topic, but I am guessing the Pivotal folks don't mind, because this should result in an improvement of the overall RabbitMQ ecosystem.)

The first issue is with the SimpleAmqpClient library.  It appears that there is no knob in the Channel::CreateSecureChannel operation to disable hostname verification of the RabbitMQ server.  There is a knob in the rabbitmq-c API (amqp_ssl_socket_set_verify), but you need a socket to call it, and the only reasonable place to do that is in the Channel constructor.  I am including a patch off the github 2.3 tag for doing just that, though for some reason I did not track down, I could not get boost::make_shared take my new constructor signature, so I just used the shared_ptr constructor in the raw.  That may not fit the current model, but it seems harmless for testing.

> Note.  The reason we should allow disabling hostname verification is that there are tightly constrained deployments in which it is unreasonable to expect the RabbitMQ server certificate to correspond with the hostname of the machine on which the server is deployed.  Besides, I would argue that hostname verification is really targeted at e-commerce scenarios -- if you look at the history, it really came out of HTTP, where users needed some mechanism over the relatively weak trust model implemented in Web Browsers.  (Who ever takes the time to scour their operating systems trust store, anyway?)

The second issue has to do with client certificate authentication and the use of the EXTERNAL authentication mechanism.  I have been unable to get my C++ clients to authenticate and authorize using the rabbitmq-auth-mechanism-ssl plugin to a RabbitMQ server which is configured to support the EXTERNAL authentication mechanism.  (I can get an Erlang client to authorize to the same server and using the same client certificates, so I am confident it is not a server-side configuration issue.)

If I look at the rabbitmq-c code, I see that the C client library and API only seems to support the PLAIN SASL method.  For example, see the sasl_response definition at [1].

I would assume we'd need to add something similar, in order to support the EXTERNAL SASL mechanism.  (It looks to be supported in the Java APIs, as well, looking at the Javadoc [2]).  If so, would I need to start here to nail down the command protocol for EXTERNAL?  (I am guessing reverse engineering one of the supported client libraries would be the way forward here.)  Any pointers to docs on the EXTERNAL mechanism (at least WRT SSL client auth) or existing code would be greatly appreciated.

Thanks,

-Fred

[1] https://github.com/alanxz/rabbitmq-c/blob/master/librabbitmq/amqp_socket.c
[2] http://www.rabbitmq.com/releases/rabbitmq-java-client/v3.2.4/rabbitmq-java-client-javadoc-3.2.4/com/rabbitmq/client/DefaultSaslConfig.html#EXTERNAL
[3] http://www.rabbitmq.com/amqp-0-9-1-reference.html#class.connection

encl.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.diff
Type: application/octet-stream
Size: 2541 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20140330/080e29fc/attachment.obj>


More information about the rabbitmq-discuss mailing list