True.
On Mon, Feb 20, 2012 at 10:15:34AM -0500, Bell, Paul M. wrote:
Most helpful, Alex, thank you.

I did not realize that there was no requirement to authenticate the server. Yet I must assume that, even in this case, the server must be fitted with a certificate in order to accomplish an encrypted symmetric key exchange with the client and subsequent payload encryption.

True?

Thanks again.

-Paul
On Feb 20, 2012, at 10:07 AM, "Alexandru Scvorțov" wrote:

Hi Paul,
a. there is no requirement for mutual authentication, i.e., my clients need not carry their own certificates (I consider this an awkward deployment burden).
Correct. Authentication on both sides is optional. The broker can be
configured with {verify_peer, none} and {fail_if_no_peer_cert, false} so
that it accepts connection from anyone. Clients can be configured with
security managers (or whatever Java/.NET/Erlang calls them) to accept
connections to any broker.

So, you can have an un-authenticated, encrypted connection.
b. We should be able to distribute our corporate X.509 certificate (and private key, required by SSL) for use by Rabbit when clients authenticate it.
Yes, the broker needs access to the certificate and private key it was
configured with.
c. I *must* also provide the root certificate (e.g., Verisign) for our corporate certificate?
Assuming you want clients to authenticate the broker, yes.

Cheers,
Alex
On Mon, Feb 20, 2012 at 09:31:51AM -0500, Bell, Paul M. wrote:
Hello again,

By way of follow-up with Alexandru and the entire list, I've just been reading the piece at www.rabbitmq.com/ssl.html.

Do I rightly conclude that:

a. there is no requirement for mutual authentication, i.e., my clients need not carry their own certificates (I consider this an awkward deployment burden).
b. We should be able to distribute our corporate X.509 certificate (and private key, required by SSL) for use by Rabbit when clients authenticate it.
c. I *must* also provide the root certificate (e.g., Verisign) for our corporate certificate?

??

Please advise, thanks.

-Paul

-----Original Message-----
From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Alexandru Scvortov
Sent: Monday, January 30, 2012 6:37 PM
To: rabbitmq-discuss at lists.rabbitmq.com
Subject: Re: [rabbitmq-discuss] Securing RabbitMQ

(posting again to the m/l)
Quick q: does RabbitMQ allow presenting a hashed password?
No. The authentication system is pluggable, though, so you could
easily write your own mechanism (see the src/rabbit_auth_mechanism_*
files in the broker source tree for examples).

Cheers,
Alex

On Mon, Jan 30, 2012 at 02:47:00PM -0500, Bell, Paul M. wrote:
Thank you both.

Quick q: does RabbitMQ allow presenting a hashed password?

For example, you can configure a filer to accept MD5 hashed passwords. The principal that wants to authenticate with the filer hashes its password via MD5 and places the hashed password on the wire to the filer.

-paul
On Jan 30, 2012, at 5:13 AM, "Alexandru Scvorțov" wrote:

I tested this plugin some months ago and I found it very useful; my only concern is that it didn't support the CRL feature. The problem was due to the OpenSSL library used by Erlang, which didn't implement the CRL check, but AFAIK there was a plan to release a new version of that module from the Erlang team.
Is there some news about that?
As of R15B (released a month ago), they still don't support CRLs.

Cheers,
Alex
On Mon, Jan 30, 2012 at 09:43:40AM +0000, Rosa, Andrea wrote:
Hi
You could just not use passwords. If you use SSL connections, RabbitMQ
can authenticate users by the certificate they provide.

See the auth-mechanism-ssl plugin for details:
http://hg.rabbitmq.com/rabbitmq-auth-mechanism-ssl/file/default/README
I tested this plugin some months ago and I found it very useful; my only concern is that it didn't support the CRL feature. The problem was due to the OpenSSL library used by Erlang, which didn't implement the CRL check, but AFAIK there was a plan to release a new version of that module from the Erlang team.
Is there some news about that?

Cheers
--
Andrea Rosa
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq-discuss at lists.rabbitmq.com
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss


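As an added example (not code from the thread or from the RabbitMQ project), here is a classic rabbitmq.config fragment for the deployment Paul describes: encrypted connections on which clients authenticate the broker but carry no certificates of their own. The file paths are assumed placeholders.

```erlang
%% Added example, not from the thread: broker-side TLS configuration
%% matching points (a), (b) and (c) of Paul's question.
%% All paths below are placeholders (assumptions); the key file should be
%% readable only by the account the broker runs as.
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [
        %% (c) the CA chain that issued the broker certificate, so the
        %% broker can send it and clients can build a path to a trusted root.
        {cacertfile, "/etc/rabbitmq/certs/ca_chain.pem"},
        %% (b) the broker's own X.509 certificate and matching private key.
        {certfile,   "/etc/rabbitmq/certs/server_cert.pem"},
        {keyfile,    "/etc/rabbitmq/certs/server_key.pem"},
        %% (a) no mutual authentication: request a client certificate but
        %% let the handshake succeed when none is presented. Clients still
        %% verify the broker using the chain above.
        {verify,               verify_peer},
        {fail_if_no_peer_cert, false}
        %% Setting {verify, verify_none} instead would make the broker skip
        %% client-certificate checks entirely: encryption with no
        %% authentication of the client side, which is what Alex describes
        %% as an un-authenticated, encrypted connection.
     ]}
  ]}
].
```

If clients later do carry certificates, switching to {fail_if_no_peer_cert, true} turns the same listener into a mutually authenticated one.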
