Hello,

I've been trying out RabbitMQ over the past month and I must say I'm
impressed, especially with the management and STOMP plugins. Well done!

I decided that using SSL client certificates is important for the kind of
deployment I'm working on, so I created a patch (attached to this email)
that enables the STOMP plugin to authenticate clients using the CN field of
SSL client certificates, similar to the rabbitmq_auth_mechanism_ssl plugin.
The patch is based on the 2.7.1 release tag. I have tested it by hand and
it seems to do the trick. I hope it can be integrated into the next release
of RabbitMQ; please let me know if there are problems I ought to fix.

To use the new feature, add ssl_cert_login to the default_user options of
the rabbitmq_stomp options in rabbitmq.config, then configure the STOMP
client to omit the login and passcode headers from the CONNECT frame. Here
is a sample rabbitmq.config:

[
  {rabbit, [
    {ssl_options, [
      {cacertfile,           "mq/ca/ca.crt"},
      {certfile,             "mq/server/rabbitmq-dev.crt"},
      {keyfile,              "mq/server/rabbitmq-dev.key"},
      {verify,               verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]},
  {rabbitmq_stomp, [
    {tcp_listeners, [61613]},
    {ssl_listeners, [61614]},
    {default_user,  [ssl_cert_login]}
  ]}
].

Shane

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rabbit_stomp_ssl_cert_login.patch
Type: text/x-diff
Size: 11095 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20120216/5b1a4f80/attachment.patch>
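The client side of the setup described above, as an added example that is not code from the original post, the attached patch or RabbitMQ: a TLS context that presents a client certificate, and a STOMP CONNECT frame that omits the login and passcode headers so the broker authenticates the peer certificate instead. Certificate paths, host name and the client certificate itself are assumptions; the port is the ssl_listeners port from the sample config.

```python
"""STOMP CONNECT over TLS, authenticated by client certificate.

Added example; not code from the original post, the attached patch or
RabbitMQ.  Certificate paths, host name and the client certificate are
assumptions.
"""
import socket
import ssl

STOMP_TLS_PORT = 61614  # the ssl_listeners port in the sample rabbitmq.config


def build_connect_frame(login=None, passcode=None, extra=None):
    """Serialise a STOMP CONNECT frame as bytes.

    With login and passcode left as None the headers are omitted entirely.
    That is the shape ssl_cert_login expects; sending "login:" with an empty
    value would instead look like a password login attempt.
    """
    headers = [("accept-version", "1.0,1.1")]
    if login is not None:
        headers.append(("login", login))
    if passcode is not None:
        headers.append(("passcode", passcode))
    headers.extend((extra or {}).items())
    lines = ["CONNECT"] + ["%s:%s" % (k, v) for k, v in headers]
    return ("\n".join(lines) + "\n\n").encode("utf-8") + b"\x00"


def parse_frame(data):
    """Parse one NUL-terminated STOMP frame into (command, headers, body)."""
    if not data.endswith(b"\x00"):
        raise ValueError("frame is not NUL-terminated")
    head, _, body = data[:-1].partition(b"\n\n")
    lines = head.decode("utf-8").split("\n")
    command, headers = lines[0], {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(key, value)  # STOMP: first occurrence of a header wins
    return command, headers, body


def make_client_context(cafile, certfile, keyfile):
    """TLS context that verifies the broker against cafile and presents our
    own certificate and key, which the broker checks against its cacertfile."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def connect(host, port, ctx, timeout=5.0):
    """Open TLS, send CONNECT without credentials, return the parsed reply.

    Per the STOMP protocol the broker answers CONNECTED on success and an
    ERROR frame if it refuses the connection.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_connect_frame())
            reply = b""
            while b"\x00" not in reply:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("broker closed the connection before replying")
                reply += chunk
            frame, _, _ = reply.partition(b"\x00")
            return parse_frame(frame + b"\x00")


if __name__ == "__main__":
    # Assumed paths: the CA from the sample config plus a client cert it signed.
    context = make_client_context("mq/ca/ca.crt",
                                  "mq/client/client.crt", "mq/client/client.key")
    print(connect("localhost", STOMP_TLS_PORT, context))
```

Because the sample config sets fail_if_no_peer_cert to true, a client that connects without loading a certificate is rejected during the TLS handshake, before any STOMP frame is exchanged; only a client that presents a certificate signed by the configured CA reaches the CONNECT step shown here.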

  • Lionel Cons at Feb 20, 2012 at 7:47 am

    Shane Hathaway <shane.hathaway at gmail.com> writes:
    > I decided that using SSL client certificates is important for the kind of
    > deployment I'm working on, so I created a patch (attached to this email)

    Shane,

    It's good to see others interested in good X.509 authentication in RabbitMQ.

    IMHO, improvements in this area should follow what has already been discussed:
    http://groups.google.com/group/rabbitmq-discuss/browse_thread/thread/3c490aa6ab2b6c11/fdf693d284916526
    in particular: flexibility (CNs are not suitable in some environments, DNs
    look more versatile) and uniformity (same Erlang code for AMQP, STOMP &
    management interfaces).

    Cheers,

    Lionel
  • Simon MacMullen at Feb 20, 2012 at 11:40 am

    On 20/02/12 07:47, Lionel Cons wrote:
    > Shane Hathaway <shane.hathaway at gmail.com> writes:
    > > I decided that using SSL client certificates is important for the kind of
    > > deployment I'm working on, so I created a patch (attached to this email)
    > Shane,
    >
    > It's good to see others interested in good X.509 authentication in RabbitMQ.
    >
    > IMHO, improvements in this area should follow what has already been discussed:
    > http://groups.google.com/group/rabbitmq-discuss/browse_thread/thread/3c490aa6ab2b6c11/fdf693d284916526
    > in particular: flexibility (CNs are not suitable in some environments, DNs
    > look more versatile) and uniformity (same Erlang code for AMQP, STOMP &
    > management interfaces).

    Aye, there's the rub.

    So this is a problem with Shane's patch (sorry Shane). It was made
    against 2.7.1 and contains some code copied from
    rabbitmq-auth-mechanism-ssl. But:

    * On default this code has changed to support DNs and somewhat support
    multiple CNs.

    * This code really should be pulled into the broker and shared.

    I'm not sure how fair it is to ask Shane to do this (it's rather more
    intrusive), so I'll have a look at doing it myself...

    Cheers, Simon

    --
    Simon MacMullen
    RabbitMQ, VMware
  • Shane Hathaway at Feb 20, 2012 at 1:05 pm
    [Switching to my preferred email address now that I've signed up
    properly for the mailing list.]
    On 02/20/2012 04:40 AM, Simon MacMullen wrote:
    > On 20/02/12 07:47, Lionel Cons wrote:
    > > It's good to see others interested in good X.509 authentication in
    > > RabbitMQ.
    > >
    > > IMHO, improvements in this area should follow what has already been
    > > discussed:
    > > http://groups.google.com/group/rabbitmq-discuss/browse_thread/thread/3c490aa6ab2b6c11/fdf693d284916526
    > >
    > > in particular: flexibility (CNs are not suitable in some
    > > environments, DNs
    > > look more versatile) and uniformity (same Erlang code for AMQP, STOMP &
    > > management interfaces).

    Thanks for the review and the pointer to the email threads. I can see
    the value of using DNs.

    > Aye, there's the rub.
    >
    > So this is a problem with Shane's patch (sorry Shane). It was made
    > against 2.7.1 and contains some code copied from
    > rabbitmq-auth-mechanism-ssl. But:
    >
    > * On default this code has changed to support DNs and somewhat support
    > multiple CNs.
    >
    > * This code really should be pulled into the broker and shared.
    >
    > I'm not sure how fair it is to ask Shane to do this (it's rather more
    > intrusive), so I'll have a look at doing it myself...

    I'm glad to hear that. I can contribute if it would help get this into
    the next release; just give me specific instructions.

    Shane
  • Simon MacMullen at Feb 20, 2012 at 5:14 pm

    On 20/02/12 13:05, Shane Hathaway wrote:
    > I'm glad to hear that. I can contribute if it would help get this into
    > the next release; just give me specific instructions.

    Well, I've just hacked on this myself. If you want to test it that would
    be cool. You'll need branch bug24182 of the stomp plugin and the broker
    (and any other plugins will need to be from default, not 2.7.1).

    The config is the same as yours was BUT:

    * ssl_cert_login is moved "up" from inside default_user:

    [
    {rabbitmq_stomp, [{ssl_cert_login, true}]}
    ].

    (as is implicit_connect if you use that).

    * It uses DNs by default, add

    {rabbit, [{ssl_cert_login_from, common_name}]}

    to use CNs.

    Cheers, Simon

    --
    Simon MacMullen
    RabbitMQ, VMware
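The CN-versus-DN point Lionel raises and Simon's ssl_cert_login_from setting, as an added example that is not code from RabbitMQ or from anyone in the thread: two constructed certificate subjects that share a Common Name but sit in different OUs map to the same user when the broker logs in by CN and to different users when it uses the full DN. The subject tuples use the shape Python's ssl.SSLSocket.getpeercert() returns under "subject"; the DN string is an RFC 4514-style rendering chosen for this illustration, not RabbitMQ's own formatting, and the value name distinguished_name for the DN mode is an assumption, since Simon's message names only common_name.

```python
"""Username derivation from a client-certificate subject: CN versus DN.

Added example; not code from RabbitMQ or from anyone in the thread.  The
subjects below are constructed.  The DN rendering is RFC 4514 style, not
RabbitMQ's exact format, and "distinguished_name" as the name of the DN
mode is an assumption.
"""

# Attribute type names as getpeercert() spells them, with RFC 4514 short forms.
SHORT_NAMES = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
}

# Constructed subjects.  A and B are two sensors with the same CN in
# different OUs.  FORGED has a CN containing a comma, chosen so that an
# unescaped DN rendering would collide with A's DN.
SENSOR_A = ((("countryName", "CH"),), (("organizationName", "Example"),),
            (("organizationalUnitName", "plant-a"),), (("commonName", "sensor"),))
SENSOR_B = ((("countryName", "CH"),), (("organizationName", "Example"),),
            (("organizationalUnitName", "plant-b"),), (("commonName", "sensor"),))
FORGED = ((("countryName", "CH"),), (("organizationName", "Example"),),
          (("commonName", "sensor,OU=plant-a"),))


def escape_rfc4514(value):
    """Escape an attribute value so it cannot inject extra RDN components."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def common_name(subject):
    """The single CN; refuses certificates with zero or several CNs rather
    than guessing which one is the user."""
    cns = [v for rdn in subject for k, v in rdn if k == "commonName"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN, found %d" % len(cns))
    return cns[0]


def distinguished_name(subject):
    """RFC 4514 string: RDNs most-specific first, every value escaped."""
    rdns = []
    for rdn in reversed(subject):
        rdns.append("+".join("%s=%s" % (SHORT_NAMES.get(k, k), escape_rfc4514(v))
                             for k, v in rdn))
    return ",".join(rdns)


def username(subject, login_from="distinguished_name"):
    """Pick the user name the way an ssl_cert_login_from switch would."""
    if login_from == "common_name":
        return common_name(subject)
    if login_from == "distinguished_name":
        return distinguished_name(subject)
    raise ValueError("unknown ssl_cert_login_from value: %r" % login_from)


if __name__ == "__main__":
    for name, subj in (("A", SENSOR_A), ("B", SENSOR_B), ("forged", FORGED)):
        print(name, username(subj, "common_name"), "|", username(subj))
```

The escaping matters as soon as user names are compared as strings: whoever can obtain a certificate whose CN contains "," from the same CA could otherwise produce a DN string equal to another principal's, so a DN-based login must render values with their special characters escaped or compare structured subjects rather than strings.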

Discussion Overview
group: rabbitmq-discuss
categories: rabbitmq
posted: Feb 16, '12 at 8:09p
active: Feb 20, '12 at 5:14p
posts: 5
users: 4
website: rabbitmq.com
irc: #rabbitmq
