Supporting both SSL+Password as well as SSL+Certificate based authentication

Supporting both SSL+Password as well as SSL+Certificate based authentication

vish.ramachandran
We have a use case where we want to support both:
1. "External" passwordless certificate-based authentication based on the rabbitmq-auth-mechanism-ssl plugin
2. "Plain" password-based authentication with SSL turned on, without the client needing to present a certificate. This is precisely what is described in the example at https://www.rabbitmq.com/ssl.html#enabling-ssl.

Below is the configuration in question.

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/opt/ssl4/cacert.pem"},
                    {certfile,"/opt/ssl4/cert.pem"},
                    {keyfile,"/opt/ssl4/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,true}]},
     {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
     {ssl_cert_login_from, common_name}
  ]}
].


With the above configuration, use case #1 is possible; however, use case #2 fails when the client does not present a certificate, since fail_if_no_peer_cert is set to true.

If I change fail_if_no_peer_cert to false, use case #2 works, but use case #1 fails with an "unsafe configuration error".

Can we configure RMQ to support both by:
1. verifying the certificate if one is presented along with a request to do external authentication
2. expecting a username/password if no certificate is presented and plain authentication is chosen
3. failing if external authentication is chosen and no certificate is presented

It does not seem right to mandate that password-based clients also present a valid certificate. If they could, then there would be no need for password-based authentication.
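As an added illustration (not part of the thread, and not RabbitMQ's code), the model below shows the policy the three points above ask for, using Python's ssl verify modes as a stand-in for the Erlang ssl_options: verify_peer with fail_if_no_peer_cert=false maps to CERT_OPTIONAL, so the TLS layer still validates any certificate that is presented but allows connections without one, and the authentication step then decides per mechanism. The credential store and certificate dict are constructed sample data.

```python
import ssl
from typing import Optional

# Constructed stand-in for the broker's user database (not RabbitMQ's).
PASSWORDS = {"alice": "s3cret"}


def verify_mode(verify_peer: bool, fail_if_no_peer_cert: bool) -> int:
    """Map the thread's ssl_options onto Python ssl verify modes.
    verify_peer + fail_if_no_peer_cert=true  -> client cert mandatory (use case 1 only)
    verify_peer + fail_if_no_peer_cert=false -> cert validated if presented, but a
    connection without one is still accepted (what use case 2 needs)."""
    if not verify_peer:
        return ssl.CERT_NONE
    return ssl.CERT_REQUIRED if fail_if_no_peer_cert else ssl.CERT_OPTIONAL


def common_name(peer_cert: Optional[dict]) -> Optional[str]:
    """Pull the CN out of the dict shape SSLSocket.getpeercert() returns
    (None when no cert was sent, {} when it was not validated)."""
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authenticate(mechanism: str, peer_cert: Optional[dict], credentials=None) -> str:
    """Return the authenticated username or raise PermissionError.
    With CERT_OPTIONAL a validated dict only exists if the chain checked out,
    so EXTERNAL can trust the CN (cf. ssl_cert_login_from = common_name);
    PLAIN ignores any cert and checks the password instead."""
    if mechanism == "EXTERNAL":
        cn = common_name(peer_cert)
        if cn is None:
            raise PermissionError("EXTERNAL chosen but no client certificate presented")
        return cn
    if mechanism == "PLAIN":
        if not credentials:
            raise PermissionError("PLAIN chosen but no username/password supplied")
        user, password = credentials
        if PASSWORDS.get(user) != password:
            raise PermissionError("bad username or password")
        return user
    raise PermissionError(f"unsupported mechanism {mechanism!r}")
```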

Re: Supporting both SSL+Password as well as SSL+Certificate based authentication

Simon MacMullen-2
On 16/04/2014 22:38, vish.ramachandran wrote:
> It does not seem right to mandate that password based clients also present
> valid certificate. If they could, then there is no need for password based
> authentication.

I'm afraid that is the requirement at the moment. A future release may
improve this situation.

Cheers, Simon

_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
Re: Supporting both SSL+Password as well as SSL+Certificate based authentication

vish.ramachandran
On Thu, Apr 17, 2014 at 4:55 AM, Simon MacMullen <[hidden email]> wrote:
> On 16/04/2014 22:38, vish.ramachandran wrote:
> > It does not seem right to mandate that password based clients also present
> > valid certificate. If they could, then there is no need for password based
> > authentication.
>
> I'm afraid that is the requirement at the moment. A future release may improve this situation.
>
> Cheers, Simon

Re: Supporting both SSL+Password as well as SSL+Certificate based authentication

Simon MacMullen-2
On 04/06/14 16:31, Viswanathan Ramachandran wrote:
> Can you please confirm if 3.3.2 will have this bug fix as well?

Yes, it will.

Cheers, Simon

--
Simon MacMullen
RabbitMQ, Pivotal
Re: Supporting both SSL+Password as well as SSL+Certificate based authentication

vish.ramachandran
Thanks for the quick turnaround on the fix.