Merge branch 'stable'

Conflicts:
	README.md

deps/rabbitmq_auth_mechanism_ssl/README.md

@@ -1,35 +1,61 @@
 # x509 (TLS/SSL) certificate Authentication Mechanism for RabbitMQ
 
-Authenticates the user, obtaining the username from the client's
+This plugin allows RabbitMQ clients authenticate using x509 certificates
-SSL certificate. The user's password is not checked.
+and TLS (PKI) [peer verification mechanism](https://tools.ietf.org/html/rfc5280#section-6)
+instead of credentials (username/password pairs).
 
-In order to use this mechanism the client must connect over SSL, and
+
+## How it Works
+
+When a client connects and performs TLS upgrade, 
+the username is obtained from the client's
+TLS (x509) certificate. The user's password is not checked.
+
+In order to use this mechanism the client must connect with TLS enabled, and
 present a client certificate.
 
-The mechanism must also be enabled in RabbitMQ's configuration file -
+
-see [TLS Authentication guide](http://www.rabbitmq.com/authentication.html) for more details, or
+## Usage
-in short, ensure that the 'rabbit' section of your configuration
+
-contains:
+This mechanism must also be enabled in RabbitMQ's configuration file,
+see [Authentication Mechanisms](http://www.rabbitmq.com/authentication.html) and
+[Configuration](http://www.rabbitmq.com/configure.html) guides for
+more details.
+
+A couple of examples:
 
 ``` erlang
-{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']}
+[
+  {rabbit, [
+    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']}
+  ]}
+].
 ```
 
 to allow this mechanism in addition to the defaults, or:
 
 ``` erlang
-{auth_mechanisms, ['EXTERNAL']}
+[
+  {rabbit, [
+    {auth_mechanisms, ['EXTERNAL']}
+  ]}
+].
 ```
 
-to allow only this mechanism.
+to allow only this mechanism and prohibit connections that use
+username and passwords.
 
 For safety the server must be configured with the SSL option 'verify'
 set to 'verify_peer', to ensure that if an SSL client presents a
 certificate, it gets verified.
 
-By default this will set the username to an RFC4514-ish string form of
+### Username Extraction from Certificate
+
+#### Distinguished Name
+
+By default this will set the username to an [RFC 4514](https://tools.ietf.org/html/rfc4514)-ish string form of
 the certificate's subject's Distinguished Name, similar to that
-produced by OpenSSL's "-nameopt RFC2253" option.
+produced by OpenSSL's "-nameopt [RFC 2253"](https://tools.ietf.org/html/rfc2253) option.
 
 You can obtain this string form from a certificate with a command like:
 
@@ -43,20 +69,27 @@ or from an existing amqps connection with commands like:
 rabbitmqctl list_connections peer_cert_subject
 ```
 
-To use the Common Name instead, ensure that the 'rabbit' section of
+#### Common Name
-your configuration contains:
+
+To use the Common Name instead, set `rabbit.ssl_cert_login_from` to `common_name`:
 
 ```
-{ssl_cert_login_from, common_name}
+[
+  {rabbit, [
+    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
+    {ssl_cert_login_from, common_name}
+  ]}
+].
 ```
 
 Note that the authenticated user will then be looked up in the
-configured authentication / authorisation backend(s) - this will be
+[configured authentication / authorisation backend(s)](http://www.rabbitmq.com/access-control.html). This will be
-the mnesia-based user database by default, but could include other
+the internal node database by default but could include other
 backends if so configured.
 
+
 ## Copyright & License
 
-(c) Pivotal Software Inc., 2007-2016.
+(c) Pivotal Software Inc., 2007 — 2017.
 
 Released under the same license as RabbitMQ.