root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity
rabbitmq-server/deps/rabbitmq_auth_mechanism_ssl
History
Alexey Lebedeff 949b53543d Fix all dependencies for the dialyzer 
This is the latest commit in the series, it fixes (almost) all the
problems with missing and circular dependencies for typing.

The only 2 unsolved problems are:

- `lg` dependency for `rabbit` - the problem is that it's the only
  dependency that contains NIF. And there is no way to make dialyzer
  ignore it - looks like unknown check is not suppressable by dialyzer
  directives. In the future making `lg` a proper dependency can be a
  good thing anyway.

- some missing elixir function in `rabbitmq_cli` (CSV, JSON and
  logging related).

- `eetcd` dependency for `rabbitmq_peer_discovery_etcd` - this one
  uses sub-directories in `src/`, which confuses dialyzer (or our bazel
  machinery is not able to properly handle it). I've tried the latest
  rules_erlang which flattens directory for .beam files, but it wasn't
  enough for dialyzer - it wasn't able to find core erlang files. This
  is a niche plugin and an unusual dependency, so probably not worth
  investigating further.
 		2023-02-13 17:37:44 +01:00
..
src (c) year bump: 2022 => 2023 2023-01-01 23:17:36 -05:00
.gitignore Git: Ignore copied CLI 2019-12-12 13:25:15 +01:00
BUILD.bazel Fix all dependencies for the dialyzer 2023-02-13 17:37:44 +01:00
CODE_OF_CONDUCT.md Replace files with symlinks 2022-04-15 06:04:29 -07:00
CONTRIBUTING.md Replace files with symlinks 2022-04-15 06:04:29 -07:00
LICENSE Update LICENSE 2020-07-20 10:41:52 +01:00
LICENSE-MPL-RabbitMQ Revert drop of Exhibit B on MPL 2.0 2020-07-20 16:57:32 +01:00
Makefile Update Erlang.mk and switch to new xref code 2022-05-31 13:51:12 +02:00
README.md (c) year bump: 2022 => 2023 2023-01-01 23:17:36 -05:00

README.md

x509 (TLS/SSL) certificate Authentication Mechanism for RabbitMQ

This plugin allows RabbitMQ clients authenticate using x509 certificates and TLS (PKI) peer verification mechanism instead of credentials (username/password pairs).

How it Works

When a client connects and performs TLS upgrade, the username is obtained from the client's TLS (x509) certificate. The user's password is not checked.

In order to use this mechanism the client must connect with TLS enabled, and present a client certificate.

Usage

This mechanism must also be enabled in RabbitMQ's configuration file, see Authentication Mechanisms and Configuration guides for more details.

A couple of examples:

auth_mechanisms.1 = PLAIN
auth_mechanisms.1 = AMQPLAIN
auth_mechanisms.1 = EXTERNAL

to allow this mechanism in addition to the defaults, or:

auth_mechanisms.1 = EXTERNAL

to allow only this mechanism and prohibit connections that use username and passwords.

For safety the server must be configured with the SSL option 'verify' set to 'verify_peer', to ensure that if an SSL client presents a certificate, it gets verified.

Username Extraction from Certificate

Distinguished Name

By default this will set the username to an RFC 4514-ish string form of the certificate's subject's Distinguished Name, similar to that produced by OpenSSL's "-nameopt RFC 2253" option.

You can obtain this string form from a certificate with a command like:

openssl x509 -in path/to/cert.pem -nameopt RFC2253 -subject -noout

or from an existing amqps connection with commands like:

rabbitmqctl list_connections peer_cert_subject

Subject Alternative Name

To extract username from a Subject Alternative Name (SAN) field, a few settings need to be configured. Since a certificate can have more than one SAN field and they can represent identities of different types, the type and the index of the field to use must be provided.

For example, to use the first SAN value of type DNS:

auth_mechanisms.1 = EXTERNAL

ssl_cert_login_from      = subject_alternative_name
ssl_cert_login_san_type  = dns
ssl_cert_login_san_index = 0

Or of type email:

auth_mechanisms.1 = EXTERNAL

ssl_cert_login_from      = subject_alternative_name
ssl_cert_login_san_type  = email
ssl_cert_login_san_index = 0

Common Name

To use the Common Name instead, set rabbit.ssl_cert_login_from to common_name:

auth_mechanisms.1 = EXTERNAL

ssl_cert_login_from = common_name

Note that the authenticated user will then be looked up in the configured authentication / authorisation backend(s). This will be the internal node database by default but could include other backends if so configured.

Usage for MQTT Clients

To use this plugin with MQTT clients, set mqtt.ssl_cert_login to true:

# It makes no sense to allow or expect anonymous client connections
# with certificate-based authentication 
mqtt.allow_anonymous = false

# require the peer to provide a certificate, enforce certificate exchange
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

# allow MQTT connections to compute their name from client certificate's CN
# (for simplicity: CN has been deprecated in favor of SAN for a long time)
mqtt.ssl_cert_login = true
ssl_cert_login_from = common_name

Copyright & License

(c) 2007-2023 VMware, Inc. or its affiliates.

Released under the same license as RabbitMQ.