common_name is ignored and whole DN is used for EXTERNAL SSL auth


Sergei Franco

Jun 9, 2017, 12:41:38 AM
to rabbitmq-users
Hi

I have stumbled upon an interesting problem with rabbitmq-server version 3.5.7-1ubuntu0.16.04.1 (Ubuntu 16.04 LTS 64bit).

The problem seems to be that rabbitmq ignores common_name settings for SSL auth.
Here is the relevant config:

   {ssl_listeners, [{'0.0.0.0',5671}]},
   {ssl_options, [{cacertfile,"/etc/rabbitmq/server/cacert.pem"},
                  {certfile,"/etc/rabbitmq/server/cert.pem"},
                  {keyfile,"/etc/rabbitmq/server/key.pem"},
                  {verify,verify_peer},
                  {ssl_cert_login_from,common_name},
                  {fail_if_no_peer_cert,false}]},

Here is the error message:

   {handshake_error,starting,0,
                    {amqp_error,access_refused,
                                "EXTERNAL login refused: user 'O=client,CN=Client' - invalid credentials",
                                'connection.start_ok'}


When the user is added as the whole DN (e.g. 'O=client,CN=Client'), auth succeeds; if 'Client' is used as the username, it fails with the error above.

Any ideas?

Sergei.

Michael Klishin

Jun 9, 2017, 8:46:24 AM
to rabbitm...@googlegroups.com
Are you looking to use Common Name for username?

If so, you can, just set `rabbit.ssl_cert_login_from` to `common_name` in the config. Valid values
are `common_name` and `distinguished_name`, the latter is used by default.

Curiously this has been around for years but is not mentioned in the x509 certificate authentication guide :(

We will mention it and add a couple of examples.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Sergei Franco

Jun 9, 2017, 9:11:17 AM
to rabbitmq-users
Yes!

Thank you!

I will try this once I have a chance and will report back.
Best regards.


Sergei.

Sergei Franco

Jun 11, 2017, 6:41:05 PM
to rabbitmq-users
Hi,

There was nothing wrong with rabbitmq, {ssl_cert_login_from,common_name} was not in the right place. Rookie mistake.

Thank you very much for pointing in the right direction!

The mistake was a bit embarrassing, and very simple: we put the {ssl_cert_login_from,common_name} inside of {ssl_options ...} block. It should be on its own...

Now it is all working!

Best regards.

Sergei.


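For readers who land here with the same symptom, here is the placement Michael's reply and Sergei's follow-up describe, written out as an added example in the classic `rabbitmq.config` term format (this is not config from the thread or from the RabbitMQ project; the file paths are the ones Sergei posted, and the `auth_mechanisms` line and `fail_if_no_peer_cert` value are my assumptions for a listener that is meant to accept certificate login only):

```erlang
%% Added example, not from the original thread. Classic rabbitmq.config
%% (Erlang term) format: a list of {Application, [Settings]} tuples.
[
  {rabbit, [
    {ssl_listeners, [{"0.0.0.0", 5671}]},

    %% TLS settings proper. Everything in here is handed to the Erlang
    %% ssl application, which is why an unknown key such as
    %% ssl_cert_login_from has no effect when placed inside this list.
    {ssl_options, [
      {cacertfile, "/etc/rabbitmq/server/cacert.pem"},
      {certfile,   "/etc/rabbitmq/server/cert.pem"},
      {keyfile,    "/etc/rabbitmq/server/key.pem"},
      {verify,     verify_peer},
      %% Assumption: the listener exists only for certificate login, so a
      %% client that presents no certificate is rejected at the handshake
      %% rather than being allowed in and failing EXTERNAL later.
      {fail_if_no_peer_cert, true}
    ]},

    %% Assumption: offer the x509 EXTERNAL mechanism (provided by the
    %% rabbitmq_auth_mechanism_ssl plugin) alongside PLAIN.
    {auth_mechanisms, ['EXTERNAL', 'PLAIN']},

    %% The key belongs here, at the rabbit level, as rabbit.ssl_cert_login_from.
    %% common_name       -> username is the certificate's CN ("Client")
    %% distinguished_name -> username is the whole DN (the default, which
    %%                       is why 'O=client,CN=Client' worked earlier)
    {ssl_cert_login_from, common_name}
  ]}
].
```

Whichever value is chosen, the derived name must match a user that already exists in RabbitMQ's internal database; the "invalid credentials" refusal in the original log is what the broker reports when the name it derived from the certificate (here the full DN) does not match any user, so checking the exact spelling of the user against the CN is the first thing to verify when this setting appears to be ignored.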

Michael Klishin

Jun 11, 2017, 7:31:05 PM
to rabbitm...@googlegroups.com
Hi Sergei,

Thank you for reporting back.

I updated the examples in https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl while documenting
the key. The new examples should provide a bit more context. Let me know what you think.

Cheers.


Sergei Franco

Jun 12, 2017, 6:21:33 PM
to rabbitmq-users
Hi Michael,

Documentation looks great!

Thank you very much!


Sergei.