Security Concern with Client Certificate Validation with trusted certificates in RabbitMQ


B Nagaraju Reddy

Dec 12, 2024, 7:29:22 AM
to rabbitmq-users
Hi Team,

I am using RabbitMQ with TLS and have successfully configured it to use certificates signed by a trusted CA. The setup works correctly, and clients using certificates issued by this CA can connect to the RabbitMQ server. However, I have encountered a potential security issue.

Problem

I have two sets of certificates:

  1. A set specifically issued for RabbitMQ clients (configured with the RabbitMQ server).
  2. Another set of certificates signed by the same trusted root CA, but intended for a different purpose.

Currently, any client that provides a certificate signed by the trusted CA—regardless of its intended purpose—can connect to the RabbitMQ server. I don't have this issue when RabbitMQ is configured with self-signed certificates, because the self-signed CA is the issuer itself.

I am enabling both of the options below in the RMQ SSL configuration:

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

How can I configure RabbitMQ to restrict client access to only certificates explicitly issued for this RabbitMQ instance?

Thanks,
Nagaraju

Luke Bakken

Dec 13, 2024, 11:56:32 AM
to rabbitmq-users
Hello, thanks for using RabbitMQ.

Please carefully read our community support guidelines:

Your question falls outside the scope for free support from Team RabbitMQ, but since it is a question that may help other RabbitMQ users, I will give input.

Currently, any client that provides a certificate signed by the trusted CA—regardless of its intended purpose—can connect to the RabbitMQ server

Yes, this is how X509 certificate authentication works. This isn't just RabbitMQ's behavior, by the way.

How can I configure RabbitMQ to restrict client access to only certificates explicitly issued for this RabbitMQ instance

You would have to introduce an intermediate CA to sign the certs used by your RabbitMQ clients.

Or, you can use X509 certificate authentication and password authentication. Use a username/password that is only known to your RabbitMQ client applications.

Thanks,
Luke

B Nagaraju Reddy

Dec 18, 2024, 2:10:48 AM
to rabbitmq-users

Hello Luke,

I sincerely appreciate the time and effort you took to address my questions. Your insights and suggestions were helpful and gave me clarity.

Thanks,
Nagaraju

B Nagaraju Reddy

Apr 30, 2025, 2:51:37 AM
to rabbitmq-users

Hello Luke,

Thank you again for your previous response — it was very helpful in framing the issue more clearly.

As a follow-up, I wanted to share that I tried introducing an intermediate CA specifically for signing RabbitMQ client certificates, as you suggested. However, RabbitMQ still accepts client certificates signed by any intermediate or directly by the root CA, not just the designated intermediate.

I went through the RabbitMQ and Erlang SSL documentation and double-checked the configuration. I'm already using the following:

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

I’m also using username and password authentication alongside client certificates.

From what I gather, RabbitMQ validates the certificate chain up to a trusted root CA, and as long as the chain is valid, it doesn't enforce restrictions on which intermediate CA was used, which is what I’d like to do.

I also looked into rabbitmq_auth_mechanism_ssl, but I am trying to solve this issue with an intermediate CA.

The root of the problem is that when I use a trusted CA (e.g., a public or internal enterprise CA), the Root CA might have signed many certificates for different systems and purposes. Since RabbitMQ trusts any certificate that chains up to the trusted root, any certificate signed by that CA (or its intermediates) is accepted — even if it wasn't intended for RabbitMQ access.

This becomes a security concern, as RabbitMQ can't distinguish between certificates meant for it and others issued for different services within the organization.

My Question:

How can I configure RabbitMQ to only accept client certificates signed by a specific intermediate CA, even if multiple intermediates chain to the same trusted root? Or is rabbitmq_auth_mechanism_ssl the only way forward for my use case?

Thanks again for your help.

Best regards,
Nagaraju
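The behaviour described in the post above (standard chain validation accepts any leaf that reaches the trusted root, through any intermediate) and the policy the poster wants (accept only leaves whose immediate issuer is one designated intermediate) can be made concrete in a few lines of Go. The following is an added illustration, not RabbitMQ or Erlang code and not anything from this thread: it builds a throwaway PKI in memory (one root, two intermediates, one client certificate under each; all names and serials are constructed), runs Go's stock chain validation on both clients, and then layers an issuer-pinning check on top of the validated chain. The function names (`BuildDemoPKI`, `VerifyChainOnly`, `VerifyPinnedIssuer`) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues one certificate of the constructed in-memory PKI.
// parent == nil yields a self-signed root; otherwise parent/parentKey sign it.
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoPKI mirrors the poster's situation: one enterprise root, one intermediate
// dedicated to RabbitMQ clients, one intermediate for some other service, and a
// client certificate under each intermediate. All of it is constructed here.
type DemoPKI struct {
	Root, RmqInter, OtherInter, RmqClient, OtherClient *x509.Certificate
}

func BuildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := mkCert("Enterprise Root CA (constructed)", true, 1, nil, nil)
	if err != nil {
		return nil, err
	}
	rmqInter, rmqKey, err := mkCert("RabbitMQ Clients Intermediate (constructed)", true, 2, root, rootKey)
	if err != nil {
		return nil, err
	}
	otherInter, otherKey, err := mkCert("Other Service Intermediate (constructed)", true, 3, root, rootKey)
	if err != nil {
		return nil, err
	}
	rmqClient, _, err := mkCert("rmq-app-01 (constructed)", false, 10, rmqInter, rmqKey)
	if err != nil {
		return nil, err
	}
	otherClient, _, err := mkCert("billing-batch-07 (constructed)", false, 11, otherInter, otherKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{root, rmqInter, otherInter, rmqClient, otherClient}, nil
}

// VerifyChainOnly is what plain chain validation amounts to: the trusted root
// is the only anchor, the client supplies its own intermediate, and any leaf
// that reaches the root with a client-auth EKU is accepted.
func VerifyChainOnly(leaf, root, presentedInter *x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(presentedInter)
	return leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
}

// VerifyPinnedIssuer adds the missing policy: after chain validation succeeds,
// the leaf's immediate issuer in the validated chain must be the designated
// intermediate (compared by exact DER, so a re-issued intermediate is rejected
// until the pin is updated).
func VerifyPinnedIssuer(leaf, root, presentedInter, pinnedInter *x509.Certificate) error {
	chains, err := VerifyChainOnly(leaf, root, presentedInter)
	if err != nil {
		return err
	}
	for _, chain := range chains { // chain[0] is the leaf, chain[1] its issuer
		if len(chain) >= 2 && bytes.Equal(chain[1].Raw, pinnedInter.Raw) {
			return nil
		}
	}
	return errors.New("certificate chains to the trusted root, but not via the designated intermediate CA")
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name        string
		leaf, inter *x509.Certificate
	}{
		{"RabbitMQ client", p.RmqClient, p.RmqInter},
		{"other-service client", p.OtherClient, p.OtherInter},
	}
	for _, c := range cases {
		_, chainErr := VerifyChainOnly(c.leaf, p.Root, c.inter)
		pinErr := VerifyPinnedIssuer(c.leaf, p.Root, c.inter, p.RmqInter)
		fmt.Printf("%-21s chain-only accepted: %-5v pinned-issuer accepted: %v\n", c.name, chainErr == nil, pinErr == nil)
	}
}
```

Both clients pass `VerifyChainOnly`, which is exactly the symptom reported in the thread; only the RabbitMQ client passes `VerifyPinnedIssuer`. Pinning by the intermediate's DER is the strictest form; pinning by its Subject Key Identifier or public key instead survives a routine re-issue of the intermediate with the same key. In Erlang's `ssl` application the hook for this kind of decision is the documented `partial_chain` option, which lets a callback nominate an intermediate as the trust anchor; whether a given RabbitMQ release exposes that option through its configuration surface is not something this thread establishes, so treat that as a pointer to check rather than a statement about RabbitMQ.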

Luke Bakken

Apr 30, 2025, 9:11:46 AM
to rabbitmq-users

From what I gather, RabbitMQ validates the certificate chain up to a trusted root CA, and as long as the chain is valid, it doesn't enforce restrictions on which intermediate CA was used, which is what I’d like to do.

I also looked into rabbitmq_auth_mechanism_ssl, but I am trying to solve this issue with an intermediate CA.

The root of the problem is that when I use a trusted CA (e.g., a public or internal enterprise CA), the Root CA might have signed many certificates for different systems and purposes. Since RabbitMQ trusts any certificate that chains up to the trusted root, any certificate signed by that CA (or its intermediates) is accepted — even if it wasn't intended for RabbitMQ access.

I'm assuming that you have concatenated your Root CA and intermediate into the cacertfile file.

I've never tried it, but see what happens if you only have the intermediate CA you wish to use. I'm guessing that it probably won't work, but it's worth a try.

Your next step would be to start a discussion here to see if the feature you need could be implemented - https://github.com/rabbitmq/rabbitmq-server/discussions

Please note that you must provide everything needed to observe the same behavior as what you describe. You can use this project to generate certs - https://github.com/rabbitmq/tls-gen/tree/main/one_intermediate

Good luck!
Luke

B Nagaraju Reddy

May 15, 2025, 3:50:06 AM
to rabbitmq-users
Hi Luke,

I have tried with only the intermediate certificate, and as you guessed, it didn't work.

After doing some research on client certificate authentication in RabbitMQ, I came across this helpful article:
🔗 https://cjshelton.github.io/blog/2019/12/18/rabbitmq-client-certificate-authentication.html

Since I am aiming for client authentication, I am currently exploring the rabbitmq-auth-mechanism-ssl plugin to achieve this.

Regards,
Nagaraju