How to validate client certificate by thumbprint/subjectname in Rabbitmq ssl?


Srikanth P Vasist

Jun 11, 2015, 9:19:47 AM
to rabbitm...@googlegroups.com

Hi,

{verify,verify_peer}

This does a full chain validation of the client certificate. I actually want to validate based on thumbprint.

Is it possible?

Or can we run a custom validation script?


Please help.


Thanks,

Srikanth P Vasist

Michael Klishin

Jun 11, 2015, 9:25:22 AM
to rabbitm...@googlegroups.com, Srikanth P Vasist
On 11 June 2015 at 16:19:49, Srikanth P Vasist (spva...@gmail.com) wrote:
> {verify,verify_peer}
>
> This does a full chain validation of the client certificate.
> I actually want to validate based on thumbprint.
>
>
> Is it possible?
>
>
> Or can we run a custom validation script?

It is possible but not very easy.

You can provide an Erlang function as one of the ssl_options:
search for verify_fun on http://www.erlang.org/doc/man/ssl.html.

The problem is, for the function to be available at runtime, you need to develop
a tiny plugin and deploy it.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Michael Klishin

Jun 11, 2015, 9:35:42 AM
to rabbitm...@googlegroups.com, Srikanth P Vasist
On 11 June 2015 at 16:25:19, Michael Klishin (mkli...@pivotal.io) wrote:
> You can provide an Erlang function as one of the ssl_options:
> search for verify_fun on http://www.erlang.org/doc/man/ssl.html.
>
> The problem is, for the function to be available at runtime, you
> need to develop
> a tiny plugin and deploy it.

Actually, it may be possible to provide an inline function,
I haven't tried it in the RabbitMQ context.

Srikanth P Vasist

Jun 11, 2015, 1:00:35 PM
to rabbitm...@googlegroups.com, spva...@gmail.com
Hey Michael,
Thank you so much for your quick response.

I know it is too much to ask. I don't know Erlang. Could you please help with the method to fetch certificate's thumbprint and validate against a hardcoded one? I will try with inline first. If that doesn't work, then I will try build the plugin.

Thanks in advance!

Michael Klishin

Jun 11, 2015, 1:11:53 PM
to rabbitm...@googlegroups.com, Srikanth P Vasist
On 11 June 2015 at 20:00:38, Srikanth P Vasist (spva...@gmail.com) wrote:
> I don't know Erlang. Could you please help with the method to
> fetch certificate's thumbprint and validate against a hardcoded
> one?

Is thumbprint just another name for fingerprint?

Michael Klishin

Jun 11, 2015, 1:22:18 PM
to rabbitm...@googlegroups.com, Srikanth P Vasist
On 11 June 2015 at 20:11:51, Michael Klishin (mkli...@pivotal.io) wrote:
> is thumbprint just another name for fingerprint?

or this .NET property? (which is a SHA1 hash of the encoded certificate [1])

https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint%28v=vs.110%29.aspx

1. http://stackoverflow.com/questions/1270703/how-to-retrieve-compute-an-x509-certificates-thumbprint-in-java

Michael Klishin

Jun 11, 2015, 1:27:35 PM
to spva...@gmail.com, rabbitm...@googlegroups.com
On 11 June 2015 at 20:24:02, spva...@gmail.com (spva...@gmail.com) wrote:
> Yes. It looks something like "A6 86 91 CE E2 … 66 66 5E 61"

Thanks, so it's what openssl x509 -noout -fingerprint produces.

I'll take a look but no promises on the ETA.

Relevant Erlang modules:

http://www.erlang.org/doc/man/public_key.html
http://www.erlang.org/doc/apps/public_key/cert_records.html
http://www.erlang.org/doc/man/crypto.html (to calculate SHA-1)
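A verify_fun along the lines Michael describes, as an added example that is not from the thread or from RabbitMQ: it computes the SHA-1 thumbprint from the DER encoding using the public_key and crypto modules linked above and accepts only one pinned client certificate. The module name cert_pin, the pinned value (a constructed placeholder) and the {Module, Function, InitialUserState} form of the verify_fun option in rabbitmq.config are assumptions.

```erlang
%% cert_pin.erl (added example, not from the thread). Assumes the module is
%% compiled and on RabbitMQ's code path, e.g. via the tiny plugin Michael
%% mentions, and that the broker's ssl_options carry (assumed MFA form):
%%   {verify, verify_peer}, {fail_if_no_peer_cert, true},
%%   {verify_fun, {cert_pin, verify, []}}
-module(cert_pin).
-export([verify/3, fingerprint/1, matches_pin/1]).

-include_lib("public_key/include/public_key.hrl").

%% Placeholder pin (constructed value): the SHA-1 thumbprint of the one
%% client certificate to accept, as `openssl x509 -noout -fingerprint` prints it.
-define(PINNED, "A6:86:91:CE:E2:00:11:22:33:44:55:66:77:88:99:AA:66:66:5E:61").

%% SHA-1 over the DER encoding of the whole certificate, which is what the
%% .NET Thumbprint property and openssl's -fingerprint compute. Assumes that
%% re-encoding the decoded OTPCertificate reproduces the original DER bytes.
fingerprint(#'OTPCertificate'{} = Cert) ->
    Der  = public_key:pkix_encode('OTPCertificate', Cert, otp),
    Hash = crypto:hash(sha, Der),
    Hex  = [io_lib:format("~2.16.0B", [B]) || <<B>> <= Hash],
    lists:flatten(string:join(Hex, ":")).

%% Compare ignoring case and the ":" or " " separators in either form.
matches_pin(Cert) ->
    normalise(fingerprint(Cert)) =:= normalise(?PINNED).
normalise(Fp) -> [C || C <- string:to_upper(Fp), C =/= $:, C =/= $\s].

%% verify_fun callback (see verify_fun in the ssl module docs). It is called
%% once per certificate in the chain; the client's own certificate arrives
%% with the valid_peer event, chain errors with {bad_cert, Reason}.
verify(Cert, valid_peer, State) ->
    case matches_pin(Cert) of
        true  -> {valid, State};
        false -> {fail, {thumbprint_mismatch, fingerprint(Cert)}}
    end;
%% A chain error is tolerated only for the pinned certificate itself, so a
%% self-signed client cert that matches the pin is accepted and nothing else.
verify(Cert, {bad_cert, Reason}, State) ->
    case matches_pin(Cert) of
        true  -> {valid, State};
        false -> {fail, Reason}
    end;
%% Intermediate and root certificates that chained correctly: keep going.
verify(_Cert, valid, State) ->
    {valid, State};
%% Unknown extensions: let the ssl application apply its default handling.
verify(_Cert, {extension, _}, State) ->
    {unknown, State}.
```

Because a {bad_cert, _} event is only accepted when the certificate itself matches the pin, a rotated or revoked client certificate fails the handshake until the pinned value is updated, which is the behaviour to expect when pinning a single thumbprint.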