Custom hostname for TLS peer verification


Yuri Samoilenko

Dec 19, 2019, 5:10:29 PM
to Ruby RabbitMQ libraries

Hi.

Bunny::Transport with TLS enabled uses the same host for verification as the one it connects to:

@socket.post_connection_check(host) if @verify_peer

In our case we use a static common name like mq when generating the RabbitMQ certificate, but often this is not a resolvable hostname and we need to connect to a bare IP in the internal network.

So we need to be able to provide a custom peer name to Bunny for TLS verification:

bunny = Bunny.new({
   hostname: '172.22.22.22',
   tls: true,
   tls_cert: 'config/keys/cert.pem',
   tls_key: 'config/keys/key.pem',
   tls_ca_certificates: ['config/keys/cacert.pem'], # HERE "mq" in certificate attrs
   verify_peer_name: 'mq' # we need something like this (proposed option, not in Bunny today)
})

What do you think about it?


This is not a common scenario but then again, the whole SAN/CN comparison verification doesn't offer much protection anyway, only peer certificate chain traversal does.

You can use Bunny::Session#configure_socket to configure any socket settings before Bunny::Session#start is used to initiate a connection.



Thank you for the reply.
But there is no socket object before the Bunny::Session#start call, and an exception after... So there is no way to hack Bunny::Transport SSL verification, I think.


Michael Klishin

Dec 19, 2019, 5:45:44 PM
to Ruby RabbitMQ libraries
I don't have much to add. Bunny::Session#configure_socket exists for cases like this. It is supposed to be used
on an instantiated connection which was not yet "started" with Bunny::Session#start. Use it to configure the socket however
you like.
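An added example, not code from Bunny or from either poster, showing what the `post_connection_check(host)` call quoted above actually compares. It builds a throwaway self-signed certificate with CN=mq in memory (constructed test data, no network) and runs Ruby's own `OpenSSL::SSL.verify_certificate_identity`, the same check `post_connection_check` performs, against the connection IP, against the name "mq", and against a certificate that also carries the IP as a subjectAltName; the constant "172.22.22.22" is the example address from the thread.

```ruby
require "openssl"

# Build a self-signed certificate in memory. This is constructed test data,
# not a real RabbitMQ certificate: CN=common_name plus the given SAN entries.
def build_cert(common_name:, san_entries:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless san_entries.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension("subjectAltName", san_entries.join(","), false))
  end
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# The identity comparison OpenSSL::SSL::SSLSocket#post_connection_check runs:
# SAN dNSName / iPAddress entries first, falling back to CN only when no SAN exists.
def identity_matches?(cert, peer_name)
  OpenSSL::SSL.verify_certificate_identity(cert, peer_name)
end

# Three outcomes relevant to the thread.
def demo
  cn_only_cert = build_cert(common_name: "mq", san_entries: ["DNS:mq"])
  ip_san_cert  = build_cert(common_name: "mq", san_entries: ["DNS:mq", "IP:172.22.22.22"])
  {
    # What Bunny checks today when connecting by IP: the CN/SAN "mq" never matches.
    by_ip:     identity_matches?(cn_only_cert, "172.22.22.22"),
    # What a custom peer name would check: matches the certificate's DNS name.
    by_name:   identity_matches?(cn_only_cert, "mq"),
    # The alternative that needs no client change: issue the cert with an IP SAN.
    by_ip_san: identity_matches?(ip_san_cert, "172.22.22.22"),
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```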