x509 (TLS/SSL) certificate Authentication Mechanism for RabbitMQ
This repository has been moved to the main unified RabbitMQ "monorepo", including all open issues. You can find the source under /deps/rabbitmq_auth_mechanism_ssl. All issues have been transferred.
This plugin allows RabbitMQ clients authenticate using x509 certificates and TLS (PKI) peer verification mechanism instead of credentials (username/password pairs).
How it Works
When a client connects and performs TLS upgrade, the username is obtained from the client's TLS (x509) certificate. The user's password is not checked.
In order to use this mechanism the client must connect with TLS enabled, and present a client certificate.
A couple of examples:
auth_mechanisms.1 = PLAIN auth_mechanisms.1 = AMQPLAIN auth_mechanisms.1 = EXTERNAL
to allow this mechanism in addition to the defaults, or:
auth_mechanisms.1 = EXTERNAL
to allow only this mechanism and prohibit connections that use username and passwords.
For safety the server must be configured with the SSL option 'verify' set to 'verify_peer', to ensure that if an SSL client presents a certificate, it gets verified.
Username Extraction from Certificate
You can obtain this string form from a certificate with a command like:
openssl x509 -in path/to/cert.pem -nameopt RFC2253 -subject -noout
or from an existing amqps connection with commands like:
rabbitmqctl list_connections peer_cert_subject
To use the Common Name instead, set
auth_mechanisms.1 = EXTERNAL ssl_cert_login_from = common_name
Note that the authenticated user will then be looked up in the configured authentication / authorisation backend(s). This will be the internal node database by default but could include other backends if so configured.
Copyright & License
(c) 2007-2020 VMware, Inc. or its affiliates.
Released under the same license as RabbitMQ.