[💡 FEATURE REQUEST]: SSL Support for the AMQP driver. #1538

Closed
marcosraudkett opened this issue Apr 13, 2023 · 5 comments · Fixed by roadrunner-server/amqp#67

@marcosraudkett

Plugin

JOBS

I have an idea!

The problem is that you can't connect to RabbitMQ that uses SSL (port 5671) with the current driver and I'm requesting support for it:

e.g.

Config:

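// Fields are exported so that mapstructure can populate them.
CACertificate     string `mapstructure:"ca_certificate"`
ClientCertificate string `mapstructure:"client_certificate"`
ClientKey         string `mapstructure:"client_key"`
ServerName        string `mapstructure:"server_name"`

Connection:

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// Load the CA bundle used to verify the broker's certificate.
caCert, err := os.ReadFile(conf.CACertificate)
if err != nil {
	return nil, errors.E(op, err)
}

// Load the client certificate and private key presented to the broker.
cert, err := tls.LoadX509KeyPair(conf.ClientCertificate, conf.ClientKey)
if err != nil {
	return nil, errors.E(op, err)
}

rootCAs := x509.NewCertPool()
// AppendCertsFromPEM reports false when no certificate could be parsed.
if !rootCAs.AppendCertsFromPEM(caCert) {
	return nil, errors.E(op, fmt.Errorf("no CA certificate found in %s", conf.CACertificate))
}

tlsConf := &tls.Config{
	RootCAs:      rootCAs,
	Certificates: []tls.Certificate{cert},
	ServerName:   conf.ServerName, // Optional
}

// Pass the address as-is: using it as a format string would mangle any '%' in the URL.
jb.conn, err = amqp.DialTLS(conf.Addr, tlsConf)
if err != nil {
	return nil, errors.E(op, err)
}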

And then in rr.yaml:

amqp:
  addr: amqps://guest:guest@mydomain.com:5671
  ca_certificate: # path to the CA certificate
  client_certificate: # path to the client certificate
  client_key: # path to the client private key
  server_name: mydomain.com

This is just a rough example.

@marcosraudkett marcosraudkett added the C-feature-request Category: feature requested, but need to be discussed label Apr 13, 2023
@rustatian
Member

Hey @marcosraudkett 👋🏻
This is a good idea 👍🏻 We should also support mTLS, I think, but I'm not sure if RabbitMQ supports it.

I will move this FR to the v2023.2.0 milestone for now.

@rustatian rustatian added this to the v2023.2.0 milestone Apr 13, 2023
@andrei-dascalu

Will there be an option to disable peer verification? Could be useful for self-signed certificates to prevent errors due to missing CA.

@rustatian
Member

> Will there be an option to disable peer verification? Could be useful for self-signed certificates to prevent errors due to missing CA.

Are you referring to mTLS, am I right? An option to disable mutual TLS.

@rustatian
Member

If you're talking about this: https://www.rabbitmq.com/ssl.html#peer-verification-configuration, then yes, you'll be able to opt out of the mTLS verification.

@rustatian
Member

The feature is ready and will be in the first beta release next Thursday.

Generally, it will be possible to verify the peer (mTLS) as well as to turn that feature off.
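
Added example, not part of the thread or of RoadRunner's code: for the self-signed case raised above, the broker's certificate can be loaded as the trusted CA so that peer verification stays enabled instead of being switched off. `pinnedTLS`, `selfSigned` and `verifyPeer` are hypothetical helpers, and the certificates are generated in memory as constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// pinnedTLS (hypothetical helper) trusts only the certificates in caPEM, so a
// self-signed broker certificate verifies without setting InsecureSkipVerify.
func pinnedTLS(caPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no certificate found in CA PEM")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// selfSigned builds a throwaway self-signed certificate (constructed sample data).
func selfSigned(host string) ([]byte, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), leaf
}

// verifyPeer applies the chain and hostname checks a TLS client runs in the handshake.
func verifyPeer(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

func main() {
	brokerPEM, broker := selfSigned("mydomain.com")
	_, other := selfSigned("mydomain.com") // same name, different key
	cfg, _ := pinnedTLS(brokerPEM, "mydomain.com")
	fmt.Println("pinned cert:", verifyPeer(cfg, broker), "| unpinned cert:", verifyPeer(cfg, other))
}
```

The pinned certificate verifies, while a certificate with the same name but a different key is rejected, which is the check that disabling peer verification would give up.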
