On 04/13/2011 06:59 PM, Jakub Scholz wrote:
Hi,
The Apache Qpid / Red Hat MRG broker supports the EXTERNAL client
authentication mechanism, where the SSL certificate should be used for
client authentication. The username is in such a case taken from the
certificate subject. The certificates used for the authentication are
stored using the Certificate Database tool (certutil). This database
contains the server private key (which seems to be working fine) as
well as the certificates / public keys necessary to authenticate the
clients.
Not sure if I am correctly understanding, but you don't need to have the
client certificates in the server database. You just need to have the
server trust the CA that issued the client certificate.
The client certificate needs to be in the certificate database used by
the client only.
Does this address the question or am I misunderstanding?
The certificates used for client authentication can be loaded into the
database with different trust flags (valid peer, trusted peer, trusted
CA etc.). However, it seems that only the certificates with flag T
(trusted CA) can be used for authentication. If the certificate is
stored as a peer, it seems to be ignored by the broker:
2011-03-27 17:14:16 error Error reading socket: Unable to find the
certificate or key necessary for authentication. [-12285]
Unfortunately, the flag "T" means that such a certificate is a trusted
Certification Authority and, as such, it can sign other certificates
with different usernames in subject. These are then successfully
authenticated and logged in. Therefore, it does not really secure the
access to the broker.
How is the EXTERNAL authentication supposed to work? The documentation
describes mainly the PLAIN mechanism and eventually the
KERBEROS/GSSAPI mechanism. But it mentions the EXTERNAL mechanism only
on a few occasions ...
Thanks & Regards
Jakub Scholz
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
---------------------------------------------------------------------
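The trust-flag problem described in the thread, as an added example that is not part of the original mail or of the Qpid/NSS code. It uses the Python `cryptography` library to build a small scenario: the broker operator loads the client "alice"'s self-signed certificate with the "T" flag, so the broker treats it as a CA and accepts any certificate alice's key signs, including one whose subject says "admin". Pinning the exact enrolled certificate (by SHA-256 fingerprint, as an NSS "P" peer entry would) accepts only alice. Chain validation is simplified to a single signature check over `tbs_certificate_bytes`; the names "alice", "admin", the one-day validity and the Ed25519 keys are all constructed for the demo.

```python
"""Added example (not Qpid/NSS code): a client cert trusted as a CA ("T")
authenticates every cert it signs; a pinned peer cert authenticates itself only."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID


def make_cert(subject_cn, issuer_cn, signing_key, public_key):
    """Build a minimal Ed25519 certificate (self-signed or CA-signed) for the demo."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))  # constructed validity window
        .sign(signing_key, algorithm=None)  # Ed25519 has its hash built in
    )


def username_if_trusted_ca(cert, trusted_ca_cert):
    """Simplified model of the 'T' flag: any cert whose signature verifies under
    the trusted certificate's key authenticates, and the username is read from
    its subject CN. Real chain validation also checks validity dates, extensions
    and path constraints; the signature alone is enough to show the problem."""
    try:
        trusted_ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return None
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def username_if_pinned_peer(cert, pinned):
    """Model of peer pinning: only a pre-enrolled certificate, matched by its
    SHA-256 fingerprint, authenticates. Nothing it signs is trusted transitively."""
    return pinned.get(cert.fingerprint(hashes.SHA256()))


def demo():
    """Constructed scenario; returns the usernames each model would accept."""
    # alice enrols a self-signed client certificate with the broker operator.
    alice_key = Ed25519PrivateKey.generate()
    alice_cert = make_cert("alice", "alice", alice_key, alice_key.public_key())

    # With alice's cert trusted as a CA, alice can mint a cert for any subject.
    forged_key = Ed25519PrivateKey.generate()
    forged_cert = make_cert("admin", "alice", alice_key, forged_key.public_key())

    # An unrelated party presenting a self-signed "admin" cert: rejected by both.
    stranger_key = Ed25519PrivateKey.generate()
    stranger_cert = make_cert("admin", "admin", stranger_key, stranger_key.public_key())

    pinned = {alice_cert.fingerprint(hashes.SHA256()): "alice"}
    presented = (alice_cert, forged_cert, stranger_cert)
    return {
        "ca_model": [username_if_trusted_ca(c, alice_cert) for c in presented],
        "peer_model": [username_if_pinned_peer(c, pinned) for c in presented],
    }


if __name__ == "__main__":
    print(demo())  # ca_model accepts "alice" and the forged "admin"; peer_model accepts only "alice"
```

The middle entry of each list is the one that matters: under the CA model the forged certificate logs in as "admin", which is exactly the behaviour the mail reports for certificates loaded with the "T" flag, while the pinned-peer model rejects it because the fingerprint was never enrolled.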