As per the following page about TLS support in RabbitMQ, a depth parameter was introduced some time back to support Certificate Chains and Verification using Depth.
The page says:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
When using a client certificate signed by an intermediate CA, it may be necessary to configure RabbitMQ server to use a higher verification depth.
The depth is the maximum number of non-self-issued intermediate certificates that may follow the peer certificate in a valid certification path. So if depth is 0 the peer (e.g. client) certificate must be signed by the trusted CA directly, if 1 the path can be "peer, CA, trusted CA", if it is 2 "peer, CA, CA, trusted CA", and so on. The default depth is 1.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
At our organization, due to the way the certs are created here, we need to use depth = 0 or 2. The default value 1 is not working for us. We use this community Chef cookbook to install and maintain RabbitMQ, but in the current version there is no way to set this "depth" parameter, though all other SSL parameters are present.
I am submitting this Pull Request to include the depth parameter in the SSL/TLS config section in the cookbook attributes and the rabbitmq config templates file.
Types of Changes
What types of changes does your code introduce to this project?
Put an x in the boxes that apply
[ ] Bug fix (non-breaking change which fixes issue #NNNN)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] Documentation (correction or otherwise)
[ ] Cosmetics (whitespace, appearance)
Checklist
Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask on the
mailing list. We're here to help! This is simply a reminder of what we are
going to look for before merging your code.
[ ] I have added tests that prove my fix is effective or that my feature works
[ ] I have added necessary documentation (if appropriate)
[ ] Any dependent changes have been merged and published in related repositories
Further Comments
If this is a relatively large or complex change, kick off the discussion by
explaining why you chose the solution you did and what alternatives you
considered, etc.
@michaelklishin - I have created this new PR after closing the prior one, #596, as I was having a hard time restoring the metadata.rb file and adding it back to the original PR. I hope this one looks fine.
https://www.rabbitmq.com/ssl.html#peer-verification-depth
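The depth rule quoted in the PR description, worked through as an added example (not part of the pull request or the cookbook). It uses Ruby's OpenSSL bindings on a constructed chain; the helper names `issue`, `issued_by?`, `required_depth` and `accepted?` are hypothetical, and the walk models only the counting rule from the quoted documentation, not RabbitMQ's own verification code.

```ruby
require "openssl"

# Constructed test PKI: issue a certificate for `cn`, signed by `issuer`
# (self-signed when nil). Extensions are omitted; only names and signatures are checked.
def issue(cn, issuer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..1_000_000)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# True when `child` names `parent` as its issuer and carries its signature.
def issued_by?(child, parent)
  child.issuer.cmp(parent.subject).zero? && child.verify(parent.public_key)
end

# Smallest `depth` at which the path from `peer` to a trusted CA is valid:
# the number of intermediates that follow the peer. nil when no path exists.
def required_depth(peer, intermediates, trusted)
  current = peer
  (0..intermediates.size).each do |depth|
    return depth if trusted.any? { |ca| issued_by?(current, ca) }
    current = intermediates.find { |c| issued_by?(current, c) && !issued_by?(c, c) }
    return nil unless current
  end
  nil
end

# Would a server configured with this `depth` accept the chain?
def accepted?(peer, intermediates, trusted, depth)
  needed = required_depth(peer, intermediates, trusted)
  !needed.nil? && needed <= depth
end

# Constructed chain: root -> intermediate 1 -> intermediate 2 -> client.
ROOT   = issue("Constructed Root CA")
INT1   = issue("Constructed Intermediate 1", ROOT)
INT2   = issue("Constructed Intermediate 2", INT1)
DIRECT = issue("client-direct", ROOT)
DEEP   = issue("client-deep", INT2)
INTERMEDIATES = [INT1[:cert], INT2[:cert]].freeze
```

Running `required_depth` against a client certificate, the intermediates it is deployed with and the CA bundle the server trusts gives the smallest value the depth setting can take for that client.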