rabbitmq / rabbitmq-server

Open source RabbitMQ: core server and tier 1 (built-in) plugins
https://www.rabbitmq.com/

A way to authenticate using an x509 certificate #2614

Open pawellrus opened 5 years ago

pawellrus commented 5 years ago

Hello. It would be nice if users could authenticate in the management plugin using a certificate instead of the standard login-password pair. The feature is needed in secure environments where using a login/password is not enough to provide the needed security level.

The last unsuccessful attempt at setting up this feature is described here: https://groups.google.com/forum/#!msg/rabbitmq-users/8bP02qvKDUk/lyZIhYVXAAAJ

lukebakken commented 5 years ago

The feature is needed in secure environments where using a login/password is not enough to provide the needed security level

That's not an accurate statement. The "workaround" I describe in that rabbitmq-users post is exactly as secure as using a client certificate for authentication, it just requires that a username and password be passed along with the certificate as the username is not extracted from the Subject: field of the x509 cert.

The password becomes superfluous in my workaround since the client is required to present an x509 certificate that the server verifies against its list of known, trusted CAs ({verify, verify_peer} setting).

Supporting client certificate authentication where the username is extracted from the Subject: field is a nice feature, but it won't be any more secure than what I have described.

michaelklishin commented 5 years ago

I don't buy into the "more secure" argument either. Use HTTPS and generated credentials (or OAuth 2/JWT tokens in 3.8.0) and you will be as secure as using x509 certificates: same encryption, MitM attack mitigation means, and credential generation options. The only difference is that the credentials won't be coming from the certificate. I'd argue that JWT tokens would be even more secure; at least they offer some additional protection against tampering and have an expiration date.

We already have an x509 certificate-based authentication mechanism that covers all messaging protocols. It would be nice to extend it to the HTTP API but not so much for the management UI. I think the biggest gain would be for WebSocket users.

So I'll leave this issue open as a reasonable request, even if it's not going to be particularly popular (most HTTP users love the fact that client certificates are not required, for example). @essen is there any prior art in the Cowboy land for x509 certificate authentication of HTTPS clients?

essen commented 5 years ago

Ranch has had the following tutorial for some time: https://ninenines.eu/docs/en/ranch/2.0/guide/ssl_auth/

It does not extract a username at all; it gets some unique information from the certificate which can be compared with the server's configuration or data. This allows each user to have a separate certificate if necessary.

It's not hard to implement on the server side at all; the only difficulty is figuring out how this should be configured.
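As an added example (not code from rabbitmq-server, Ranch or any of the commenters), the following Go program shows the two steps this thread describes: first the server verifies that the presented certificate chains to a CA it trusts (the `{verify, verify_peer}` step lukebakken refers to), and only then does it take a unique value from the certificate and compare it with its own configuration, as in the Ranch tutorial essen links. The CA names, the `pawel.example` subject and the user table are constructed for the example; using the Subject CN as the identifier is an assumption made here, not a description of how RabbitMQ's existing mechanism is configured.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn. With parent == nil it is self-signed
// (a CA); otherwise it is signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticate performs the server-side check: chain validation against the
// trusted CA pool first, then a lookup of the Subject CN in the user table.
// A certificate that fails either step yields no identity at all.
func authenticate(presented *x509.Certificate, trusted *x509.CertPool, users map[string]string) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	cn := presented.Subject.CommonName
	user, ok := users[cn]
	if !ok {
		return "", errors.New("trusted certificate, but no account is mapped to CN " + cn)
	}
	return user, nil
}

// Result collects the outcome of the three constructed cases.
type Result struct {
	TrustedUser    string // trusted CA, CN present in the user table
	UnknownCNErr   error  // trusted CA, CN absent from the user table
	UntrustedCAErr error  // same CN, but issued by a CA the server does not trust
}

// Scenario builds a throwaway PKI (constructed for this example) and runs the
// three cases through authenticate.
func Scenario() (Result, error) {
	var r Result
	opsCA, opsKey, err := newCert("Ops CA", true, nil, nil)
	if err != nil {
		return r, err
	}
	otherCA, otherKey, err := newCert("Other CA", true, nil, nil)
	if err != nil {
		return r, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(opsCA) // the server trusts exactly one CA
	users := map[string]string{"pawel.example": "pawel"} // constructed CN -> account table

	known, _, err := newCert("pawel.example", false, opsCA, opsKey)
	if err != nil {
		return r, err
	}
	unknown, _, err := newCert("stranger.example", false, opsCA, opsKey)
	if err != nil {
		return r, err
	}
	rogue, _, err := newCert("pawel.example", false, otherCA, otherKey)
	if err != nil {
		return r, err
	}
	if r.TrustedUser, err = authenticate(known, trusted, users); err != nil {
		return r, err
	}
	_, r.UnknownCNErr = authenticate(unknown, trusted, users)
	_, r.UntrustedCAErr = authenticate(rogue, trusted, users)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA, known CN   ->", r.TrustedUser)
	fmt.Println("trusted CA, unknown CN ->", r.UnknownCNErr)
	fmt.Println("untrusted CA, same CN  ->", r.UntrustedCAErr)
}
```

The third case is the one that matters for the "clear association" point raised later in the thread: a certificate carrying the right CN but issued by an untrusted CA never reaches the lookup, because the CA check runs first; and a certificate from the trusted CA whose CN has no account is rejected even though it verified, so the identity really comes from the server's own table rather than from whatever the client put in the Subject.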

jordanfranssen commented 4 years ago

Where my organization would like to see certificate-based authentication is for use with our smartcards. We would have the RabbitMQ Management Plugin only trust the CA of the certs on our smart cards, and then, when we go to the site, it would prompt us for the certificate which would, in turn, prompt us for our smart card's PIN. That way, we have two-factor authentication (I "have" the smart card and "know" the PIN) that is consistent with authentication mechanisms we use elsewhere.

I am using the SSL option that requires a client cert in the meantime, but what that lacks is a clear association between the cert being trusted and the account I am logging in as, so it does not quite meet our desired level of security. (It is still something I have and something I know, but I could "have" my smart card and "know" someone else's username and password.)

So, this is still something desired even if most would just use the workaround as I have or decide to forgo the Management Plugin.