activemq-users mailing list archives

From adam <adam.suss...@gmail.com>
Subject Re: Different SSL Certificates for transportConnector vs networkConnector
Date Wed, 05 Jan 2011 09:58:56 GMT


The JAAS Authentication stuff only works if the SSL handshake completes,
which is not the case here.  A java client (say an ActiveMQ client
transport) will abort the SSL handshake when talking to a broker which is
using a CLIENT ssl certificate when it should be using a SERVER certificate.
So you never even get to the JAAS stuff.  Not sure what other language
libraries do, but it would be better to follow the conventions.

Using a server certificate as a client certificate in a networkTransport
breaks for similar reasons, but even if it would work, it kind of defeats
the security model (in our case we have certificates signed by third parties
but also certificates signed by internal CAs, and that is crucial to our
model).

So not sure what to do here.

But maybe there's another way to accomplish what we are trying to do. 
Basically, we need to restrict which brokers can peer with each other and we
want to prevent someone from instantiating their own broker and peering
(network of brokers) with our "locked down" brokers without permission.  Our
plan was to use SSL client certificates and the JAAS authentication on the
signer name.  Is there another way?

-adam
-- 
View this message in context: http://activemq.2283324.n4.nabble.com/Different-SSL-Certificates-for-transportConnector-vs-networkConnector-tp3174842p3175149.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
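The receiving side of the setup Adam describes (server certificate on the transportConnector, mandatory client certificates, JAAS mapping of the presented certificate to a user) can be written as the following broker configuration. This is an added illustration, not configuration posted in the thread or shipped by the ActiveMQ project; the broker name, keystore and truststore paths, passwords and the realm name are placeholders, and it assumes the `sslContext`, `needClientAuth` and `jaasCertificateAuthenticationPlugin` options of ActiveMQ 5.x.

```xml
<!-- Added example, not from the thread. Assumed: ActiveMQ 5.x broker config.
     Paths, passwords, broker name and realm name are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">

  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="lockedDownBroker">

    <!-- broker.ks holds this broker's SERVER certificate (the one a Java client
         expects to see in the handshake). broker.ts holds only the CAs whose
         client certificates are allowed to connect: an internal CA for peer
         brokers, plus any third-party CA that signs client certificates. -->
    <sslContext>
      <sslContext keyStore="file:${activemq.conf}/broker.ks"
                  keyStorePassword="CHANGEME"
                  trustStore="file:${activemq.conf}/broker.ts"
                  trustStorePassword="CHANGEME"/>
    </sslContext>

    <!-- needClientAuth=true: a peer that cannot present a certificate chaining
         to a CA in broker.ts fails at the handshake, before any JAAS code runs. -->
    <transportConnectors>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
    </transportConnectors>

    <!-- Once the handshake succeeds, JAAS maps the presented certificate's
         subject DN to a broker user through the "activemq-cert" realm. -->
    <plugins>
      <jaasCertificateAuthenticationPlugin configuration="activemq-cert"/>
    </plugins>
  </broker>
</beans>
```

The `activemq-cert` realm lives in the broker's `login.config` and, with the stock module, reads `activemq-cert { org.apache.activemq.jaas.TextFileCertificateLoginModule required org.apache.activemq.jaas.textfiledn.user="dn.properties" org.apache.activemq.jaas.textfiledn.group="groups.properties"; };`, where `dn.properties` maps a user name to the full subject DN of an allowed certificate (for example `peer1=CN=broker2, O=Example Corp, C=US`, a constructed value). Note that the stock module keys on the subject DN, not on the signer; the trust boundary on the issuing CA is enforced by what is placed in `broker.ts`. This covers only the accepting side of a peering; which keystore a broker's own networkConnector presents when it dials out is the open question of this thread and is not resolved by the snippet.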
