[erlang-questions] SSL peer certificate verification - RabbitMQ

Bloom, Adam Adam.Bloom@REDACTED
Mon Jun 5 20:27:02 CEST 2017


Hoping that one of you knows some secrets you can impart to me to get SSL peer verification working from RabbitMQ. I’ve been digging through the source code of the underlying Erlang SSL library to no avail. In particular, I’m struggling to understand the depth setting. According to the docs (http://erlang.org/doc/man/ssl.html):

{depth, integer()}
Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly; if 1 the path can be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 1.

I have two certificates (client and server) signed by the same intermediate CA. I would like to restrict RabbitMQ to only accept connections from this (and potentially one more) intermediate CA. My initial thought was to set depth to 0 and place the intermediate CA (followed by the root CA) in the CA cert file. If I do this, the client is unable to connect and the server logs the following error:
SSL: certify: ssl_handshake.erl:1627:Fatal error: handshake failure - {bad_cert,max_path_length_reached}.

If I change depth to 1, the connection works. RabbitMQ also allows a cert signed by another intermediate CA (same root) to connect, which is what I’d like to prevent. This follows from the ssl man page though.

Can someone please advise me on the proper use of the “depth” setting in the Erlang ssl library such that only certificates signed by the trusted intermediate are able to connect? Do I need to remove the root CA from the CA cert file and explore partial_chain handlers?

Here are my current ssl_options settings from RabbitMQ:

{ssl_options, [
    {cacertfile, "/etc/rabbitmq/certs/cacert.pem"},
    {certfile, "/etc/rabbitmq/certs/cert.pem"},
    {keyfile, "/etc/rabbitmq/certs/key.pem"},
    {verify, verify_peer},
    {depth, 1},
    {fail_if_no_peer_cert, true},
    {versions, ['tlsv1.2']}
]}

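The partial_chain route the post asks about, as an added example (not code from the original post, from RabbitMQ or from the Erlang ssl library). The idea is to make the intermediate itself the trust anchor: the CA file holds only the intermediate, the root is deliberately left out so that no validation path can bypass the callback, and the `{partial_chain, Fun}` ssl option claims the pinned intermediate as the trusted CA whenever the peer presents it. Because path validation then starts at the intermediate, the quoted depth semantics give exactly what the post wants: depth 0 means the peer certificate must be signed directly by the pinned intermediate, so a sibling intermediate under the same root is rejected with unknown_ca. The module name, file paths and listen port are assumptions for the example.

```erlang
%% ca_pin.erl: added example, not code from the original post or from RabbitMQ.
%% Pins one intermediate CA via the ssl {partial_chain, Fun} option so that only
%% peers whose chain contains that exact intermediate are accepted. The module
%% name, file paths and the port in the usage comment are assumptions.
-module(ca_pin).
-export([partial_chain/2, listen_opts/0, load_der/1]).

%% Assumed locations. cacert.pem is expected to hold ONLY the intermediate CA,
%% not the root: with the root absent there is no path to trust that does not
%% go through the partial_chain callback below.
-define(INTERMEDIATE_PEM, "/etc/rabbitmq/certs/cacert.pem").
-define(CERT_PEM,         "/etc/rabbitmq/certs/cert.pem").
-define(KEY_PEM,          "/etc/rabbitmq/certs/key.pem").

%% DER bytes of the first CERTIFICATE entry in a PEM file.
load_der(PemFile) ->
    {ok, Pem} = file:read_file(PemFile),
    [{'Certificate', Der, not_encrypted} | _] =
        [Entry || {'Certificate', _, _} = Entry <- public_key:pem_decode(Pem)],
    Der.

%% The partial_chain callback, closed over the pinned intermediate. It receives
%% the DER certificates the peer presented and must answer {trusted_ca, Der}
%% with an element of that list, or unknown_ca. The whole list is searched
%% rather than assuming a position, and the match is on the exact DER bytes, so
%% only the intermediate on disk can ever become the trust anchor; a chain that
%% goes through a sibling intermediate (same root) gets unknown_ca.
partial_chain(PinnedDer, Chain) ->
    case lists:member(PinnedDer, Chain) of
        true  -> {trusted_ca, PinnedDer};
        false -> unknown_ca
    end.

%% ssl options for a listener. With the pinned intermediate as the only anchor,
%% depth 0 requires the peer certificate to be signed by it directly, which also
%% rejects any sub-CA issued under the pinned intermediate.
listen_opts() ->
    Pinned = load_der(?INTERMEDIATE_PEM),
    [{cacertfile, ?INTERMEDIATE_PEM},
     {certfile, ?CERT_PEM},
     {keyfile, ?KEY_PEM},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true},
     {depth, 0},
     {partial_chain, fun(Chain) -> partial_chain(Pinned, Chain) end},
     {versions, ['tlsv1.2']}].

%% Exercising it from an erl shell (port is an assumption):
%%   ssl:start(),
%%   {ok, LSock} = ssl:listen(8443, ca_pin:listen_opts()),
%%   {ok, Sock}  = ssl:transport_accept(LSock),
%%   ok = ssl:ssl_accept(Sock).   %% ssl:handshake/1 on newer OTP releases
```

To admit a second intermediate, load both DER blobs and return whichever one `lists:member/2` finds in the presented chain; the rest of the options stay the same. The example wires the fun into a plain `ssl:listen/2` call; how a fun is carried into RabbitMQ's own ssl_options configuration is a separate question that this example does not answer.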
