Better docs.
Authenticates the user, obtaining the username from the client's
SSL certificate. The user's password is not checked.

In order to use this mechanism the client must connect over SSL, and
present a client certificate.

For safety the server must be configured with the SSL options
fail_if_no_peer_cert set to true and verify set to verify_peer, to
force all SSL clients to have a verifiable client certificate.

By default this will set the username to an RFC4514-ish string form of
the certificate's subject's Distinguished Name, similar to that
produced by OpenSSL's "-nameopt RFC2253" option.

You can obtain this string form from a certificate with a command like:

$ openssl x509 -in path/to/cert.pem -nameopt RFC2253 -subject -noout

or from an existing amqps connection with commands like:

$ rabbitmqctl list_connections peer_cert_subject

To use the Common Name instead, set:

{rabbitmq_auth_mechanism_ssl, [{name_from, common_name}]}

in your configuration.

Note that the authenticated user will then be looked up in the
configured authentication / authorisation backend(s) - this will be
the mnesia-based user database by default, but could include other
backends if so configured.
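
The settings described above, placed together in one classic-format rabbitmq.config, with the weak value noted beside each required one. This is an added example, not part of the plugin's own documentation. Assumptions: the listener port, the certificate paths (placeholders) and the auth_mechanisms entry naming 'EXTERNAL' come from general RabbitMQ configuration, not from the text above.

```erlang
%% rabbitmq.config -- added example; all file paths are placeholders.
[
  {rabbit, [
    %% Assumed listener port for amqps connections.
    {ssl_listeners, [5671]},

    %% Assumption (not stated on this page): the mechanism is offered
    %% to clients under the SASL name 'EXTERNAL'.
    {auth_mechanisms, ['EXTERNAL']},

    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate.pem"},
      {certfile,   "/path/to/server_certificate.pem"},
      {keyfile,    "/path/to/server_key.pem"},

      %% Required. With {verify, verify_none} the server does not
      %% validate a client certificate chain against cacertfile, so
      %% the subject the username is taken from cannot be trusted.
      {verify, verify_peer},

      %% Required. With {fail_if_no_peer_cert, false} a client that
      %% sends no certificate can still complete the handshake.
      {fail_if_no_peer_cert, true}
    ]}
  ]},

  %% Optional: take the username from the certificate's Common Name
  %% instead of the full Distinguished Name string (the default).
  {rabbitmq_auth_mechanism_ssl, [
    {name_from, common_name}
  ]}
].
```

Because the password is not checked, the username you create in the backend has to match the string the server derives from the certificate exactly; compare it against the peer_cert_subject output shown above.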