[💡 FEATURE REQUEST]: SSL Support for the AMQP driver. #1538

Closed
elythi0n opened this issue Apr 13, 2023 · 5 comments · Fixed by roadrunner-server/amqp#67
@elythi0n

Plugin

JOBS

I have an idea!

The problem is that you can't connect to a RabbitMQ instance that uses SSL (port 5671) with the current driver, and I'm requesting support for it:

e.g.

Config:

// Fields are exported so mapstructure can populate them; tags match the rr.yaml keys.
CACertificate     string `mapstructure:"ca_certificate"`
ClientCertificate string `mapstructure:"client_certificate"`
ClientKey         string `mapstructure:"client_key"`
ServerName        string `mapstructure:"server_name"`

Connection:

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// Load the CA bundle used to verify the broker's certificate.
caCert, err := os.ReadFile(conf.CACertificate)
if err != nil {
	return nil, errors.E(op, err)
}

// Load the client certificate and key presented to the broker.
cert, err := tls.LoadX509KeyPair(conf.ClientCertificate, conf.ClientKey)
if err != nil {
	return nil, errors.E(op, err)
}

// Fail early if the bundle contains no usable certificate.
rootCAs := x509.NewCertPool()
if !rootCAs.AppendCertsFromPEM(caCert) {
	return nil, errors.E(op, fmt.Errorf("no certificates found in %s", conf.CACertificate))
}

tlsConf := &tls.Config{
	RootCAs:      rootCAs,
	Certificates: []tls.Certificate{cert},
	ServerName:   conf.ServerName, // Optional
}

jb.conn, err = amqp.DialTLS(conf.Addr, tlsConf)
if err != nil {
	return nil, errors.E(op, err)
}

And then in rr.yaml:

amqp:
  addr: amqps://guest:[email protected]:5671
  ca_certificate: # path to cert
  client_certificate: # path to cert
  client_key: # path to key
  server_name: mydomain.com

This is just a rough example.

@elythi0n elythi0n added the C-feature-request Category: feature requested, but need to be discussed label Apr 13, 2023
@github-project-automation github-project-automation bot moved this to Backlog in General Apr 13, 2023
@rustatian
Member

Hey @marcosraudkett 👋🏻
This is a good idea 👍🏻 We should also support mTLS, I think, but I'm not sure if RabbitMQ supports it.

I will move this FR to the v2023.2.0 milestone for now.

@rustatian rustatian moved this from Backlog to Todo in General Apr 13, 2023
@rustatian rustatian added this to the v2023.2.0 milestone Apr 13, 2023
@andrei-dascalu

Will there be an option to disable peer verification? Could be useful for self-signed certificates to prevent errors due to missing CA.

@rustatian
Member

> Will there be an option to disable peer verification? Could be useful for self-signed certificates to prevent errors due to missing CA.

Are you referring to mTLS, am I right? An option to disable mutual TLS.

@rustatian
Member

If you're talking about this: https://www.rabbitmq.com/ssl.html#peer-verification-configuration, then yes, you'll be able to opt out of the mTLS verification.

@rustatian
Member

The feature is ready; it will be in the first beta release next Thursday.

Generally, it will be possible to verify the peer (mTLS) as well as to turn off that feature.

@github-project-automation github-project-automation bot moved this from Todo to Unreleased in General May 20, 2023
@rustatian rustatian moved this from Unreleased to Done in General Jul 6, 2023
@rustatian rustatian mentioned this issue Jul 6, 2023