RabbitMQ CRL Configuration

Tags: crl, erlang, rabbitmq

I've been trying to find available options for configuring CRL checking within RabbitMQ. RabbitMQ in turn seems to rely on Erlang's SSL library. Unfortunately, I know very little about Erlang, so it has been difficult for me to understand:

  • The exact syntax of an HTTP timeout-based CRL approach (and if this is automagically pulled from the cert's CRL info)
  • If a local-file based CRL approach is available out of the box

Examples of the crl_cache configuration option have been hard to find. Does anyone have further information on this?

Best Answer

Starting with the configuration example from the RabbitMQ TLS support page, add the crl_check and crl_cache options like this:

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                    {certfile,"/path/to/server/cert.pem"},
                    {keyfile,"/path/to/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false},
                    {crl_check, true},
                    {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}]}
   ]}
].

Setting crl_check to true means that CRLs will be checked for the entire certificate chain, and if any CRL is missing validation will fail. You could set it to peer or best_effort instead; see the Erlang ssl module documentation for details.

In the sample above, I activated downloading of CRLs by HTTP, with a timeout of 5 seconds (5000 milliseconds). The URL is taken from the cRLDistributionPoints extension in the certificate.


There is currently no local-file based CRL approach available out of the box, but I have submitted a pull request that lets you get CRLs from a local directory the same way Apache does it.
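The rabbitmq.config fragment above is handed straight to Erlang's ssl module, so the same option list can be used from plain Erlang to see what each crl_check mode does and to check from the client side that a listener really refuses a revoked or unverifiable chain. The module below is an added example, not code from the answer, from RabbitMQ or from OTP; the certificate paths, the host name and the port it is called with are assumptions, and the CRL file passed to preload_crl/2 is assumed to be a PEM-encoded CertificateList.

```erlang
%% crl_demo.erl (added example, not part of the original answer).
%% Shows the Erlang `ssl` syntax that the rabbitmq.config ssl_options list is
%% passed through to, for each crl_check mode, and exercises it by opening a
%% TLS connection as a client. Paths below are assumptions.
-module(crl_demo).
-export([ssl_options/1, connect/2, preload_crl/2]).

-define(CA,   "/path/to/testca/cacert.pem").   %% assumed paths
-define(CERT, "/path/to/client/cert.pem").
-define(KEY,  "/path/to/client/key.pem").

%% Mode is one of true | peer | best_effort, exactly as the ssl module accepts:
%%   true        - revocation is checked for every certificate in the chain;
%%                 a CRL that cannot be fetched fails the handshake
%%   peer        - only the peer certificate is checked, not the issuing CAs
%%   best_effort - a certificate whose status cannot be determined is accepted
ssl_options(Mode) when Mode =:= true; Mode =:= peer; Mode =:= best_effort ->
    [{cacertfile, ?CA},
     {certfile, ?CERT},
     {keyfile, ?KEY},
     {verify, verify_peer},
     {crl_check, Mode},
     %% internal cache: CRLs are fetched over HTTP from the URL in each
     %% certificate's cRLDistributionPoints extension, giving up after 5000 ms
     {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}].

%% Open a TLS connection to Host:Port with the given crl_check mode and report
%% whether the server's certificate chain passed revocation checking.
connect(Mode, {Host, Port}) ->
    {ok, _} = application:ensure_all_started(ssl),
    case ssl:connect(Host, Port, ssl_options(Mode), 5000) of
        {ok, Sock} ->
            ok = ssl:close(Sock),
            {ok, Mode};
        {error, Reason} ->
            %% with crl_check true, an unreachable CRL shows up here as an
            %% error rather than as a silently accepted connection
            {error, Mode, Reason}
    end.

%% Seed the internal cache from a local PEM file, keyed by the distribution
%% point URI that the certificates name, using ssl_crl_cache:insert/2 from OTP.
%% This is a one-off load, not the Apache-style directory lookup mentioned in
%% the answer, and the cache is still consulted with the HTTP fallback above.
preload_crl(DistPointURI, CrlPemFile) when is_list(DistPointURI) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl_crl_cache:insert(DistPointURI, {file, CrlPemFile}).
```

Compile with `erlc crl_demo.erl`, then from `erl` run `crl_demo:connect(true, {"rabbit.example.internal", 5671}).` (host and port assumed) against the configured listener; the same call with `best_effort` succeeds even when the CRL URL is unreachable, which is the difference to keep in mind when choosing a mode for a broker that must fail closed.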
