amqp-node / amqplib

AMQP 0-9-1 library and client for Node.JS

Home Page: https://amqp-node.github.io/amqplib/

How to disable peer verification at client side?

amitagarwal-dev opened this issue

Hi,
I am trying to connect to an SSL-enabled RabbitMQ server and I am getting the error below.

Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 10.10.10.142 is not in the cert's list:  

I know this error is coming because the CN in the server cert is different.
But how can I disable this check?
I tried passing `rejectUnauthorized: false` in the options to `amqp.connect(URL, opt)`, but I am getting the error below.

Error: `SASL mechanism PLAIN is not provided by the server`
    at onStart (/home/amit/Desktop/Server/PNB/FI_userauth/FI/node_modules/amqplib/lib/connection.js:204:12)  

I guess my client is falling back to the PLAIN auth mechanism.

Any idea how to resolve this?

Hi @amitagarwal-dev,
Afraid I'm not likely to be able to look at this for at least a couple of weeks. Does #604 help?

Hi @amitagarwal-dev,

I've created a repo testing out rejectUnauthorized here. When not present or true I get the ERR_TLS_CERT_ALTNAME_INVALID error the same as you. When false everything worked, but this was because my RabbitMQ server was configured to allow PLAIN authentication methods.

I updated the broker config to only allow EXTERNAL auth, and enabled the auth_mechanism_plugin and configured the socket options to use it. The broker refused the login because...

amqplib-696-my-rabbit-1  | 2022-07-26 19:08:51.389271+00:00 [error] <0.703.0> Error on AMQP connection <0.703.0> (172.18.0.1:61850 -> 172.18.0.2:5671, state: starting):
amqplib-696-my-rabbit-1  | 2022-07-26 19:08:51.389271+00:00 [error] <0.703.0> EXTERNAL login refused: user 'O=client,CN=smc-haven.local' - invalid credentials

At this point it's enough to be confident that amqplib is working correctly though. Providing your broker is configured with the EXTERNAL auth mechanism and can verify your client certificate I think things will work. If not, you'll need to reconfigure your broker or get legitimate certs since the client obviously can't tell the server not to verify them.

I got the authentication working by adding the user via the management plugin...

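Added example, not part of the thread or of amqplib's own code: one way to resolve the `ERR_TLS_CERT_ALTNAME_INVALID` mismatch from the original question while keeping chain verification on, by checking the broker certificate against the name it was issued for instead of the dialled IP. The name `rabbit.internal`, the helper names and the sample certificate objects are assumptions constructed for illustration.

```javascript
'use strict';
const tls = require('node:tls');

// Constructed stand-in for socket.getPeerCertificate(): a broker certificate
// issued for a DNS name only (hypothetical name), with no IP SAN.
const sampleBrokerCert = {
  subject: { CN: 'rabbit.internal' },
  subjectaltname: 'DNS:rabbit.internal',
};

// Hypothetical helper: build the socket options for amqp.connect(url, opts).
// The CA chain is still verified (rejectUnauthorized stays true); only the
// name the certificate is compared against changes, from the dialled IP to
// the name the certificate was actually issued for.
function buildSocketOptions({ expectedName, ca, cert, key }) {
  return {
    ca, cert, key,
    rejectUnauthorized: true,
    servername: expectedName, // also sent as SNI
    checkServerIdentity: (_dialledHost, peerCert) =>
      tls.checkServerIdentity(expectedName, peerCert),
  };
}

// Returns the error code Node would raise for this host/cert pair, or null.
function identityError(check, host, peerCert) {
  const err = check(host, peerCert);
  return err ? err.code : null;
}

const opts = buildSocketOptions({ expectedName: 'rabbit.internal' });
const otherCert = { subject: { CN: 'other.example' }, subjectaltname: 'DNS:other.example' };

// Default check, as reported in the issue: the dialled IP is not in the cert.
console.log(identityError(tls.checkServerIdentity, '10.10.10.142', sampleBrokerCert));
// Pinned name: accepts the broker cert, still rejects a cert for another host.
console.log(identityError(opts.checkServerIdentity, '10.10.10.142', sampleBrokerCert));
console.log(identityError(opts.checkServerIdentity, '10.10.10.142', otherCert));

// With amqplib installed (not run here), the options are passed as:
//   require('amqplib').connect('amqps://10.10.10.142:5671', opts)
```

The `ca`, `cert` and `key` fields are left unset in the sample call; in a real connection they carry the CA bundle that signed the broker certificate and the client certificate the broker verifies for EXTERNAL auth.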