How to disable peer verification at client side?
amitagarwal-dev opened this issue · comments
Hi,
I am trying to connect to an SSL-enabled RabbitMQ server and I am getting the error below.
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 10.10.10.142 is not in the cert's list:
I know this error occurs because the CN in the server cert is different.
But how can I disable this check?
I tried passing `rejectUnauthorized: false` in the options to `amqp.connect(URL, opt)`, but I am getting the error below.
Error: `SASL mechanism PLAIN is not provided by the server`
at onStart (/home/amit/Desktop/Server/PNB/FI_userauth/FI/node_modules/amqplib/lib/connection.js:204:12)
I guess my client is falling back to the PLAIN auth mechanism.
Any idea how to resolve this?
@cressie176 any idea?
Hi @amitagarwal-dev,
Afraid I'm not likely to be able to look at this for at least a couple of weeks. Does #604 help?
no
Hi @amitagarwal-dev,
I've created a repo testing out `rejectUnauthorized` here. When not present or true I get the `ERR_TLS_CERT_ALTNAME_INVALID` error the same as you. When false everything worked, but this was because my RabbitMQ server was configured to allow PLAIN authentication methods.
I updated the broker config to only allow EXTERNAL auth, and enabled the auth_mechanism_plugin and configured the socket options to use it. The broker refused the login because...
amqplib-696-my-rabbit-1 | 2022-07-26 19:08:51.389271+00:00 [error] <0.703.0> Error on AMQP connection <0.703.0> (172.18.0.1:61850 -> 172.18.0.2:5671, state: starting):
amqplib-696-my-rabbit-1 | 2022-07-26 19:08:51.389271+00:00 [error] <0.703.0> EXTERNAL login refused: user 'O=client,CN=smc-haven.local' - invalid credentials
At this point it's enough to be confident that amqplib is working correctly though. Providing your broker is configured with the EXTERNAL auth mechanism and can verify your client certificate I think things will work. If not, you'll need to reconfigure your broker or get legitimate certs since the client obviously can't tell the server not to verify them.
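
An alternative to switching verification off when the broker is dialled by IP, as an added example (not code from this thread or from amqplib): keep `rejectUnauthorized` on and check the certificate against the DNS name it was issued for. `pinnedNameOptions`, the name `rabbit.example.internal` and the sample certificate fields are assumptions constructed for illustration; only the IP comes from the error above.

```javascript
const tls = require('tls');

// Build the TLS socket options passed as the second argument of
// amqp.connect(url, opts). Chain verification stays on; only the name the
// certificate is matched against changes (expectedName instead of the IP).
function pinnedNameOptions(expectedName, extra = {}) {
  return {
    ...extra,                    // ca / cert / key buffers would go here
    rejectUnauthorized: true,    // chain must still validate against `ca`
    servername: expectedName,    // SNI value sent to the broker
    // Node passes the name it would check (servername or host); always
    // match the peer certificate's SAN/CN against expectedName instead.
    checkServerIdentity: (_name, cert) =>
      tls.checkServerIdentity(expectedName, cert),
  };
}

// Constructed certificate fields, shaped like what Node hands to
// checkServerIdentity for a broker cert issued to a DNS name only.
const sampleCert = {
  subject: { CN: 'rabbit.example.internal' },
  subjectaltname: 'DNS:rabbit.example.internal',
};
const otherCert = {
  subject: { CN: 'other.example.internal' },
  subjectaltname: 'DNS:other.example.internal',
};

function demo() {
  const opts = pinnedNameOptions('rabbit.example.internal');
  // Default behaviour: the IP from the URL is compared with the SAN list.
  const byIp = tls.checkServerIdentity('10.10.10.142', sampleCert);
  // Pinned behaviour: same cert, same dialled IP, matched by expected name.
  const pinned = opts.checkServerIdentity('10.10.10.142', sampleCert);
  // A certificate issued to a different name is still rejected.
  const wrong = opts.checkServerIdentity('10.10.10.142', otherCert);
  return {
    defaultCheck: byIp && byIp.code,
    pinnedCheck: pinned,
    otherCert: wrong && wrong.code,
  };
}

console.log(demo());
```

With amqplib the options object would be combined with the CA and client certificate material and, for a broker that only offers EXTERNAL, `credentials: require('amqplib').credentials.external()`.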