TLS Peer Verification: Do not fail if client certificate does not contain expected value for extended key usage extension

[codegeass1]

TLS Peer Verification: Do not fail if client certificate does not contain expected value for extended key usage extension

In order to enable TLS Peer Verification, I have added to Rabbitmq config (apart from TLS encryption), this config to force rabbitmq to fail if client does not present a valid certificate signed by a trusted authority.

ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem

ssl_options.verify = verify_peer
ssl_options.depth  = 2
ssl_options.fail_if_no_peer_cert = true

On client side, I have added to configuration the usage a certificate when establishing connection to Rabbitmq. This certificate has on its extension 'Extended Key Usage' set to TLS Web Server Authentication.

I do have this error when client connects to Rabbitmq :

[notice] <0.979.0> TLS server: In state wait_cert at ssl_handshake.erl:2113 generated SERVER ALERT: Fatal - Handshake Failure
**[notice] <0.979.0> - {bad_cert,invalid_ext_key_usage}**

From what I understood, I have this error because the client presents a certificate with extension 'Extended Key Usage' set to TLS Web Server Authentication instead of TLS Web Client Authentication.

Set this restriction as an option

Is it possible to have an option that let us control this validation ? The main verification is that the presented certificate is signed by a trusted authority right ?

Alternative Solution

Option could be like: ssl_options.client.check_ext_key_usage=boolean

Additional context

(For some reason, my company does not deliver certificates with that value of extension.)

[michaelklishin]

RabbitMQ does not implement TLS. Erlang/OTP does. I believe how the extended key usage extensions are treated is covered by one of the PKI RFCs. It's not something that a TLS implementation can change because it would be convenient in some cases.