Support sending client certificates for remote verification over SSL/TLS #24

Open
ohookins opened this issue Apr 2, 2013 · 4 comments

@ohookins

ohookins commented Apr 2, 2013

I'm not sure if this is a limitation of Eventmachine so feel free to let me know if so, but currently there is no way to send the client certificate to the peer for verification when using an SSL connection.

You end up seeing something like this:

Apr  2 13:51:05 ubuntu stunnel: LOG5[21813:3073223488]: Service amqp-server accepted connection from 192.168.1.10:44798
Apr  2 13:51:05 ubuntu stunnel: LOG3[21813:3073223488]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Apr  2 13:51:05 ubuntu stunnel: LOG5[21813:3073223488]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

On a somewhat related note, if you enable :verify_peer: true in the SSL configuration hash, this also fails as amq-client does not implement the ssl_verify_peer() method that Eventmachine will call on the EventMachine::Connection class. This causes the ruby-amqp end to disconnect early right now, I guess because nothing is handling the verification.

@michaelklishin
Member

EventMachine probably supports this but the only way to know is by reading the source.

@ohookins
Author

ohookins commented Apr 2, 2013

Actually it does seem to work, if you put the client certificate first in the cert chain file.

Anyhoo, verify peer would still be nice. Is there a nice way of exposing this to the connection object or something else?

@michaelklishin
Member

Adding peer verification should be pretty straightforward, feel free to submit a pull request.
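One way to implement the `ssl_verify_peer` handler that the opening comment and this reply are talking about, as an added example that is not amq-client's or EventMachine's own code; `PeerCertVerifier`, `setup_verifier`, `make_cert` and `demo_verification` are assumed names, and the CA and client certificates are constructed in-process:

```ruby
require 'openssl'

# Mixin for a hypothetical EventMachine::Connection subclass (EventMachine is
# not loaded here). After start_tls(:verify_peer => true) EventMachine calls
# ssl_verify_peer(pem) once per certificate the peer presents and aborts on false.
module PeerCertVerifier
  def setup_verifier(ca_pems) # PEM strings of the CAs this side trusts
    @trust_store = OpenSSL::X509::Store.new
    ca_pems.each { |pem| @trust_store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
    @verified_chain = []
  end

  def ssl_verify_peer(pem)
    cert = OpenSSL::X509::Certificate.new(pem)
    # Chain-verify against the trust store; certificates already accepted on
    # this connection serve as untrusted intermediates.
    ok = @trust_store.verify(cert, @verified_chain)
    @verified_chain << cert if ok
    ok
  rescue OpenSSL::X509::CertificateError
    false # unparsable PEM: reject instead of raising inside the reactor
  end
end

# Constructed test material: returns [cert, key]; self-signed when issuer is nil.
def make_cert(subject, issuer = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# A cert our CA signed passes; a self-signed impostor and junk input do not.
def demo_verification
  ca = make_cert("/CN=Constructed Test CA", ca: true)
  conn = Object.new.extend(PeerCertVerifier)
  conn.setup_verifier([ca[0].to_pem])
  { signed: conn.ssl_verify_peer(make_cert("/CN=amqp-client", ca)[0].to_pem),
    rogue: conn.ssl_verify_peer(make_cert("/CN=amqp-client")[0].to_pem),
    garbage: conn.ssl_verify_peer("not a certificate") }
end
```

Because EventMachine hands the handler one certificate at a time, a real connection should also confirm in `ssl_handshake_completed` that at least one certificate was accepted before sending any AMQP frames.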
