| -rw-r--r-- | src/rabbit_access_control.erl | 8 | ||||
| -rw-r--r-- | src/rabbit_auth_mechanism_external.erl | 24 | ||||
| -rw-r--r-- | src/rabbit_reader.erl | 5 |
3 files changed, 23 insertions, 14 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 30bcc9f306..c15a4de9d2 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -109,14 +109,16 @@ user_pass_login(User, Pass) ->
 end.
 
 check_user_pass_login(Username, Pass) ->
+ Refused = {refused, io_lib:format("user '~s' - invalid credentials",
+ [Username])},
 case lookup_user(Username) of
 {ok, User} ->
 case check_password(Pass, User#user.password_hash) of
- true -> {ok, User};
- _ -> {refused, Username}
+ true -> {ok, User};
+ _ -> Refused
 end;
 {error, not_found} ->
- {refused, Username}
+ Refused
 end.
 
 internal_lookup_vhost_access(Username, VHostPath) ->
diff --git a/src/rabbit_auth_mechanism_external.erl b/src/rabbit_auth_mechanism_external.erl
index c0531bcca8..b21dd31366 100644
--- a/src/rabbit_auth_mechanism_external.erl
+++ b/src/rabbit_auth_mechanism_external.erl
@@ -62,27 +62,33 @@ init(Sock) ->
 {ok, C} ->
 CN = case rabbit_ssl:peer_cert_subject_item(
 C, ?'id-at-commonName') of
- not_found -> not_found;
+ not_found -> {refused, "no CN found"};
 CN0 -> list_to_binary(CN0)
 end,
 case config_sane() of
 true -> CN;
- false -> not_found
+ false -> {refused, "configuration unsafe"}
 end;
 {error, no_peercert} ->
- not_found;
+ {refused, "no peer certificate"};
 nossl ->
- not_found
+ {refused, "not SSL connection"}
 end,
 #state{username = Username}.
 
 handle_response(_Response, #state{username = Username}) ->
 case Username of
- not_found -> {refused, "CN not found"};
- _ -> case rabbit_access_control:lookup_user(Username) of
- {ok, User} -> {ok, User};
- {error, not_found} -> {refused, Username}
- end
+ {refused, _} = E ->
+ E;
+ _ ->
+ case rabbit_access_control:lookup_user(Username) of
+ {ok, User} ->
+ {ok, User};
+ {error, not_found} ->
+ %% This is not an information leak as we have to
+ %% have validated a client cert to get this far.
+ {refused, io_lib:format("user '~s' not found", [Username])}
+ end
 end.
 
 %%--------------------------------------------------------------------------
diff --git a/src/rabbit_reader.erl b/src/rabbit_reader.erl
index 57d82d80d6..bbecdbaaf8 100644
--- a/src/rabbit_reader.erl
+++ b/src/rabbit_reader.erl
@@ -868,9 +868,10 @@ auth_phase(Response, #connection{protocol = Protocol},
 sock = Sock}) ->
 case AuthMechanism:handle_response(Response, AuthState) of
- {refused, Username} ->
+ {refused, Reason} ->
 rabbit_misc:protocol_error(
- access_refused, "login refused for user '~s'", [Username]);
+ access_refused, "~s login refused: ~s",
+ [proplists:get_value(name, AuthMechanism:description()), Reason]);
 {protocol_error, Msg, Args} ->
 rabbit_misc:protocol_error(access_refused, Msg, Args);
 {challenge, Challenge, AuthState1} ->
|
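Review bot: `Refused` is built with io_lib:format before lookup_user runs, so every successful login also pays for formatting an error message it then discards; a local helper such as `refused(Username) -> {refused, io_lib:format("user '~s' - invalid credentials", [Username])}.` called from the two failure branches keeps the formatting off the success path. Returning the same message for an unknown user and for a wrong password is the right choice here, since a distinct message would confirm to the client which usernames exist. The `{error, not_found}` branch still returns without ever calling check_password, so the two failures may remain distinguishable by response time; whether that is worth equalising depends on how expensive check_password is, which is outside this hunk. user_pass_login's body begins before the hunk; check_user_pass_login is shown in full.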
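Review bot: After this change the `username` field of `#state{}` holds either a binary CN or a `{refused, string()}` tuple, and handle_response dispatches on which of the two it received; that overloads a field whose name promises a username, and the record's type annotation (outside the hunk) will need updating or Dialyzer will complain. A clearer shape is to keep the outcome tagged on both sides, with the CN branch producing `{ok, list_to_binary(CN0)}` and handle_response matching `{ok, Name}` against `{refused, _} = E`, or to carry the refusal in a dedicated field. The reason strings chosen in init/1 are forwarded to the client verbatim by rabbit_reader, so a one-line comment on init/1 stating that they are client-visible would help the next editor pick wording accordingly. init/1 starts before the hunk; handle_response is shown in full.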
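Review bot: `Reason` is interpolated with `~s` and sent to the client as the access_refused text, yet the only contract on it is whatever each rabbit_auth_mechanism implementation chooses to return; a mechanism that returns a tuple or other non-chardata term would make io_lib:format raise badarg inside the refusal path instead of producing a protocol error. The expectation that `{refused, Reason}` carries client-safe chardata (list, binary or atom) belongs in the behaviour's handle_response callback documentation, and a guard such as `{refused, Reason} when is_list(Reason); is_binary(Reason); is_atom(Reason) ->` plus a fallback clause that refuses with a fixed message would keep the reader robust to third-party mechanisms. auth_phase starts before and continues after the hunk.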
