Re: [mosquitto-dev] use full certificate subject as username?

Hi Fabian,

My apologies, I took a look at this and decided that it looked easy enough. I did think I'd replied to you already, but I can't see that reply.

I agree this is a useful feature and will be including it in version 1.5. It fits in well with the authentication review. If you wish to have your patch included, please follow the instructions on http://git.eclipse.org/c/mosquitto/org.eclipse.mosquitto.git/tree/CONTRIBUTING.md - probably the easiest thing for you to do is attach the patch to a bugzilla bug along with the appropriate sign-off.

I haven't had a look at your patch yet, it's a very busy time of year for me.

Cheers,

Roger


On Wed, Jun 3, 2015 at 10:50 AM, Ruff, Fabian <fabian@xxxxxxxxx> wrote:
Hi,

this is a follow-up to my question from a couple of weeks ago.
I’m still looking for a way to use the full x509 certificate subject line in a mosquitto auth plugin for making topic access decisions.
In the meantime I have created a patch for mosquitto master that adds a use_subject_as_username option as an alternative to use_identity_as_username.
The option yields RFC2253 formatted certificate subjects (e.g. 'CN=agent,OU=project1,O=org1') as client usernames.
It is somewhat similar to the FakeBasicAuth ssl option from the Apache http server.
I find this option very useful and want to know if this is something that could be added to mosquitto mainline?
The patch is attached. I’m by no means a C expert so please excuse any memory leaks or other blatant mistakes.

Kind regards,
Fabian



> On 24 Apr 2015, at 16:10, Ruff, Fabian <fabian@xxxxxxxxx> wrote:
>
> Hi,
>
> I’m looking into leveraging TLS as much as possible for solving the authentication and authorization problem in my mqtt architecture.
> Currently the use_identity_as_username option only uses the common name from the certificate as the username.
> For authorization purposes other parts of the certificate's distinguished name could be helpful as well (e.g. organization, organizational unit...)
>
> Would it maybe be feasible to introduce a complementary configuration option like use_subject_as_username?
> That way an auth plugin could then make the access control decision based on the full certificate subject.
>
> Just wanted to check if somebody else might think this could be useful.
>
>
> Cheers,
> Fabian
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/mosquitto-dev

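Added example (not part of the thread, the attached patch, or mosquitto itself): how an auth plugin could take the RFC 2253 subject it receives as the username and turn it into a topic decision without being fooled by escaped separators, repeated attributes or MQTT topic characters inside a value. The names `dn_get` and `subject_may_access` and the `<O>/<OU>/` topic policy are hypothetical; the parser assumes backslash-escaped RFC 2253 output and does not handle quoted or `#hex` values.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy attribute `type` (e.g. "OU") out of an RFC 2253 subject string.
 * Returns 1 if found once, 0 if absent, -1 if malformed, too long or repeated. */
int dn_get(const char *dn, const char *type, char *out, size_t cap)
{
    int found = 0;
    size_t tlen = strlen(type);
    for (const char *p = dn; *p; ) {
        while (*p == ' ') p++;
        const char *eq = strchr(p, '=');
        if (!eq) return -1;
        int want = (size_t)(eq - p) == tlen && strncmp(p, type, tlen) == 0;
        if (want && found++) return -1;          /* same type twice: ambiguous */
        size_t n = 0;
        for (p = eq + 1; *p && *p != ',' && *p != '+'; p++) {
            char c = *p;
            if (c == '\\') {                     /* escaped char is never a separator */
                if (isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
                    char hex[3] = { p[1], p[2], '\0' };
                    c = (char)strtol(hex, NULL, 16);
                    p += 2;
                } else c = *++p;
                if (c == '\0') return -1;        /* dangling '\' or embedded NUL */
            }
            if (want && n + 1 >= cap) return -1; /* refuse to truncate */
            if (want) out[n++] = c;
        }
        if (want) out[n] = '\0';
        if (*p) p++;                             /* step over ',' or '+' */
    }
    return found;
}

/* Hypothetical policy: a client may only use topics under "<O>/<OU>/". */
int subject_may_access(const char *subject, const char *topic)
{
    char o[64], ou[64], prefix[130];
    if (dn_get(subject, "O", o, sizeof o) != 1) return 0;
    if (dn_get(subject, "OU", ou, sizeof ou) != 1) return 0;
    if (!*o || !*ou || strpbrk(o, "/+#") || strpbrk(ou, "/+#")) return 0;
    snprintf(prefix, sizeof prefix, "%s/%s/", o, ou);
    return strncmp(topic, prefix, strlen(prefix)) == 0;
}

/* Constructed subject and topic; exit status 0 means access allowed. */
int main(void) { return !subject_may_access("CN=agent,OU=project1,O=org1", "org1/project1/t"); }
```

A substring match such as `strstr(username, "OU=project1")` would accept a certificate whose CN is `x\,OU=project1`; parsing the RDNs and rejecting repeated attributes avoids that.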
