Re: [mosquitto-dev] Q: mosquitto broker TLS certificate based client authentication ?

Hi Ralf,

You can have multiple trusted CAs defined, so the letter of what you
are asking is possible - a server signed by one CA and client
certificates signed by another. The trouble is that at least at the
moment I don't think having the server certificate be signed and
trusted by one CA (letsencrypt) and your client certificates signed by
your own CA, but have them be kept separate, is possible. In other
words, I suspect that if you set it up like that then anyone with a
letsencrypt certificate could authenticate as a client.

This is clearly not ideal, I'll have to look into what would be
possible in this area. It will probably require extra configuration.

Cheers,

Roger


On Tue, Jan 31, 2017 at 2:33 PM, Ackermann, Ralf <ralf.ackermann@xxxxxxx> wrote:
> Hello,
>
> I'm trying to set up a mosquitto MQTT broker with both
>
> - TLS support and the chance for clients to verify broker authenticity
>   based on a server certificate that is signed by a valid CA (e.g. Let's
>   Encrypt certificate with DST Root CA X3 as root CA with the corresponding
>   .pem to be used with the MQTT client, e.g. a client based on the Paho
>   lib) - DONE
>
> - additionally: client authentication based on TLS certificates
>
> The question I have is the following:
>
> https://primalcortex.wordpress.com/2016/11/08/mqtt-mosquitto-broker-client-authentication-and-client-certificates/
>
> states that: Using client certificates, signed by a certificate authority,
> assures the client identity. The certificate authority used must be the same
> used by the server certificates and is only supported over TLS/SSL.
>
> Is this really a constraint to be met - or can mosquitto also be configured
> to work with client certificates that are signed by another CA (including
> potentially even a "non official certificate signer") than the one I
> mentioned for the broker authentication?
>
> In addition: Is there somebody who has worked on such a setup and would be
> willing to share some experience?
>
> best regards
>
>   Ralf
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
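Roger's point above is that once the public CA sits in the broker's client trust store, every certificate that CA ever issued satisfies the client check. The fragment below is an added example, not configuration from this thread or from the mosquitto project: it contrasts that bundled setup with one that keeps the client trust store private, and assumes that mosquitto's cafile, certfile, keyfile, require_certificate, use_identity_as_username, acl_file and allow_anonymous options behave as their documentation describes (cafile verifying clients, certfile carrying the broker's own chain); all file paths and names are placeholders.

```conf
# Added example configuration (not from the thread); paths are placeholders.
listener 8883

# RISKY: cafile is a bundle holding both the public CA chain and the
# private client CA. Any certificate chaining to either CA passes
# require_certificate, so any holder of a Let's Encrypt certificate connects.
#cafile /etc/mosquitto/ca/letsencrypt-chain-plus-private-ca.pem
#certfile /etc/mosquitto/certs/server.pem
#keyfile /etc/mosquitto/certs/server.key
#require_certificate true

# TIGHTER: cafile names only the private CA that issued the client certs.
# The public chain for the broker's own certificate goes into certfile
# (server certificate followed by its intermediates), so clients still
# verify the broker against the public root they already trust.
cafile /etc/mosquitto/ca/private-client-ca.pem
certfile /etc/mosquitto/certs/fullchain.pem
keyfile /etc/mosquitto/certs/privkey.pem
require_certificate true

# Bind authorisation to the certificate subject so that a valid but
# unexpected certificate still gets no topic access: the CN becomes the
# username and only names listed in the ACL file may publish or subscribe.
# Placeholder ACL file contents, for a client whose CN is "sensor-01":
#   user sensor-01
#   topic write sensors/sensor-01/#
use_identity_as_username true
acl_file /etc/mosquitto/acl
allow_anonymous false
```

A quick check after changing cafile is to connect with a client certificate issued by the public CA only and confirm the broker rejects the TLS handshake; if it still connects, the client trust store still contains the public CA.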

