Re: [mosquitto-dev] Q: mosquitto broker TLS certificate based

Hi Ralf.

No, it is NOT required that the same CA is used to issue both the server (broker) cert and the client certs. This is a common simplification used when implementing TLS with mutual authentication. For example, Roger's own man page for TLS configuration assumes the use of a single CA. This is not unique to Mosquitto or MQTT. OpenVPN for example does the same.

In my experience, the use of a single CA in "getting started" documentation causes more harm than good. It creates confusion about what the CA cert actually represents, i.e. in their respective trust stores, the client needs to have a cert for the root CA of the server, and the server needs to have a cert for the root CA of the client. That's all there is to it.

Also, using a single CA is less secure than using two (or more, as every client could in theory have a cert issued by a different CA). In particular, if you use your server's CA to issue certs to multiple clients, then you are vulnerable to a Man-In-The-Middle attack, i.e. any one client could decide to use the cert you gave them to impersonate your server, and all other clients would blindly trust it. (Unless of course the clients do some further certificate verification. Which again, they should, but most programmers don't bother.)

Regards,
Ben.
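The trust-store split Ben describes, as an added example in Go (not code from this thread, nor from Mosquitto or Paho): two independent roots, a broker cert issued by one and a client cert issued by the other, each checked the way the receiving TLS peer would check it, plus the single-CA shortcut he warns about. All CA and host names are constructed for the demo; in a Mosquitto listener the broker cert goes in `certfile`/`keyfile` and the client CA in `cafile` with `require_certificate true`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a cert for cn with the given extended key usages; parent == nil makes a self-signed root CA. Names are constructed.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // a root signs itself and must be allowed to sign other certs
		t.KeyUsage, parent, pkey = t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey) // cannot fail for these fixed inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo is the check a TLS peer performs: does cert validate for usage against a store holding only root? (Hostname matching is a separate step, omitted here.)
func chainsTo(cert, root *x509.Certificate, usage x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

// Demo builds the thread's two-CA layout plus one single-CA shortcut and returns the outcome of each trust check.
func Demo() (clientTrustsBroker, brokerTrustsSensor, sensorAsBroker, laxAsBroker bool) {
	brokerCA, brokerKey := issue("Broker Root CA", nil, nil, nil) // issues the broker cert only
	clientCA, clientKey := issue("Client Root CA", nil, nil, nil) // issues client certs only
	broker, _ := issue("mqtt.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, brokerCA, brokerKey)
	sensor, _ := issue("sensor-01", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, clientCA, clientKey)
	lax, _ := issue("sensor-02", nil, brokerCA, brokerKey) // single-CA shortcut: client cert from the broker's CA, EKU left open
	return chainsTo(broker, brokerCA, x509.ExtKeyUsageServerAuth), // client's store holds the broker CA only
		chainsTo(sensor, clientCA, x509.ExtKeyUsageClientAuth), // broker's store (mosquitto cafile) holds the client CA only
		chainsTo(sensor, brokerCA, x509.ExtKeyUsageServerAuth), // cert from the other CA offered as the broker: rejected
		chainsTo(lax, brokerCA, x509.ExtKeyUsageServerAuth) // cert from the same CA offered as the broker: accepted
}

func main() { fmt.Println(Demo()) }
```

The last result is the risk from the reply above: with one CA, a client's own cert validates as the broker unless the client also checks extended key usage and hostname.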


----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Jan 2017 14:33:59 +0000
From: "Ackermann, Ralf" <ralf.ackermann@xxxxxxx>
To: "mosquitto-dev@xxxxxxxxxxx" <mosquitto-dev@xxxxxxxxxxx>
Subject: [mosquitto-dev] Q: mosquitto broker TLS certificate based client authentication?
Message-ID: <04F4D2A2-76C7-4D5B-9DC6-EA6D62EDB8C8@xxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hello,

I'm trying to set up a mosquitto MQTT broker with both
- TLS support and the chance for clients to verify broker authenticity based on a server certificate that is signed by a valid CA (e.g. Let's Encrypt certificate with DST Root CA X3 as root CA, with the corresponding .pem to be used with the MQTT client, e.g. a client based on the Paho lib) - DONE
- additionally: client authentication based on TLS certificates

The question I have is the following:
https://primalcortex.wordpress.com/2016/11/08/mqtt-mosquitto-broker-client-authentication-and-client-certificates/
states that: Using client certificates, signed by a certificate authority, assures the client identity. The certificate authority used must be the same used by the server certificates and is only supported over TLS/SSL.

Is this really a constraint to be met - or can mosquitto also be configured to work with client certificates that are signed by another CA (including potentially even a "non official certificate signer") than the one I mentioned for the broker authentication?

In addition: Is there somebody who has worked on such a setup and would be willing to share some experience?

best regards
Ralf