Re: [mosquitto-dev] mosquitto with tls

mmm ... I don't think so ...

Using all-ca.crt (included on mosquitto source).
I can connect with my broker using mosquitto_pub/sub client without "insecure" flag using both ip and fqdn.

So ... I think if I can connect doing:
mosquitto_pub -h 1.1.1.1 -p 8888 -t 'test' --cafile ./all-ca.crt

the -h flag is not used for the name.



On 02/08/18 13:02, Manuel Domínguez Dorado wrote:
Hi,

Sure, is the -h flag.

Regards

On Thu., 2 August 2018 17:00, Leandro <ingrogger@xxxxxxxxx> wrote:
Do you know where the server name is specified on the mosquitto_sub/pub client in order to match the server name included in the certificate?
Regards.
Leandro.


On 01/08/18 12:58, Manuel Domínguez Dorado wrote:
Are you going to connect to the broker via mosquitto_pub and mosquitto_sub? Or are you going to connect from java, C...?

On Wed., 1 August 2018 15:36, Leandro <ingrogger@xxxxxxxxx> wrote:
So ... it means that if I need to move to a new server, let's suppose for maintenance,
I only need to change the server name ( `hostname` ) and all should continue working?

Also:
"name in cert must match name used to connect"

Can you point those names for:
openssl commands while creating certs
mosquitto_sub client command line flag while connecting.


btw, thanks for this ... you are helping me a lot.

Regards,
Leandro.



On 01/08/18 09:59, Manuel Domínguez Dorado wrote:
Great answer!!! Thanks.

On Wed., 1 August 2018 14:25, Greg Troxel <gdt@xxxxxxxxxx> wrote:

Manuel Domínguez Dorado <manolodd@xxxxxxxxx> writes:

> *"If you are using a cert issued by your own Certificate Authority, then
> you need to provide the CA certificate, so that mosquitto can verify that
> the server certificate is genuine"*
>
> Um... but this is true only if the hostname in the server certificate can
> be correctly resolved through the public DNS, isn't it?

The relevant standards (IETF PKIX) are very complicated, but the essence
is:

 program asks to connect to a name

 system might canonicalize the name

 system translates that to an address and connects

 remote provides a certificate

 validation requires that the certificate be reachable from a configured
 trust anchor (which more or less translates to "server cert's parent
 certificate (CA) is in the list of configured CAs")

 name in cert must match name used to connect


So no, you shouldn't need dns. You just have to make the names match.
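As an added example (not part of this thread and not mosquitto's own code), here is the last step of Greg's list, "name in cert must match name used to connect", written in Python against certificates in the dict shape Python's ssl getpeercert() returns. The broker names and addresses are constructed; the point it shows is that the name given with -h is compared against the certificate's subjectAltName with no DNS lookup, so -h with an IP literal only matches when the cert carries that IP Address entry.

```python
import ipaddress

# Constructed peer certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# These are not mosquitto's test certificates; the names and addresses are made up.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "broker.example.net"),),),
    "subjectAltName": (("DNS", "broker.example.net"),),
}
CERT_DNS_AND_IP = {
    "subject": ((("commonName", "broker.example.net"),),),
    "subjectAltName": (("DNS", "broker.example.net"), ("IP Address", "192.0.2.10")),
}


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive, and a single '*' is
    accepted only as the whole left-most label of a name with 3+ labels."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_matches_connect_name(cert: dict, connect_name: str) -> bool:
    """The check after chain validation: does the name the client was told to
    connect to (mosquitto_pub -h ...) appear in the certificate?  Only
    subjectAltName is consulted and no DNS query is made, so the name need not
    resolve publicly.  mosquitto's --insecure flag switches exactly this off."""
    try:
        connect_ip = ipaddress.ip_address(connect_name)
    except ValueError:
        connect_ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if connect_ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == connect_ip:
                return True
        elif connect_ip is None and kind == "DNS":
            if dns_name_matches(value, connect_name):
                return True
    return False


if __name__ == "__main__":
    # -h broker.example.net matches both certs; -h 192.0.2.10 only the one with an IP SAN.
    for cert, label in ((CERT_DNS_ONLY, "DNS-only"), (CERT_DNS_AND_IP, "DNS+IP")):
        for host in ("broker.example.net", "192.0.2.10"):
            print(f"{label:8} -h {host:20} -> {cert_matches_connect_name(cert, host)}")
```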


_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
