Re: [mosquitto-dev] config file questions

Roger Light <roger@xxxxxxxxxx> writes:

>> The capath option does not seem to default to the system's openssl
>> configuration.  That seems unexpected.  It seems I need to set capath
>> separately for the server, for the server to use for validating bridges,
>> and for mosquitto_sub.  I expect all of these to default to the system's
>> openssl configuration, so that if e.g. I use letsencrypt, everything
>> will just work.  (I'm implicitly taking the position that validation of
>> mqtt and validation of https by wget, etc. should more or less be done
>> the same way.)
>
> I believe that TLS configuration for MQTT is a different situation
> than for HTTPS. It is much more likely that you will want to use
> client certificates on MQTT. If the system certificates were trusted
> by default, then all client certificates signed by those CAs could
> connect. As above, some better documentation about this and how to
> enable system certificates would be good.

So what I understand now, that I didn't before, is that mosquitto is
blurring authentication and authorization, in that an entity with a
client certificate (that establishes identity, according to pkix/x509)
is considered authorized, or perhaps rather is allowed to connect and
read/write in a way that matches acls that are written "any identified
user", with some common practice of treating "any identified user" as
having some level of privilege.

As opposed to the common practice in security theatre (not sure it's
comedy or tragedy :-), where having a driver's license (but not looking
up the person in databases) is considered adequate for something, even
though it proves "this is a human that someone somewhere issued an ID
to, and we don't actually know anything about whether they should be
authorized for anything in particular".  (Yes, I have once been through
a checkpoint where I had to show a driver's license, it was looked at to
verify that it had a picture that sort of matched and sort of looked
like a license, and *nothing else was verified at all or looked up*, and
this was apparently thought to lead to some sort of security property.)

Now, I realize what people probably do is spin up a CA just for their
MQTT world, and have the notion that "an entity has a client cert" is
equivalent to "this is an authorized MQTT entity in my setup".

Which means that capath probably should not be set at all in
mosquitto.conf unless one is doing this client cert scheme.

And, there is then the question of capath in mosquitto_pub/sub (and
other clients), where presumably the public CA list is a sensible
default since the server's use of a cert is much like a webserver's.
Except that people may want to configure only the CA they know is in
use, to achieve some sort of pinning, but I consider that advanced
rather than normal usage.
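The broker-side concern in the reply above, as an added example that is not part of the thread and not code from the mosquitto project: two constructed mosquitto.conf fragments, one that pairs `require_certificate true` with the distro's public CA bundle (so a certificate from any public CA would be accepted as a client identity) and one that trusts only a CA run for the MQTT deployment, plus a small awk check that flags the first shape. The certificate paths are made up, and treating anything under /etc/ssl or /etc/pki as "the system store" is an assumption about typical distro layouts, not something mosquitto defines.

```shell
#!/bin/sh
# Added example, not from the mosquitto project or the thread. It writes two
# constructed mosquitto.conf fragments and flags any listener that requires
# client certificates while its cafile/capath points at the system CA store.
# Paths under /etc/ssl or /etc/pki are assumed to be the distro bundle.

# check_listener_ca FILE
# Returns 0 when no listener is affected, 1 when at least one listener sets
# require_certificate true with a CA path under /etc/ssl or /etc/pki.
# Options before the first "listener" line belong to the default listener.
check_listener_ca() {
    awk '
        BEGIN { name = "default"; ca = ""; req = 0; bad = 0 }
        function flush() {
            if (req && ca ~ /^\/etc\/(ssl|pki)\//) {
                print "listener " name ": require_certificate true with system CA store " ca
                bad = 1
            }
        }
        /^[[:space:]]*listener[[:space:]]/                 { flush(); name = $2; ca = ""; req = 0 }
        /^[[:space:]]*(cafile|capath)[[:space:]]/          { ca = $2 }
        /^[[:space:]]*require_certificate[[:space:]]+true/ { req = 1 }
        END { flush(); exit bad }
    ' "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed: client certs are required, but the trust anchor is the
# distro bundle of public CAs, so any publicly issued cert can connect.
cat > "$workdir/risky.conf" <<'EOF'
listener 8883
capath /etc/ssl/certs
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
EOF

# Constructed: the shape the thread describes as common practice. Only
# certificates issued by a CA run for this MQTT deployment are accepted.
cat > "$workdir/private_ca.conf" <<'EOF'
listener 8883
cafile /etc/mosquitto/ca/mqtt-ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
EOF

RISKY_CONF="$workdir/risky.conf"
PRIVATE_CA_CONF="$workdir/private_ca.conf"

for conf in "$RISKY_CONF" "$PRIVATE_CA_CONF"; do
    if check_listener_ca "$conf"; then
        echo "$(basename "$conf"): ok"
    else
        echo "$(basename "$conf"): flagged"
    fi
done
```

The check is per listener, so a broker that keeps a public-CA listener for plain server authentication and a second listener with `require_certificate true` backed by a private `cafile` is reported clean. On the client side the reverse default applies, as the reply notes: `mosquitto_sub --capath /etc/ssl/certs ...` validates the broker the way a browser validates a web server, and passing `--cafile` with just the deployment's own CA is the pinning-style tightening described as advanced usage.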