Re: [mosquitto-dev] config file questions

On Thu, 4 Jul 2019 at 20:22, Greg Troxel <gdt@xxxxxxxxxx> wrote:
>
> Roger Light <roger@xxxxxxxxxx> writes:
>
> > I believe that TLS configuration for MQTT is a different situation
> > than for HTTPS. It is much more likely that you will want to use
> > client certificates on MQTT. If the system certificates were trusted
> > by default, then all client certificates signed by those CAs could
> > connect. As above, some better documentation about this and how to
> > enable system certificates would be good.
>
> So what I understand now, that I didn't before, is that mosquitto is
> blurring authentication and authorization, in that an entity with a
> client certificate (that establishes identity, according to pkix/x509),
> is considered authorized, or perhaps rather is allowed to connect and
> read/write in a way that matches acls that are written "any identified
> user", with some common practice as treating "any identified user" as
> having some level of privilege.

This is only partially correct. If you wish you may just rely on
client certificates, and there are options which allow you to have
parameters from the client certificates as username/client id, but
they are just options. You can equally have client certificates just
for allowing connection, then carry out authentication in the normal
way.

> Which means that capath probably should not be set at all in
> mosquitto.conf unless one is doing this client cert scheme.

This has been noted before, and I don't disagree, but it is a breaking
change so I'm not going to change it for now.

Cheers,

Roger
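As an added example, not from this thread and not part of the mosquitto project: a small Python check that reads a mosquitto.conf and classifies each listener's client-certificate model in the terms Roger describes (certificate identity used as username, or certificate only gating the connection with password authentication carried out afterwards), and flags the case Greg raises where capath points at the system trust store while client certificates are required. It assumes mosquitto 1.5+ option names (listener, certfile, keyfile, cafile, capath, require_certificate, use_identity_as_username, allow_anonymous, password_file, per_listener_settings); the sample configuration is constructed for the example, and the list of "system trust store" paths is a heuristic of this example, not a mosquitto setting.

```python
"""Classify the client-certificate model of each listener in a mosquitto.conf.

Added example for the thread's discussion; not part of mosquitto. It assumes
mosquitto 1.5+ option names and 'per_listener_settings true' so that
allow_anonymous can be read per listener.
"""

# Heuristic (an assumption of this example, not a mosquitto setting): paths that
# usually hold the OS-wide trust store. With require_certificate true, a capath
# or cafile pointing here means every client certificate issued by any public CA
# passes the TLS check, which is the situation the thread warns about.
SYSTEM_TRUST_HINTS = ("/etc/ssl/certs", "/etc/pki/tls/certs",
                      "ca-certificates.crt", "ca-bundle.crt")

# Constructed sample configuration for this example (not from the thread).
SAMPLE_CONF = """\
per_listener_settings true
allow_anonymous false
password_file /etc/mosquitto/passwd

# Weak: system trust store + certificate required + anonymous allowed
listener 8883
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
capath /etc/ssl/certs
require_certificate true
allow_anonymous true

# Certificate CN becomes the username; ACLs are written against that CN
listener 8884
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
cafile /etc/mosquitto/ca/private-ca.crt
require_certificate true
use_identity_as_username true

# Certificate only gates the connection; username/password still checked
listener 8885
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
cafile /etc/mosquitto/ca/private-ca.crt
require_certificate true

listener 1883
"""


def _truthy(value):
    return value is not None and value.strip().lower() == "true"


def parse_conf(text):
    """Minimal mosquitto.conf reader: 'key value' lines, '#' comments.

    A 'listener' line opens a new section; options seen before the first
    listener are stored under 'global'.
    """
    sections = {"global": {}}
    current = sections["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = sections.setdefault("listener " + value, {})
            continue
        current[key] = value
    return sections


def assess(sections):
    """Return {listener: [findings]} describing who can connect and how they
    are identified. Listener options override global ones."""
    glob = sections["global"]
    findings = {}
    for name, opts in sections.items():
        if name == "global":
            continue

        def get(key, opts=opts):
            return opts.get(key, glob.get(key))

        issues = []
        if not get("certfile"):
            issues.append("plaintext")  # no TLS at all on this listener
        elif not _truthy(get("require_certificate")):
            issues.append("client-certs-not-required")  # TLS server auth only
        else:
            trust = get("capath") or get("cafile") or ""
            if any(hint in trust for hint in SYSTEM_TRUST_HINTS):
                issues.append("public-ca-trusted")  # any public-CA client cert connects
            if _truthy(get("use_identity_as_username")):
                issues.append("identity-from-cert-cn")  # password_file not used here
            elif _truthy(get("allow_anonymous")):
                issues.append("cert-only-no-auth")  # holding a trusted cert is enough
            else:
                issues.append("cert-plus-password")  # cert gates, password authenticates
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for listener, issues in assess(parse_conf(SAMPLE_CONF)).items():
        print(f"{listener}: {', '.join(issues)}")
```

Run on the sample, listener 8883 is reported as both "public-ca-trusted" and "cert-only-no-auth": any holder of a certificate from a public CA can connect and nothing further identifies them, which is the combination the thread is warning against. Listener 8884 binds identity to the certificate CN, so the ACL file decides what that CN may do; listener 8885 uses the certificate only as a gate and still checks the password file. The trust-store heuristic is deliberately simple; on a real host, compare the resolved capath against the distribution's certificate directory.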

