[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[mosquitto-dev] Accepting connection based on client's certificate
|
Hello,
I have a question about solving following situation:
- I have a TLS enabled mosquitto server, which is configured to accept
only connections with client certificate signed by defined authority
- suppose I have additional application logic, that can decide whether
certificate should be granted access, although it seems to be otherwise
valid
- I cannot use OCSP stapling (let's just suppose that)
I have successfully solved this by adding a "hook" to the
src/handle_connect.c - a configurable executable that receives
certificate can be run and return zero (success) or non-zero (deny access).
The question now is - would this solution be acceptable upstream? Is
there better solution (one that comes in mind is maybe extend auth
plugin somehow)? I see the fact that a subprocess is forked on each
incoming connection as only a minor performance issue given that it
gives (a little) additional security in that if the "plugin" crashes for
whatever reason then it affects only the incoming connection and not the
server as a whole.
Thanks for any comments,
Jan