Re: [mosquitto-dev] Accepting connection based on client's certificate

Hi Jan,

One way to approach this would be to have a plugin that does what you
have already described, but in the authentication check. Something
like:

#include <mosquitto_broker.h>
#include <mosquitto_plugin.h>
#include <openssl/x509.h>

int mosquitto_auth_unpwd_check(void *user_data, struct mosquitto *client,
                               const char *username, const char *password)
{
    X509 *cert;
    int rc;

    /* New reference to the client's certificate, NULL if none; caller must X509_free() it. */
    cert = mosquitto_client_certificate(client);
    if(cert == NULL){
        return MOSQ_ERR_AUTH;
    }
    /* do_my_check(): your own policy on the certificate */
    if(do_my_check(cert) == MOSQ_ERR_SUCCESS){
        rc = MOSQ_ERR_SUCCESS;
    }else{
        rc = MOSQ_ERR_AUTH;
    }
    X509_free(cert);
    return rc;
}

Cheers,

Roger

On Tue, 29 Oct 2019 at 10:33, Jan Lukavský <je.ik@xxxxxxxxx> wrote:
>
> Hello,
>
> I have a question about solving the following situation:
>
>   - I have a TLS enabled mosquitto server, which is configured to accept
> only connections with a client certificate signed by a defined authority
>
>   - suppose I have additional application logic that can decide whether a
> certificate should be granted access, although it seems to be otherwise
> valid
>
>   - I cannot use OCSP stapling (let's just suppose that)
>
> I have successfully solved this by adding a "hook" to
> src/handle_connect.c - a configurable executable that receives the
> certificate can be run and returns zero (success) or non-zero (deny access).
>
> The question now is - would this solution be acceptable upstream? Is
> there a better solution (one that comes to mind is maybe to extend the auth
> plugin somehow)? I see the fact that a subprocess is forked on each
> incoming connection as only a minor performance issue given that it
> gives (a little) additional security in that if the "plugin" crashes for
> whatever reason then it affects only the incoming connection and not the
> server as a whole.
>
> Thanks for any comments,
>
>   Jan
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/mosquitto-dev
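The plugin route Roger sketches above, worked out as an added example (my code, not from the thread or the mosquitto project): a plugin API v4 auth plugin that denies a TLS client whose otherwise valid certificate has a serial number on a local deny list, the kind of application policy Jan wants to apply without OCSP. It assumes a broker built with TLS and configured with use_identity_as_username true (so the password check runs for every TLS client); the deny list, the normalising helper and the parameter names are my own.

```c
#include <ctype.h>
#include <string.h>
static const char DENY_LIST[] =   /* constructed: one serial per line, hex, ':' and case ignored */
    "# revoked by application policy, not by the CA\n"
    "01:A3:FF\n"
    "0b2c4d\n";
/* Canonicalise `len` bytes of a serial: hex digits only, upper-case, no leading zeros. */
static void norm(const char *in, size_t len, char *out, size_t outlen)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n + 1 < outlen; i++) {
        if (!isxdigit((unsigned char)in[i])) continue; /* skip ':' and blanks */
        if (n == 0 && in[i] == '0') continue;          /* drop leading zeros */
        out[n++] = (char)toupper((unsigned char)in[i]);
    }
    out[n] = '\0';
}
/* Policy core, plain C so it is testable without the broker: 1 if serial is listed, else 0. */
int serial_denied(const char *deny_list, const char *serial)
{
    char want[128], have[128];
    norm(serial, strlen(serial), want, sizeof want);
    for (const char *p = deny_list; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        if (*p == '#') continue;                       /* comment line */
        norm(p, strcspn(p, "\n"), have, sizeof have);
        if (have[0] && strcmp(have, want) == 0) return 1;
    }
    return 0;
}
#ifdef MOSQ_PLUGIN_BUILD /* broker glue: build as a .so with -DMOSQ_PLUGIN_BUILD -DWITH_TLS -lssl -lcrypto */
#include <mosquitto_broker.h>
#include <mosquitto_plugin.h>
#include <openssl/bn.h>
#include <openssl/x509.h>
int mosquitto_auth_plugin_version(void) { return 4; }
int mosquitto_auth_plugin_init(void **ud, struct mosquitto_opt *o, int n) { return MOSQ_ERR_SUCCESS; }
int mosquitto_auth_plugin_cleanup(void *ud, struct mosquitto_opt *o, int n) { return MOSQ_ERR_SUCCESS; }
int mosquitto_auth_security_init(void *ud, struct mosquitto_opt *o, int n, bool r) { return MOSQ_ERR_SUCCESS; }
int mosquitto_auth_security_cleanup(void *ud, struct mosquitto_opt *o, int n, bool r) { return MOSQ_ERR_SUCCESS; }
/* No topic policy here: every authenticated client may publish and subscribe anything. */
int mosquitto_auth_acl_check(void *ud, int a, struct mosquitto *c, const struct mosquitto_acl_msg *m) { return MOSQ_ERR_SUCCESS; }
int mosquitto_auth_unpwd_check(void *ud, struct mosquitto *client, const char *u, const char *pw)
{
    X509 *cert = mosquitto_client_certificate(client);     /* we own it: X509_free below */
    if (!cert) return MOSQ_ERR_AUTH;                         /* no client certificate: deny */
    BIGNUM *bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
    char *hex = bn ? BN_bn2hex(bn) : NULL;
    int rc = (hex && !serial_denied(DENY_LIST, hex)) ? MOSQ_ERR_SUCCESS : MOSQ_ERR_AUTH;
    OPENSSL_free(hex); BN_free(bn); X509_free(cert);
    return rc;
}
#endif
```

A client presenting a listed serial is refused at CONNECT with the usual "not authorised" result, so the event shows up in the broker log like any other failed authentication.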