Re: [mosquitto-dev] Accepting connection based on client's certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [mosquitto-dev] Accepting connection based on client's certificate

From: Jan Lukavský <je.ik@xxxxxxxxx>
Date: Wed, 30 Oct 2019 10:30:29 +0100
Delivered-to: mosquitto-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/mosquitto-dev>
List-help: <mailto:mosquitto-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0

Hi Roger,

that is really helpful, thanks! I somehow missed that the signature ofthis method changed (it was not possible to obtain client certificatefrom there in earlier versions).


Cheers,

 Jan

On 10/29/19 7:56 PM, Roger Light wrote:

Hi Jan,

One way to approach this would be to have a plugin that does what you
have already described, but in the authentication check. Something
like:

int mosquitto_auth_unpwd_check(void *user_data, struct mosquitto
*client, const char *username, const char *password)
{
     X509 *cert;

     cert = mosquito_client_certificate(client);
     if(do_my_check(cert) == MOSQ_ERR_SUCCESS){
         return MOSQ_ERR_SUCCESS;
     }else{
         return MOSQ_ERR_AUTH;
     }
}

Cheers,

Roger

On Tue, 29 Oct 2019 at 10:33, Jan Lukavský <je.ik@xxxxxxxxx> wrote:

Hello,

I have a question about solving following situation:

   - I have a TLS enabled mosquitto server, which is configured to accept
only connections with client certificate signed by defined authority

   - suppose I have additional application logic, that can decide whether
certificate should be granted access, although it seems to be otherwise
valid

   - I cannot use OCSP stapling (let's just suppose that)

I have successfully solved this by adding a "hook" to the
src/handle_connect.c - a configurable executable that receives
certificate can be run and return zero (success) or non-zero (deny access).

The question now is - would this solution be acceptable upstream? Is
there better solution (one that comes in mind is maybe extend auth
plugin somehow)? I see the fact that a subprocess is forked on each
incoming connection as only a minor performance issue given that it
gives (a little) additional security in that if the "plugin" crashes for
whatever reason then it affects only the incoming connection and not the
server as a whole.

Thanks for any comments,

   Jan

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/mosquitto-dev

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/mosquitto-dev

Follow-Ups:
- Re: [mosquitto-dev] Accepting connection based on client's certificate
  - From: Jan Lukavský

References:
- [mosquitto-dev] Accepting connection based on client's certificate
  - From: Jan Lukavský
- Re: [mosquitto-dev] Accepting connection based on client's certificate
  - From: Roger Light

Prev by Date: Re: [mosquitto-dev] Accepting connection based on client's certificate
Next by Date: Re: [mosquitto-dev] Accepting connection based on client's certificate
Previous by thread: Re: [mosquitto-dev] Accepting connection based on client's certificate
Next by thread: Re: [mosquitto-dev] Accepting connection based on client's certificate
Index(es):
- Date
- Thread

Breadcrumbs