The Common Name of the cert is used as the MQTT username.
It would be great if Mosquitto also supported HAProxy.
Regards,
Ben.
Hi Jan,
One way to approach this would be to have a plugin that does what you
have already described, but in the authentication check. Something
like:
int mosquitto_auth_unpwd_check(void *user_data, struct mosquitto
*client, const char *username, const char *password)
{
X509 *cert;
cert = mosquito_client_certificate(client);
if(do_my_check(cert) == MOSQ_ERR_SUCCESS){
return MOSQ_ERR_SUCCESS;
}else{
return MOSQ_ERR_AUTH;
}
}
Cheers,
Roger
On Tue, 29 Oct 2019 at 10:33, Jan Lukavský <je.ik@xxxxxxxxx> wrote:
>
> Hello,
>
> I have a question about solving following situation:
>
> - I have a TLS enabled mosquitto server, which is configured to accept
> only connections with client certificate signed by defined authority
>
> - suppose I have additional application logic, that can decide whether
> certificate should be granted access, although it seems to be otherwise
> valid
>
> - I cannot use OCSP stapling (let's just suppose that)
>
> I have successfully solved this by adding a "hook" to the
> src/handle_connect.c - a configurable executable that receives
> certificate can be run and return zero (success) or non-zero (deny access).
>
> The question now is - would this solution be acceptable upstream? Is
> there better solution (one that comes in mind is maybe extend auth
> plugin somehow)? I see the fact that a subprocess is forked on each
> incoming connection as only a minor performance issue given that it
> gives (a little) additional security in that if the "plugin" crashes for
> whatever reason then it affects only the incoming connection and not the
> server as a whole.
>
> Thanks for any comments,
>
> Jan
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/mosquitto-dev
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/mosquitto-dev