Re: [mosquitto-dev] Accepting connection based on client's certificate

+1 for that as well!

Jan

On 10/30/19 10:36 AM, Ben Kinsella wrote:
Isn't there a "standard" approach to this? Use HAProxy's "PROXY" protocol: http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
The Common Name of the cert is used as the MQTT username. 

It would be great if Mosquitto also supported HAProxy.

Regards,
Ben.


On Tue, 29 Oct 2019 at 18:57, Roger Light <roger@xxxxxxxxxx> wrote:
Hi Jan,

One way to approach this would be to have a plugin that does what you
have already described, but in the authentication check. Something
like:

#include <openssl/x509.h>
#include <mosquitto_broker.h>
#include <mosquitto_plugin.h>

/* do_my_check() stands for the application-specific policy from Jan's
   description; it returns MOSQ_ERR_SUCCESS when the certificate may be
   granted access. */
int do_my_check(X509 *cert);

int mosquitto_auth_unpwd_check(void *user_data, struct mosquitto *client,
        const char *username, const char *password)
{
    X509 *cert;
    int rc;

    /* The broker hands back a copy of the peer certificate (NULL if the
       client sent none); the caller must release it with X509_free(). */
    cert = mosquitto_client_certificate(client);
    if(cert == NULL){
        return MOSQ_ERR_AUTH;
    }
    rc = (do_my_check(cert) == MOSQ_ERR_SUCCESS) ? MOSQ_ERR_SUCCESS : MOSQ_ERR_AUTH;
    X509_free(cert);
    return rc;
}

Cheers,

Roger

On Tue, 29 Oct 2019 at 10:33, Jan Lukavský <je.ik@xxxxxxxxx> wrote:
>
> Hello,
>
> I have a question about solving the following situation:
>
>   - I have a TLS-enabled mosquitto server, which is configured to accept
> only connections with a client certificate signed by a defined authority
>
>   - suppose I have additional application logic that can decide whether a
> certificate should be granted access, although it seems to be otherwise
> valid
>
>   - I cannot use OCSP stapling (let's just suppose that)
>
> I have successfully solved this by adding a "hook" to
> src/handle_connect.c - a configurable executable that receives the
> certificate can be run and returns zero (success) or non-zero (deny access).
>
> The question now is - would this solution be acceptable upstream? Is
> there a better solution (one that comes to mind is maybe to extend the auth
> plugin somehow)? I see the fact that a subprocess is forked on each
> incoming connection as only a minor performance issue, given that it
> gives (a little) additional security in that if the "plugin" crashes for
> whatever reason then it affects only the incoming connection and not the
> server as a whole.
>
> Thanks for any comments,
>
>   Jan
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/mosquitto-dev

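What Ben's HAProxy suggestion would require on the broker side, as an added example (not code from this thread or from Mosquitto): a parser for the binary PROXY protocol v2 header from the linked proxy-protocol.txt that pulls the client certificate Common Name out of the SSL TLV, plus the check a broker must add before using that CN as the MQTT username: accept the CN only when the proxy reports that the certificate was verified. The header builder, the addresses and the CN "device-42" are constructed for the example, which handles TCP over IPv4 only.

```python
import struct
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"          # binary v2 signature (proxy-protocol.txt)
PP2_TYPE_SSL, PP2_SUBTYPE_SSL_CN = 0x20, 0x22      # SSL TLV and its Common Name sub-TLV
PP2_CLIENT_SSL, PP2_CLIENT_CERT_CONN = 0x01, 0x02  # flags in the SSL TLV's <client> byte

def parse_tlvs(buf):
    """Yield (type, value) pairs from a run of TLVs, rejecting truncated ones."""
    off = 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV")
        t, ln = struct.unpack_from("!BH", buf, off)
        if off + 3 + ln > len(buf):
            raise ValueError("TLV length runs past header")
        yield t, buf[off + 3:off + 3 + ln]
        off += 3 + ln

def parse_proxy_v2(data):
    """Parse one v2 header -> (info dict, or None for LOCAL; bytes after the header)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("bad version or truncated header")
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:        # LOCAL (health check): carries no client info
        return None, rest
    if fam_proto != 0x11 or len(body) < 12:   # only TCP/IPv4 (12 address bytes) handled
        raise ValueError("unsupported address family or short header")
    info = {"client_cert": False, "verified": False, "cn": None}
    for t, v in parse_tlvs(body[12:]):
        if t == PP2_TYPE_SSL and len(v) >= 5:
            client, verify = struct.unpack_from("!BI", v, 0)  # <client> flags, <verify> result
            info["client_cert"] = bool(client & PP2_CLIENT_CERT_CONN)
            info["verified"] = verify == 0                  # 0: cert chain verified by the proxy
            info["cn"] = next((sv.decode() for st, sv in parse_tlvs(v[5:])
                               if st == PP2_SUBTYPE_SSL_CN), None)
    return info, rest

def username_from_proxy(info):
    """Ben's rule plus the check a broker must add: use the CN only if the proxy verified the cert."""
    return info["cn"] if info and info["client_cert"] and info["verified"] else None
def build_proxy_v2(src, dst, sport, dport, cn=None, verified=True):
    """Constructed header for a TCP/IPv4 client; with cn set, adds the SSL TLV a proxy would send."""
    body = bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + struct.pack("!HH", sport, dport)
    if cn is not None:
        cn_tlv = struct.pack("!BH", PP2_SUBTYPE_SSL_CN, len(cn.encode())) + cn.encode()
        ssl = struct.pack("!BI", PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN, 0 if verified else 1) + cn_tlv
        body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl)) + ssl
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

A broker must accept such a header only on a listener reachable solely from the proxy itself, since any peer able to send the header directly could claim an arbitrary CN; the MQTT CONNECT packet then follows in the returned remainder.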