Re: [mosquitto-dev] Client certificate expiration handling

<user100@xxxxxxxxx> writes:

> Thanks for reply. I did some tests with self-signed certificates and I can
> confirm that mosquitto doesn't know about certificate expiration if the
> certificate expires when the mosquitto is already running. Mosquitto must be
> restarted to load new certificates.

Your experiment results are consistent with mine.

Strictly, I don't think the restart or HUP is about expiration.  It's
more "read the cert file off the disk".  It's just that impending
expiration is the usual reason that changes.

I gather from other comments that sending a SIGHUP will cause it to
recheck and use the new cert.  This is not really addressed in the man
page, but given that it documents that the entire config is reloaded
that makes sense.

> Test Observations:
>
> Test 1
>
> Current time: 13:25
>
> Cert expiration: 13:28
>
> Start test at 13:25
>
> Run publisher and receiver (mosquitto_sub -h 127.0.0.1 -t /test/abc --cafile
> server_faketime.crt -p 8883 -d).
>
> Publisher is sending data for 5 minutes (up to 13:30) even if the cert is
> already expired. After 5 minutes the process ended.
>
> Subscriber is receiving data for 5 minutes (up to 13:30) even if the cert is
> already expired. After 5 minutes process is waiting for another data.
>
> After 5 minutes (at 13:30), it is not possible to run publisher again. It
> fails with cert expiration error.

Matches my experience (with weewx, Home Assistant, ESP8266), but mine is
not a controlled experiment.

> Test 2
>
> Current time: 13:40
>
> Cert expiration: 13:42
>
> Start test at 13:40
>
> This test is the same as the previous one but this time a new cert with longer
> expiration (14:00) is generated at 13:44. So far, no mosquitto restart was
> done!
>
> When publisher stops sending data it is not possible to run it again. Same
> for receiver.
>
> 13:45
>
> Now the mosquitto is manually restarted.
>
> It is possible to run publisher and receiver again.

Sounds like the same result as Test 1.

I filed

https://github.com/eclipse/mosquitto/issues/2037
https://github.com/eclipse/mosquitto/issues/2038

about this.
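As the thread establishes, the broker only reads certfile at start-up or on SIGHUP, so a renewed certificate on disk is not served until a reload, and only new connections notice the expiry. The script below is an added example (not code from the mosquitto project or from anyone in this thread) that checks the on-disk certificate for impending expiry, compares its fingerprint with the one the running broker actually serves, and sends SIGHUP when they differ. It assumes openssl and pkill are installed, a broker process named mosquitto, and the hypothetical paths and addresses set in main.

```shell
#!/bin/sh
# Added example, not from the mosquitto project. Assumes openssl and pkill are
# installed and that the broker reloads its config (and certs) on SIGHUP.
set -u

# Exit 0 if the certificate file $1 is still valid for at least $2 seconds,
# non-zero if it has already expired or expires within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the running broker at $1:$2 presents.
# This lags behind the file on disk until the broker is restarted or HUP'd.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Ask mosquitto to reload its configuration, which re-reads certfile/keyfile.
reload_broker() {
    pkill -HUP -x mosquitto
}

main() {
    certfile="${CERTFILE:-/etc/mosquitto/certs/server.crt}"  # hypothetical path
    host="${BROKER_HOST:-127.0.0.1}"
    port="${BROKER_PORT:-8883}"

    if ! cert_valid_for "$certfile" 86400; then
        echo "WARN: $certfile expires within 24h; renew it, then reload" >&2
    fi
    on_disk=$(cert_fingerprint "$certfile")
    live=$(served_fingerprint "$host" "$port")
    if [ -n "$live" ] && [ "$on_disk" != "$live" ]; then
        echo "Broker still serves an old certificate; sending SIGHUP" >&2
        reload_broker
    fi
}

# Run main only when executed as this (hypothetical) script name, so the
# functions can also be sourced from another script or a cron job.
case "${0##*/}" in mosquitto-cert-check.sh) main ;; esac
```

Run it from cron shortly after your renewal job; a differing fingerprint means the renewal happened but the broker never picked it up.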


