Re: [paho-dev] MQTTClient_SSLOptions scenarios - Paho C Client

1) The Mosquitto server on m2m.eclipse.org does not have the TLS configuration needed to run these tests.    This directory:

http://git.eclipse.org/c/paho/org.eclipse.paho.mqtt.c.git/tree/test/ssl

has the configuration files needed.  

2) That return code looks like a bug, and we should return something more friendly.

3) Anonymous ciphers aren't very secure.  We used to run these tests against different MQTT servers, but as far as I remember, they made no sense against Mosquitto, or Roger made efforts to disallow them on the reasonable grounds of insecurity.  Either way, we decided that they were not important enough to re-enable.

Ian

On 08/24/2015 05:33 PM, Ben Kinsella wrote:
Following up on an earlier thread, I have tried running test3.c in order to understand the various SSL/TLS configuration scenarios.
With the default Options (i.e. testing against the m2m.eclipse.org broker) this is what I get:

Test | Description | Assertions | Failures | serverURI
1    | connection to nonSSL MQTT server | 2 | 0 | options.connection
2a_s | Mutual SSL authentication - single threaded client using receive | 2 | 1 | options.server_auth_connection
2a_m | Mutual SSL authentication - multi-threaded client using callbacks | 3 | 1 | options.mutual_auth_connection
2b   | connection to SSL MQTT server with clientauth=req but server does not have client cert | 2 | 0 | options.nocert_mutual_auth_connection
2c   | connection to SSL MQTT server, server auth enabled but unknown cert | 2 | 0 | options.mutual_auth_connection
3a_s | Server authentication - single threaded client using receive | 2 | 1 | options.server_auth_connection
3a_m | Server authentication - multi-threaded client using callbacks | 3 | 1 | options.server_auth_connection
3b   | connection to SSL MQTT server with clientauth=opt but client does not have server cert | 2 | 0 | options.server_auth_connection
4_s  | accept invalid server certificates - single threaded | 2 | 1 | options.server_auth_connection
4_m  | accept invalid server certificates - multi-threaded | 3 | 1 | options.server_auth_connection
 
The failures are all on MQTTClient_connect().

Questions:
* On failure, the return code (rc) is always -120150824. What does this mean?

* Is the documentation out of sync with the code? Doxygen says MQTTClient_connect() error codes are 1,2,3,4,5, etc. MQTTClient.h has #define's for negative numbers (but nothing like -120150824)

* I noticed that test5a, 5b, 5c make use of options.anon_connection. But these are commented out in line 1526. Why?

Thanks,
Ben.


------------------------------

Message: 3
Date: Fri, 14 Aug 2015 05:14:08 -0500
From: Adam Scally <ascally@xxxxxxxxxxx>
To: General development discussions for paho project
        <paho-dev@xxxxxxxxxxx>
Subject: Re: [paho-dev] MQTTClient_SSLOptions scenarios - Paho C
        Client
Message-ID:
        <AF7218889FF2204DBF5C75F95B5EE26432AC5671EF@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

Content-Type: text/plain; charset="us-ascii"

Thanks Al

-----Original Message-----
From: paho-dev-bounces@xxxxxxxxxxx [mailto:paho-dev-bounces@xxxxxxxxxxx] On Behalf Of Al S-M
Sent: 14 August 2015 10:12
To: paho-dev@xxxxxxxxxxx
Subject: Re: [paho-dev] MQTTClient_SSLOptions scenarios - Paho C Client

If you look at test/test3.c in the paho C client source code there are tests there that test all the scenarios you mention which you could use as examples.
http://git.eclipse.org/c/paho/org.eclipse.paho.mqtt.c.git/tree/test/test3.c

Al

On 14/08/15 10:05, Adam Scally wrote:
> Hi,
>
> Just a general question on the 3 different MQTTClient_SSLOptions
> scenarios which are explained on the paho C client page:
>
> /"Server authentication: The client needs the digital certificate of
> the server. It is included in a store containing trusted material
> (also known as "trust store")./
>
> /Mutual authentication: Both client and server are authenticated
> during the SSL handshake. In addition to the digital certificate of
> the server in a trust store, the client will need its own digital
> certificate and the private key used to sign its digital certificate
> stored in a "key store"./
>
> /Anonymous connection: Both client and server do not get authenticated
> and no credentials are needed to establish an SSL connection. Note
> that this scenario is not fully secure since it is subject to
> man-in-the-middle attacks."/
>
> My application is now successfully supporting MQTT over TLS (thanks to
> this mailing list). My question is how do I test each scenario which
> is stated above?
>
> Am I right in saying:
>
> For server authentication: the trustStore parameter is set and
> enableServerCertAuth is true. The client Keystore and PrivateKey are
> not set?
>
> For Mutual authentication: the trustStore, Keystore, PrivateKey and
> PrivateKeyPassword parameters are set. The enableServerCertAuth is true.
>
> For Anonymous connection: the trustStore, Keystore, PrivateKey and
> PrivateKeyPassword parameters are not set. The enableServerCertAuth is
> false.
>
> Sorry for the long winded question I just want to fully understand
> exactly what I am setting for configuration purposes. Thank you.
>
> Best Regards,
>
> Adam
>
>
>
> _______________________________________________
> paho-dev mailing list
> paho-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or
> unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/paho-dev
>

-- 
Ian Craggs                          
icraggs@xxxxxxxxxx                 IBM United Kingdom
Paho Project Lead; Committer on Mosquitto

