Re: [mosquitto-dev] Client certificate expiration handling

Did you guys consider using PSK instead? I believe that if you change the PSK of mosquitto, nothing else will be able to connect.

And how are you managing new certs for the clients? OTA firmware update?

Best regards

On Wed, 20 Jan 2021 at 05:24, <user100@xxxxxxxxx> wrote:
Hi Greg,

Thanks for the reply. I did some tests with self-signed certificates and I can confirm that mosquitto doesn't know about certificate expiration if the certificate expires while mosquitto is already running. Mosquitto must be restarted to load new certificates.

Test Observations:

Test 1

Current time: 13:25

Cert expiration: 13:28

Start test at 13:25

Run the publisher and the receiver (mosquitto_sub -h 127.0.0.1 -t /test/abc --cafile server_faketime.crt -p 8883 -d).

The publisher keeps sending data for 5 minutes (up to 13:30) even though the cert has already expired. After 5 minutes the process ends.

The subscriber keeps receiving data for 5 minutes (up to 13:30) even though the cert has already expired. After 5 minutes the process is waiting for more data.

After 5 minutes (at 13:30), it is not possible to run the publisher again. It fails with a cert expiration error.


Test 2

Current time: 13:40

Cert expiration: 13:42

Start test at 13:40

This test is the same as the previous one, but this time a new cert with a longer expiration (14:00) is generated at 13:44. So far, no mosquitto restart has been done!

When the publisher stops sending data, it is not possible to run it again. The same goes for the receiver.

13:45

Now mosquitto is manually restarted.

It is possible to run the publisher and the receiver again.


BR,
CH
---------- Original e-mail ----------
From: Greg Troxel <gdt@xxxxxxxxxx>
To: user100@xxxxxxxxx
Date: 15. 1. 2021 16:27:25
Subject: Re: [mosquitto-dev] Client certificate expiration handling

<user100@xxxxxxxxx> writes:

> I'd like to ask how certificates and their expiration are handled in
> mosquitto.
>
> Does mosquitto watch for changes to the certificate files defined in
> mosquitto.config?
>
> How are the cert files handled by mosquitto? Are they loaded to the memory
> at the start of mosquitto and the physical files are not considered any
> longer (until the mosquitto is restarted)?

That is my impression.

I find that when a cert is renewed, mosquitto must be restarted.

> What will happen to a running client on 15/1/2000? Does it stop getting data
> (since it is using expired certs)?

It would arguably be correct for the *client* to close the connection to
the server at the expiration of the cert used to authenticate it, but I
haven't seen this happen.

My experience is that mosquitto continues using the old cert, even if
the new one has been in the filesystem for weeks. Connections that are
open stay open, and new connections fail. Then I restart mosquitto and
all is ok.

> Do I need to restart mosquitto, so the new certificates are considered?

Please do the experiment and report your results.


It would be nice if mosquitto checked the cert file often enough for
this to work and re-read it. postfix seems to do this. Many other
programs do not.

Options could include:

stat certfile on every TLS negotiation

stat certfile hourly

something more complicated, like stat on TLS negotiation unless it was
checked within the last hour, but stat is pretty cheap
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
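The third option Greg sketches above (stat the cert file on each TLS negotiation, but no more than once per hour, and re-read it only when it has changed) is small enough to show in full. The following is an added example written for this page, not mosquitto's own code: the cert file, the reload hook and the clock are stand-ins, the PEM contents are constructed placeholders, and the hour-long interval is simply the value from Greg's message. It also covers the "stat on every negotiation" option by setting `min_interval=0`, and it treats a momentarily missing file (a renewal tool writing a new file and renaming it over the old one) as "no change" rather than tearing down the existing certificate.

```python
"""Reload-on-change check for a TLS certificate file.

Added example, not mosquitto code. Implements "stat the certfile on each TLS
negotiation unless it was checked within the last min_interval seconds, and
re-read it only when the file has changed", as discussed in the thread.
The broker's reload hook and the clock are injected so the logic can be
exercised without a real TLS listener.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Fingerprint = Tuple[int, int, int]  # (inode, size, mtime in ns)


def fingerprint(path: str) -> Fingerprint:
    """Identify the on-disk cert with a single stat(); no file contents are read."""
    st = os.stat(path)
    return (st.st_ino, st.st_size, st.st_mtime_ns)


@dataclass
class CertReloader:
    certfile: str
    on_reload: Callable[[bytes], None]           # receives the new PEM bytes (assumed hook)
    min_interval: float = 3600.0                 # seconds between stat() calls; 0 = every negotiation
    clock: Callable[[], float] = time.monotonic  # injectable for tests
    _seen: Optional[Fingerprint] = field(default=None, init=False)
    _last_check: float = field(default=float("-inf"), init=False)

    def __post_init__(self) -> None:
        # Load once at start-up, which is all the broker in the thread does today.
        self._load()

    def _load(self) -> None:
        with open(self.certfile, "rb") as f:
            pem = f.read()
        self._seen = fingerprint(self.certfile)
        self.on_reload(pem)

    def maybe_reload(self) -> bool:
        """Call from the TLS accept path. Returns True if the cert was re-read."""
        now = self.clock()
        if now - self._last_check < self.min_interval:
            return False                         # checked recently: skip the stat()
        self._last_check = now
        try:
            current = fingerprint(self.certfile)
        except FileNotFoundError:
            # Renewal tools commonly write a new file and rename it over the old
            # one; a transient ENOENT must not drop the certificate already loaded.
            return False
        if current == self._seen:
            return False
        self._load()
        return True


def demo() -> Tuple[List[bool], List[bytes]]:
    """Simulate a renewal between negotiations; returns (reload flags, certs loaded)."""
    flags: List[bool] = []
    loaded: List[bytes] = []
    fake_now = [0.0]                             # controllable clock for the example
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.crt")
        with open(path, "wb") as f:              # constructed placeholder, not a real cert
            f.write(b"-----BEGIN CERTIFICATE-----\nOLD\n-----END CERTIFICATE-----\n")
        r = CertReloader(path,
                         on_reload=lambda pem: loaded.append(pem.split(b"\n")[1]),
                         min_interval=3600.0,
                         clock=lambda: fake_now[0])
        flags.append(r.maybe_reload())           # t=0: file unchanged -> False
        # Renewal: write the new cert and atomically rename it into place.
        tmp = path + ".new"
        with open(tmp, "wb") as f:
            f.write(b"-----BEGIN CERTIFICATE-----\nRENEWED\n-----END CERTIFICATE-----\n")
        os.replace(tmp, path)
        fake_now[0] = 10.0
        flags.append(r.maybe_reload())           # within the hour: throttled -> False
        fake_now[0] = 3601.0
        flags.append(r.maybe_reload())           # past the hour: change seen -> True
    return flags, loaded


if __name__ == "__main__":
    print(demo())
```

The fingerprint deliberately includes the inode, so an atomic rename (new inode) is detected even on filesystems with coarse mtime resolution; comparing only mtime would miss a renewal that lands within the same timestamp tick.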