Re: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?

Hi Roger,

Thanks a lot for your reply. No worries, please feel free to advise if anyone else could be the best person to discuss the TPM support on Windows.  Ben from the mailing list also offered some advice, so I'll spend some time on that.  Otherwise, have a great weekend!

Thanks and Regards,
Terry

From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
Sent: Saturday, August 13, 2022 3:01 AM
To: General development discussions for the mosquitto project <mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?
 
Hi Terry,

Sorry for not replying earlier - this isn't an area I have a great
deal of experience in. I've been looking into it but don't think I can
offer any solid advice.

If you do get it all working, please let us know what you did.

Regards,

Roger

On Thu, 11 Aug 2022 at 22:05, <terryatsnort@xxxxxxxxxxx> wrote:
>
> Dear the team,
>
> Just wondering if anyone could help on configuring Mosquitto to use Windows TPM?
>
> Thanks and Regards,
> Terry
> ________________________________
> From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Didi Key <terryatsnort@xxxxxxxxxxx>
> Sent: Monday, August 1, 2022 11:12 AM
> To: mosquitto-dev@xxxxxxxxxxx <mosquitto-dev@xxxxxxxxxxx>
> Subject: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?
>
> Dear the team,
>
> G'day!
>
> Here I'd like your help to find out:
>
> if Mosquitto v2.0.14 supports using TPM as OpenSSL's engine on Windows, when TLS is required?
> if yes, then how to configure the broker (for telling Mosquitto to load private key information from TPM instead of a local private key file)?
>
> I noticed that related change (of support TPM) was introduced in Aug 2018, by this commit:
>
> Author:            Nicolás Pernas Maradei <nicopernas@xxxxxxxxx>
> Author date:      4 years ago (12/08/2018 2:57:58 AM)
> Committer:        Roger A. Light <roger@xxxxxxxxxx>
> Commit date:      3 years ago (27/02/2019 2:50:37 AM)
> Commit hash:      20894fcbce661d50f77c49b132dedea4cdc1f5a0
> Parent:                 d5f039ec
>
> The change is to allow using the following options in the configuration file to load the private key (instead of reading a private key file on the disk)
>
> https://mosquitto.org/man/mosquitto-conf-5.html
> keyfile file path
>
> Path to the PEM encoded server key. This option and certfile must be present to enable certificate based TLS encryption.
>
> The private key pointed to by this option will be reloaded when Mosquitto receives a SIGHUP signal. This can be used to load new keys prior to the existing ones expiring.
>
> require_certificate [ true | false ]
>
> By default an SSL/TLS enabled listener will operate in a similar fashion to a https enabled web server, in that the server has a certificate signed by a CA and the client will verify that it is a trusted certificate. The overall aim is encryption of the network traffic. By setting require_certificate to true, a client connecting to this listener must provide a valid certificate in order for the network connection to proceed. This allows access to the broker to be controlled outside of the mechanisms provided by MQTT.
>
> tls_engine engine
>
> A valid openssl engine id. These can be listed with openssl engine command.
>
> tls_engine_kpass_sha1 engine_kpass_sha1
>
> SHA1 of the private key password when using a TLS engine. Some TLS engines such as the TPM engine may require the use of a password in order to be accessed. This option allows a hex encoded SHA1 hash of the password to be passed to the engine directly, instead of the user being prompted for the password.
>
> tls_keyform [ pem | engine ]
>
> Specifies the type of private key in use when making TLS connections. This can be "pem" or "engine". This parameter is useful when a TPM module is being used and the private key has been created with it. Defaults to "pem", which means normal private key files are used.
>
>
> Though, I couldn't find any detailed instructions on the internet (or in the mailing list here); has anyone done a similar setup on Windows using TPM? I'd like to understand more for the questions below:
>
> How to set OpenSSL engine to use TPM as its engine?
> Do we need any 3rd party component to enable Mosquitto using TPM?
> Like this one: https://github.com/tpm2-software/tpm2-openssl "Provider for integration of TPM 2.0 to OpenSSL 3.0"
> But this supports OpenSSL v3.0 only
> If everything works, then what should be specified for the "keyfile" option?
> The source code indicates that we need to pass in this information, but what should it be when using TPM?
>
> https://github.com/eclipse/mosquitto/blob/master/src/net.c#L548
>
> Any advice on this is really appreciated; or if not using TPM, how do you protect the private key file (as best practice) when using TLS? Thank you very much!
>
> Thanks and Regards,
> Terry
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
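The thread quotes the listener options (keyfile, require_certificate, tls_engine, tls_engine_kpass_sha1, tls_keyform) but never shows them combined. The script below is an added example, not code from the thread or from the Mosquitto project. It renders the two listener variants side by side: the default where keyfile is a PEM file on disk, and the engine-backed variant where tls_keyform is engine and keyfile is handed to the engine as a key reference (the net.c call Terry points at is where that value is passed; how the engine interprets it is engine-specific, so the value used here is a placeholder). It also computes the hex SHA1 that tls_engine_kpass_sha1 expects from a constructed sample password. The engine id, paths and password are placeholders; the shell is only used to write text, so the resulting config is the same on Windows.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Mosquitto project).
# Assumptions: sha1sum or the openssl CLI is available; engine id, key
# reference and file paths are placeholders to be replaced for a real deployment.
set -eu

# Hex SHA1 of the engine key password, the format tls_engine_kpass_sha1 takes.
# printf '%s' is used so no trailing newline is hashed (that would change the digest).
kpass_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | awk '{ print $NF }'
    fi
}

# Render one TLS listener block for mosquitto.conf.
#   $1 keyform  : "pem" (key file on disk) or "engine" (key held by the TLS engine)
#   $2 keyfile  : PEM path for "pem"; for "engine" the value is passed to the engine as the key id
#   $3 engine   : openssl engine id, required for "engine" (see `openssl engine`)
#   $4 kpass    : optional hex SHA1 of the engine key password
render_listener() {
    keyform=$1; keyfile=$2; engine=${3:-}; kpass=${4:-}
    printf 'listener 8883\n'
    printf 'cafile /etc/mosquitto/ca.crt\n'          # placeholder path
    printf 'certfile /etc/mosquitto/server.crt\n'    # placeholder path
    printf 'keyfile %s\n' "$keyfile"
    printf 'require_certificate true\n'              # mutual TLS: clients must present a cert
    printf 'tls_keyform %s\n' "$keyform"
    if [ "$keyform" = engine ]; then
        # Without an engine id the broker has nowhere to load the key from.
        [ -n "$engine" ] || { echo 'tls_keyform engine requires tls_engine' >&2; return 1; }
        printf 'tls_engine %s\n' "$engine"
        [ -z "$kpass" ] || printf 'tls_engine_kpass_sha1 %s\n' "$kpass"
    fi
}

main() {
    echo '# --- default: private key as a PEM file on disk ---'
    render_listener pem /etc/mosquitto/server.key
    echo
    echo '# --- engine-backed: private key never leaves the TPM ---'
    # "ENGINE_ID_PLACEHOLDER" and the key reference are stand-ins, not real values.
    render_listener engine 'KEY_REFERENCE_PLACEHOLDER' 'ENGINE_ID_PLACEHOLDER' "$(kpass_sha1 'abc')"
}

# Only run main when executed directly, so the functions can also be sourced.
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || main
```

Usage: `sh render-listener.sh > listener.conf` (file name assumed). In the engine variant the key material stays inside the TPM; what lands on disk is the key reference and the SHA1 of the engine password, and since that hash is exactly what the broker presents to the engine, the config file needs the same filesystem protection as a PEM key would.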
