
mosquitto-users team mailing list archive

Re: Understanding how the mosquitto server uses SSL

(Sorry if this was sent twice; I think I had to join to post)

To anyone who may understand how mosquitto implements TLS,

Working on Windows 7:

I have done a fair amount of work with TLS using many of the Java-based
servers (and clients). Typically the setup is as follows when client
authentication is NOT required:

1. On the server side one provides the server with a keystore file containing the server's private key and associated information such that one can generate the server's x509 certificate from it.

   a. The keystore is typically encoded in a format (like jks or bks) and locked with a password.

2. On the client side one has a truststore containing the server's x509 certificate generated from the server's private key.

   a. The truststore is likewise encoded in a format and locked with a password.

For a test case one often accepts a self-signed certificate in the truststore. In operation one typically requires that the certificate be signed by a CA whose self-signed certificate is in the truststore before placing that certificate in the truststore.

Now if client authentication is required the following is typically added

1. The server ALSO maintains a truststore that has trusted x509 certificates of clients that it trusts.

   a. The truststore is likewise encoded in a format and locked with a password.

2. The client must now have a keystore file containing the client's private key and associated information such that one can generate the server's x509 certificate from it.

   a. The keystore is likewise encoded in a format and locked with a password.

For testing a server and client being implemented by a single entity, all
the x509 certificates are typically self-signed.

The problem is that I do not see how to configure mosquitto to support the
above scenario.

1. There is no means to specify the encoding format of the keystore or truststore.

2. There is no means to specify the password to access the keystore or truststore.

I am not sure but it looks like mosquitto does not support the concept of a
keystore and one must expose the server private key and server certificate
as separate PEM files. For client authentication I am less sure. I see this
text in the config file:

"They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates."

The statement "defines the path to a file containing the CA certificates"
sounds like a standard truststore but the statement previous to it does not.
If one is using self-signed certificates, does mosquitto require its own
certificate in its truststore (typically a server truststore is NOT needed
unless one is requiring client authentication)? Why does the server need to
authenticate itself in any case? Given that, can I place my client
certificate in that same truststore?

In my case mosquitto is working as a broker for another server that requires
client authentication, and keystores and truststores are established on both
the server and client sides. The protocol that the MQTT server is working
under requires client authentication with the MQTT broker as well. The idea
is to have the mosquitto broker point to at least the same truststore as the
server; ideally the same keystore as well. Communication between the broker
and the server is insecure (they reside on the same machine). It would be even
nicer if the broker (on the server side) were available as a library so it
could be integrated into the server application!

So in the end

1. Does mosquitto support the concept of keystores?

2. Does mosquitto support securing keystores with passwords?

3. How does mosquitto support truststores? (It does not appear to be like the standard web browsers.)

Clarification and/or any help is greatly appreciated!!!

Brian Reinhold
LNI
tel 603 868 8411 x207
brianreinhold@xxxxxxxxxxxxxxxxxxx
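
As an added example, not taken from this post or from the mosquitto project: mosquitto's listener options are cafile, certfile, keyfile and require_certificate, and they take PEM files rather than a keystore, so the script below builds a small demo PKI, packs the client identity into a password-locked PKCS#12 keystore (the role jks/bks plays above), unpacks it into the PEM files mosquitto reads, and prints the matching listener fragment. It assumes the openssl CLI; all names and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or the mosquitto project). mosquitto has no
# keystore/truststore settings: cafile is the "truststore", certfile/keyfile
# are the broker's identity, and require_certificate turns on client auth.
# Requires the openssl CLI. Names and the password are constructed.
set -e

# $1 = working directory. Makes a CA, a broker cert and a client cert (both
# CA-signed), and a PKCS#12 keystore holding the client key, cert and CA.
make_demo_pki() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
      -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for n in broker client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/$n.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/$n.crt" 2>/dev/null
  done
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
      -certfile "$d/ca.crt" -out "$d/client.p12" -passout pass:changeit
}

# $1 = directory, $2 = keystore password. Splits the keystore into the three
# PEM files mosquitto can use (a JKS store would first be converted with
# keytool -importkeystore -deststoretype PKCS12). The password only protects
# the keystore at rest, so the unpacked key gets restrictive permissions.
unpack_keystore() {
  d=$1; p=$2
  openssl pkcs12 -in "$d/client.p12" -passin "pass:$p" -nocerts -nodes \
      -out "$d/client-from-store.key" 2>/dev/null
  openssl pkcs12 -in "$d/client.p12" -passin "pass:$p" -clcerts -nokeys \
      -out "$d/client-from-store.crt" 2>/dev/null
  openssl pkcs12 -in "$d/client.p12" -passin "pass:$p" -cacerts -nokeys \
      -out "$d/ca-from-store.crt" 2>/dev/null
  chmod 600 "$d"/*.key
}

# SHA-256 fingerprint of a PEM cert; used to check the unpacked copy matches.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Listener fragment for mosquitto.conf. require_certificate makes the broker
# demand a client certificate that chains to cafile (mutual TLS).
write_mosquitto_conf() {
  printf 'listener 8883\ncafile %s/ca.crt\ncertfile %s/broker.crt\n' "$1" "$1"
  printf 'keyfile %s/broker.key\nrequire_certificate true\n' "$1"
}
```

Point the client at ca.crt (its truststore) plus client-from-store.crt and client-from-store.key, and the broker verifies the client against the same CA that signed the broker certificate.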
