mosquitto-users team mailing list archive

Re: Understanding how the mosquitto server uses SSL

Hi Brian,

I've been a bit busy with other things, I'll try and reply properly as
soon as I can.

Regards,

Roger


On Wed, Nov 20, 2013 at 1:44 PM, Brian Reinhold
<brianreinhold@xxxxxxxxxxxxxxxxxxx> wrote:
> (Sorry if this was sent twice; I think I had to join to post)
>
> To anyone who may understand how mosquitto implements TLS,
>
> Working on Windows 7:
>
> I have done a fair amount of work with TLS using many of the Java-based
> servers (and clients). Typically the setup is as follows when client
> authentication is NOT required:
>
> 1. On the server side one provides the server with a keystore file
> containing the server’s private key and associated information such that one
> can generate the server’s x509 certificate from it.
>
>    a. The keystore is typically encoded in a format (like jks or bks) and
>    locked with a password
>
> 2. On the client side one has a truststore containing the server’s
> x509 certificate generated from the server’s private key
>
>    a. The truststore is likewise encoded in a format and locked with a
>    password
>
> For a test case one often accepts a self-signed certificate in the
> truststore. In operation one typically requires that the certificate be
> signed by a CA whose self-signed certificate is in the truststore before
> placing that certificate in the truststore.
>
> Now if client authentication is required the following is typically added
>
> 1. The server ALSO maintains a truststore that has trusted x509
> certificates of clients that it trusts.
>
>    a. The truststore is likewise encoded in a format and locked with a
>    password
>
> 2. The client must now have a keystore file containing the client’s
> private key and associated information such that one can generate the
> server’s x509 certificate from it
>
>    a. The keystore is likewise encoded in a format and locked with a
>    password
>
> For testing a server and client being implemented by a single entity, all
> the x509 certificates are typically self-signed.
>
> The problem is that I do not see how to configure mosquitto to support the
> above scenario.
>
> 1. There is no means to specify the encoding format of the keystore or
> truststore.
>
> 2. There is no means to specify the password to access the keystore or
> truststore.
>
> I am not sure but it looks like mosquitto does not support the concept of a
> keystore and one must expose the server private key and server certificate
> as separate PEM files. For client authentication I am less sure. I see this
> text in the config file:
>
> “They both
> # define methods of accessing the PEM encoded Certificate
> # Authority certificates that have signed your server certificate
> # and that you wish to trust.
> # cafile defines the path to a file containing the CA certificates.”
>
> The statement “defines the path to a file containing the CA certificates”
> sounds like a standard truststore but the statement previous to it does not.
> If one is using self-signed certificates does mosquitto require its own
> certificate in its truststore (typically a server truststore is NOT needed
> unless one is requiring client authentication). Why does the server need to
> authenticate itself in any case? Given that can I place my client
> certificate in that same truststore?
>
> In my case mosquitto is working as a broker for another server that requires
> client authentication and keystores and truststores are established on both
> the server and client sides. The protocol that the MQTT server is working
> under requires client authentication with the MQTT broker as well. The idea
> is to have the mosquitto broker point to at least the same truststore as the
> server; ideally the same keystore as well. Communication between the broker
> and the server is unsecure (they reside on the same machine). Would be even
> nicer if the broker (on the server side) were available as a library so it
> could be integrated into the server application!
>
> So in the end
>
> 1. Does mosquitto support the concept of keystores?
>
> 2. Does mosquitto support securing keystores with passwords?
>
> 3. How does mosquitto support truststores? (It does not appear to be
> like the standard web browsers.)
>
> Clarification and/or any help is greatly appreciated!!!
>
> Brian Reinhold
> LNI
> tel 603 868 8411 x207
> brianreinhold@xxxxxxxxxxxxxxxxxxx
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help   : https://help.launchpad.net/ListHelp
>
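The keystore/truststore setup Brian describes, expressed the way mosquitto expects it, as an added example that is not part of this thread or of the mosquitto project: the broker key pair is exported from a Java keystore into the unencrypted PEM files mosquitto reads, the self-signed client certificates are concatenated into the cafile, and the listener is rendered with require_certificate. Assumed: a keystore named server.jks and its password, keytool and openssl on the PATH, and client certificates already available as PEM files (cafile is the option quoted in the post; require_certificate and use_identity_as_username are the companion mosquitto listener options).

```shell
#!/bin/sh
# Added example, not code from the thread or the mosquitto project.
# Assumptions: server.jks is a Java keystore holding the broker's key pair,
# keytool and openssl are on the PATH, and each client presents a
# self-signed certificate that is available to the broker as a PEM file.

# mosquitto has no keystore or keystore password: keyfile/certfile are plain
# PEM files. Export them from the JKS keystore via an intermediate PKCS12.
# Arguments: keystore path, keystore password. Writes broker.key and broker.crt.
keystore_to_pem() {
    ks="$1"; pw="$2"
    keytool -importkeystore -srckeystore "$ks" -srcstorepass "$pw" \
        -destkeystore broker.p12 -deststoretype PKCS12 -deststorepass "$pw"
    # -nodes: mosquitto needs the key unencrypted, so rely on file permissions
    openssl pkcs12 -in broker.p12 -passin "pass:$pw" -nocerts -nodes -out broker.key
    openssl pkcs12 -in broker.p12 -passin "pass:$pw" -nokeys -clcerts -out broker.crt
    chmod 600 broker.key
    rm -f broker.p12
}

# The broker's "truststore" is mosquitto's cafile: a concatenation of PEM
# certificates it accepts as issuers. With self-signed client certificates,
# each client certificate is its own issuer, so the cafile is simply all of
# them appended together. Arguments: output file, then client certificates.
build_cafile() {
    out="$1"; shift
    cat "$@" > "$out"
}

# Print the TLS listener section for mosquitto.conf. Arguments (optional):
# cafile, certfile, keyfile. require_certificate makes the broker demand and
# verify a client certificate against cafile; use_identity_as_username turns
# the certificate CN into the MQTT username so ACLs can be applied to it.
render_tls_listener() {
    cat <<EOF
listener 8883
cafile ${1:-trusted_clients.pem}
certfile ${2:-broker.crt}
keyfile ${3:-broker.key}
require_certificate true
use_identity_as_username true
EOF
}

# Usage: sh tls_setup.sh server.jks <keystore-password> client1.crt [client2.crt ...]
if [ $# -ge 3 ]; then
    keystore_to_pem "$1" "$2"; shift 2
    build_cafile trusted_clients.pem "$@"
    render_tls_listener > mosquitto_tls.conf
fi
```

The rendered section is appended to mosquitto.conf; the plaintext listener on 1883 can stay for the local, unsecured broker-to-server hop Brian describes.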

