
mosquitto-users team mailing list archive

Re: Understanding how the mosquitto server uses SSL

 

Okay, would be much appreciated. It's mysterious to me!

Brian

-----Original Message-----
From: rogerlight@xxxxxxxxx [mailto:rogerlight@xxxxxxxxx] On Behalf Of Roger Light
Sent: Friday, November 22, 2013 4:15 AM
To: Brian Reinhold
Cc: mosquitto-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Mosquitto-users] Understanding how the mosquitto server uses SSL

Hi Brian,

I've been a bit busy with other things, I'll try and reply properly as soon as I can.

Regards,

Roger


On Wed, Nov 20, 2013 at 1:44 PM, Brian Reinhold <brianreinhold@xxxxxxxxxxxxxxxxxxx> wrote:
> (Sorry if this was sent twice; I think I had to join to post)
>
> To anyone who may understand how mosquitto implements TLS,
>
> Working on Windows 7:
>
> I have done a fair amount of work with TLS using many of the
> Java-based servers (and clients). Typically the setup is as follows
> when client authentication is NOT required:
>
> 1. On the server side one provides the server with a keystore file
>    containing the server’s private key and associated information such
>    that one can generate the server’s x509 certificate from it.
>
>    a. The keystore is typically encoded in a format (like jks or bks) and
>       locked with a password
>
> 2. On the client side one has a truststore containing the server’s
>    x509 certificate generated from the server’s private key
>
>    a. The truststore is likewise encoded in a format and locked with a
>       password
>
> For a test case one often accepts a self-signed certificate in the
> truststore. In operation one typically requires that the certificate
> be signed by a CA whose self-signed certificate is in the truststore
> before placing that certificate in the truststore.
>
> Now if client authentication is required the following is typically
> added
>
> 1. The server ALSO maintains a truststore that has trusted x509
>    certificates of clients that it trusts.
>
>    a. The truststore is likewise encoded in a format and locked with a
>       password
>
> 2. The client must now have a keystore file containing the client’s
>    private key and associated information such that one can generate the
>    server’s x509 certificate from it
>
>    a. The keystore is likewise encoded in a format and locked with a
>       password
>
> For testing a server and client being implemented by a single entity,
> all the x509 certificates are typically self-signed.
>
> The problem is that I do not see how to configure mosquitto to support
> the above scenario.
>
> 1. There is no means to specify the encoding format of the keystore or
>    truststore.
>
> 2. There is no means to specify the password to access the keystore or
>    truststore.
>
> I am not sure but it looks like mosquitto does not support the concept
> of a keystore and one must expose the server private key and server
> certificate as separate PEM files. For client authentication I am less
> sure. I see this text in the config file:
>
> “They both
> # define methods of accessing the PEM encoded Certificate
> # Authority certificates that have signed your server certificate
> # and that you wish to trust.
> # cafile defines the path to a file containing the CA certificates.”
>
> The statement “defines the path to a file containing the CA certificates”
> sounds like a standard truststore but the statement previous to it does not.
> If one is using self-signed certificates, does mosquitto require its
> own certificate in its truststore (typically a server truststore is
> NOT needed unless one is requiring client authentication)? Why does
> the server need to authenticate itself in any case? Given that, can I
> place my client certificate in that same truststore?
>
> In my case mosquitto is working as a broker for another server that
> requires client authentication and keystores and truststores are
> established on both the server and client sides. The protocol that
> the MQTT server is working under requires client authentication with
> the MQTT broker as well. The idea is to have the mosquitto broker
> point to at least the same truststore as the server; ideally the same
> keystore as well. Communication between the broker and the server is
> unsecure (they reside on the same machine). Would be even nicer if the
> broker (on the server side) were available as a library so it could be
> integrated into the server application!
>
> So in the end
>
> 1. Does mosquitto support the concept of keystores?
>
> 2. Does mosquitto support securing keystores with passwords?
>
> 3. How does mosquitto support truststores? (It does not appear to be
>    like the standard web browsers.)
>
> Clarification and/or any help is greatly appreciated!!!
>
> Brian Reinhold
>     LNI
>     tel 603 868 8411 x207
>     brianreinhold@xxxxxxxxxxxxxxxxxxx
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help   : https://help.launchpad.net/ListHelp
>


-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4158 / Virus Database: 3629/6856 - Release Date: 11/21/13




