mosquitto-users team mailing list archive

Re: Recommended setup for supporting lots of external clients


Darren,

That setup is very interesting.

1. If I'm not wrong, then the parameter "use_identity_as_username" should be set
to "true" so the password file wouldn't be used.
Also I suppose the device registration process would issue certs using the
broker's CA cert.

But how does the registration process relate the "username" (in the cert CN field)
to a broker username? I mean, if I generate a cert on my machine with
CN=myusername and then try to connect to the mosquitto server, how can the
broker check that this is a valid user?
Or does it accept all certs signed by its CA and take the CN as the username, so no
coding is needed?

2. Good point.

3. In that scenario all devices will have different credentials, but what
would happen if several devices use the same cert?


Alfonso

2013/11/27 Darren Clark <dclark@xxxxxxxxxxxxx>

> Alfonso,
>
> I'd be interested to see other people's ideas, but here is how I set up
> our system:
>
> 1. Configure the server to require client authentication with a
> certificate, and to use the CN as the username.
> 2. Configure the ACL such that clients are restricted to a device/%u/#
> wildcard.
> 3. Set up a registration system that will validate new devices and issue
> certs on demand.
>
> Works well so far (fingers crossed).
>
> -Darren
> On Nov 26, 2013 6:41 PM, "Alfonso Pantoja" <alfonso.pantoja@xxxxxxxxx>
> wrote:
>
>> Hi,
>>
>> I've been reading the mosquitto documentation about security and I'm a
>> bit confused about what would be the best setup for supporting a huge
>> number of clients trying to keep the system as simple as possible.
>>
>> To be more specific, imagine a scenario with a broker exposed to the
>> internet which is being accessed by third-party products/code (i.e. devices
>> sending temperature data).
>> Let's say that users of this system could have lots of devices and wanted
>> to connect them to the broker.
>>
>> In a perfect (and secure) world all those clients should have different
>> credentials, but in reality this could be tricky because all devices would
>> have to be configured one by one and all credentials remembered/stored.
>>
>> If I'm not wrong, the documentation states that it is recommended to use
>> different certificates for server, CA and clients, so I suppose it is also
>> problematic to use only one user/password in all people's devices, or the
>> same PSK, right?
>>
>> In order to balance security and simplicity I'm wondering if the best
>> solution is to expose a broker to the internet and bridge it to a "private"
>> broker but I'm still confused about what kind of security should be
>> implemented in the "external broker".
>>
>> Any advice on this?
>>
>> Thanks in advance,
>>
>> Alfonso
>>
>> --
>> Mailing list: https://launchpad.net/~mosquitto-users
>> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~mosquitto-users
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
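Darren's three steps above, worked through as an added example that is not part of the thread (it is neither the posters' code nor Mosquitto's own source): a small Python model of the access decisions the broker makes once `require_certificate true` and `use_identity_as_username true` are set and the ACL file carries `pattern readwrite device/%u/#`. With that configuration the broker accepts any client certificate that validates against `cafile` and uses its CN as the username, so the "is this a valid user" decision is made when the registration system issues the certificate (and, through `crlfile`, when it revokes one), not at connect time; the ACL then confines each CN to its own `device/<CN>/#` subtree. The script expands the pattern for CN-derived usernames, applies MQTT wildcard matching, and shows what copying one certificate onto several devices means for the third question: they present the same CN, so each can publish into the other's namespace. The configuration comment at the top, the topic-matching code, the `cross_access` helper and the sample device names are assumptions of this example; it treats the CN as an opaque string, so in a real deployment the registration system also has to control which CNs it will ever issue.

```python
"""
Model of the Mosquitto access decisions behind the setup discussed above.

Assumed broker configuration (mosquitto.conf), written from the thread's
description and not copied from any real deployment:

    listener 8883
    cafile   /etc/mosquitto/ca.crt       # CA the registration system issues device certs from
    certfile /etc/mosquitto/broker.crt
    keyfile  /etc/mosquitto/broker.key
    require_certificate true             # client must present a cert that validates against cafile
    use_identity_as_username true        # cert CN becomes the username; password_file is not consulted
    acl_file /etc/mosquitto/acl

Assumed ACL file, mirroring Darren's step 2:

    pattern readwrite device/%u/#

Nothing here contacts a broker; it reproduces the pattern expansion and the
MQTT topic-matching rule so the consequences can be checked offline.
"""

# (access, pattern) pairs as they would appear in the ACL file (constructed)
ACL_PATTERNS = [("readwrite", "device/%u/#")]


def expand_pattern(pattern: str, username: str, client_id: str = "") -> str:
    """Substitute %u (username, here the cert CN) and %c (client id) like Mosquitto's pattern ACLs."""
    return pattern.replace("%u", username).replace("%c", client_id)


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT wildcard matching: '+' matches exactly one level, a trailing '#'
    matches the remainder of the topic, including zero further levels."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def is_allowed(username: str, access: str, topic: str, acl=ACL_PATTERNS) -> bool:
    """Return True if some ACL rule grants `access` ('read' or 'write') on `topic`.
    With an acl_file in place Mosquitto denies anything no rule matches, so the
    default here is False."""
    for granted, pattern in acl:
        if granted not in ("readwrite", access):
            continue
        if topic_matches(expand_pattern(pattern, username), topic):
            return True
    return False


def cross_access(devices: dict) -> set:
    """devices maps a device label to the CN its certificate carries (constructed values).
    Each device publishes under device/<own CN>/...; return the (writer, other) pairs
    where one device's credentials can also write into another device's subtree.
    Devices that share a certificate share a CN, so they show up here."""
    pairs = set()
    for writer, writer_cn in devices.items():
        for other, other_cn in devices.items():
            if writer == other:
                continue
            if is_allowed(writer_cn, "write", f"device/{other_cn}/temperature"):
                pairs.add((writer, other))
    return pairs


if __name__ == "__main__":
    # Per-device certificates: each CN is confined to its own subtree.
    print(is_allowed("device001", "write", "device/device001/temperature"))  # True
    print(is_allowed("device001", "write", "device/device002/temperature"))  # False
    print(is_allowed("device001", "read", "system/status"))                 # False
    # One certificate copied onto two devices: same CN, same ACL scope.
    print(cross_access({"sensor-A": "shared", "sensor-B": "shared"}))
    print(cross_access({"sensor-A": "device001", "sensor-B": "device002"}))
```

The model also makes the limit of the approach visible: the ACL is only as good as the uniqueness of the CNs, so the per-device issuance in Darren's step 3 is what turns "any cert signed by our CA" into "this device may only touch its own topics".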
