
mosquitto-users team mailing list archive

Re: Recommended setup for supporting lots of external clients


Alfonso,

Exactly, no password file needed. Mosquitto will accept any cert signed by
the CA key and derive the uname from the CN.

I can't verify right now, but I'm pretty sure you can use different client
ids with the same cert and not disconnect each other. As far as I can
recall from the Mosquitto code those are separate. Roger? I'm sure you
would know. :)

The issue with using the same cert but different client ids is that you
can't revoke access from individual devices/sensors. It was fairly trivial
with PHP and openssl to generate individual certs, and since they're signed
by the CA key the server doesn't need to keep them, only revoked ones.

-Darren
On Nov 26, 2013 7:32 PM, "Alfonso Pantoja" <alfonso.pantoja@xxxxxxxxx>
wrote:

> Darren,
>
> That setup is very interesting.
>
> 1. If I'm not wrong then the parameter "use_identity_as_username" should be
> set to "true" so the password file wouldn't be used.
> Also I suppose the device registration process would issue certs using the
> broker's CA cert.
>
> But how does the registration process relate "username" (in the cert CN field)
> with a broker username? I mean, if I generate a cert on my machine with
> CN=myusername and then I try to connect to the mosquitto server, how can the
> broker check this is a valid user?
> Or does it accept all certs signed by its CA and take the CN as username, so no
> coding is needed?
>
> 2. Good point.
>
> 3. In that scenario all devices will have different credentials, but what
> would happen if several devices use the same cert?
>
> Alfonso
>
> 2013/11/27 Darren Clark <dclark@xxxxxxxxxxxxx>
>
>> Alfonso,
>>
>> I'd be interested to see other people's ideas, but here is how I set up
>> our system:
>>
>> 1. Configure the server to require client authentication with a
>> certificate, and to use the CN as the username.
>> 2. Configure the ACL such that clients are restricted to a device/%u/#
>> wildcard.
>> 3. Set up a registration system that will validate new devices and issue
>> certs on demand.
>>
>> Works well so far (fingers crossed)
>>
>> -Darren
>> On Nov 26, 2013 6:41 PM, "Alfonso Pantoja" <alfonso.pantoja@xxxxxxxxx>
>> wrote:
>>
>>> Hi,
>>>
>>> I've been reading the mosquitto documentation about security and I'm a
>>> bit confused about what would be the best setup for supporting a huge
>>> number of clients trying to keep the system as simple as possible.
>>>
>>> To be more specific, imagine a scenario with a broker exposed to the
>>> internet which is being accessed by third-party products/code (i.e. devices
>>> sending temperature data).
>>> Let's say that users of this system could have lots of devices and
>>> wanted to connect them to the broker.
>>>
>>> In a perfect (and secure) world all those clients should have different
>>> credentials, but in reality this could be tricky because all devices would
>>> have to be configured one by one and all credentials remembered/stored.
>>>
>>> If I'm not wrong the documentation states that it is recommended to use
>>> different certificates for server, CA and clients, so I suppose it is also
>>> problematic to use only one user/password in all people's devices, or the
>>> same PSK, right?
>>>
>>> In order to balance security and simplicity I'm wondering if the best
>>> solution is to expose a broker to the internet and bridge it to a "private"
>>> broker but I'm still confused about what kind of security should be
>>> implemented in the "external broker".
>>>
>>> Any advice on this?
>>>
>>> Thanks in advance,
>>>
>>> Alfonso
>>>
>>> --
>>> Mailing list: https://launchpad.net/~mosquitto-users
>>> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~mosquitto-users
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>
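The listener and ACL configuration matching the setup Darren describes (client-certificate authentication, CN used as the username, each device confined to its own `device/<username>/#` subtree, revocation via a CRL rather than a stored list of valid certs). This is an added example, not configuration posted in the thread; the file paths and the port are assumptions.

```conf
# /etc/mosquitto/mosquitto.conf (assumed path)
# TLS listener that authenticates devices by client certificate.
listener 8883

# CA that signs the device certificates; the broker only needs this,
# not a copy of every issued cert.
cafile /etc/mosquitto/certs/ca.crt

# The broker's own certificate and key, issued separately from the CA
# key (the documentation's "different certificates for server, CA and
# clients" recommendation).
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# Revocation list: only revoked device certs have to be tracked here,
# which is what lets you cut off an individual device or sensor.
crlfile /etc/mosquitto/certs/ca.crl

# Reject any client that does not present a certificate signed by cafile.
require_certificate true

# Use the certificate's CN as the MQTT username, so no password_file
# is needed for these devices.
use_identity_as_username true

allow_anonymous false
acl_file /etc/mosquitto/aclfile

# /etc/mosquitto/aclfile (assumed path)
# %u expands to the username, i.e. the certificate CN, so a device with
# CN=sensor-0042 can only publish and subscribe under device/sensor-0042/.
pattern readwrite device/%u/#
```

Note that `require_certificate` and `use_identity_as_username` apply per listener, so a separate internal listener (for example the one a bridge to a "private" broker connects through) can keep its own authentication settings.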
