
mosquitto-users team mailing list archive

Re: Recommended setup for supporting lots of external clients


Ok, thanks Darren.
I will start playing around with it :)


Alfonso


2013/11/27 Darren Clark <dclark@xxxxxxxxxxxxx>

> Alfonso,
>
> Exactly, no password file needed. Mosquitto will accept any cert signed
> by its CA key and derive the uname from the CN.
>
> I can't verify right now, but I'm pretty sure you can use different client
> ids with the same cert and not disconnect each other. As far as I can
> recall from the Mosquitto code those are separate. Roger? I'm sure you
> would know. :)
>
> The issue with using the same cert but different client ids is that you
> can't revoke access from individual devices/sensors. It was fairly trivial
> with PHP and openssl to generate individual certs, and since they're signed
> by the CA key the server doesn't need to keep them, only revoked ones.
>
> -Darren
>  On Nov 26, 2013 7:32 PM, "Alfonso Pantoja" <alfonso.pantoja@xxxxxxxxx>
> wrote:
>
>> Darren,
>>
>> That setup is very interesting.
>>
>> 1. If I'm not wrong then parameter "use_identity_as_username" should be
>> set to "true" so the password file wouldn't be used.
>> Also I suppose the device registration process would issue certs using
>> the broker's CA cert.
>>
>> But how does the registration process relate "username" (in cert CN
>> field) with a broker username? I mean if I generate a cert on my machine
>> with CN=myusername and then I try to connect to the mosquitto server how
>> can the broker check this is a valid user?
>> Or does it accept all certs signed by its CA and get the CN as username and
>> no coding is needed?
>>
>> 2. Good point.
>>
>> 3. In that scenario all devices will have different credentials but what
>> would happen if several devices use the same cert?
>>
>>
>>
>> Alfonso
>>
>>
>>
>>
>>
>> 2013/11/27 Darren Clark <dclark@xxxxxxxxxxxxx>
>>
>>> Alfonso,
>>>
>>> I'd be interested to see other people's ideas, but here is how I set up
>>> our system:
>>>
>>> 1. Configure the server to require client authentication with a
>>> certificate, and to use the CN as the username.
>>> 2. Configure the ACL such that clients are restricted to a device/%u/#
>>> wildcard.
>>> 3. Set up a registration system that will validate new devices and issue
>>> certs on demand.
>>>
>>> Works well so far (fingers crossed).
>>>
>>> -Darren
>>> On Nov 26, 2013 6:41 PM, "Alfonso Pantoja" <alfonso.pantoja@xxxxxxxxx>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been reading the mosquitto documentation about security and I'm a
>>>> bit confused about what would be the best setup for supporting a huge
>>>> number of clients trying to keep the system as simple as possible.
>>>>
>>>> To be more specific imagine a scenario with a broker exposed to the
>>>> internet which is being accessed by third party products/code (i.e: devices
>>>> sending temperature data).
>>>> Let's say that users of this system could have lots of devices and
>>>> wanted to connect them to the broker.
>>>>
>>>> In a perfect (and secure) world all those clients should have different
>>>> credentials but in reality this could be tricky because all devices should
>>>> be configured one by one and all credentials remembered/stored.
>>>>
>>>> If I'm not wrong the documentation states that it is recommended to use
>>>> different certificates for server, CA and clients so I suppose it is also
>>>> problematic using only one user/password in all people's devices or the
>>>> same PSK, right?
>>>>
>>>> In order to balance security and simplicity I'm wondering if the best
>>>> solution is to expose a broker to the internet and bridge it to a "private"
>>>> broker but I'm still confused about what kind of security should be
>>>> implemented in the "external broker".
>>>>
>>>> Any advice on this?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Alfonso
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mailing list: https://launchpad.net/~mosquitto-users
>>>> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~mosquitto-users
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>
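The broker setup Darren outlines in the quoted messages above (client certificate required, CN taken as the username, ACL confined to device/%u/#, one certificate per device issued by a registration step), written out as an added example; this is not code from the thread or from the Mosquitto project. It assumes openssl and Mosquitto are installed; the file paths and CNs are constructed, and the crlfile line is added to cover the per-device revocation point Darren raises.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Paths and CNs are constructed.
set -e

# Broker config: a TLS listener that demands a client certificate signed by
# our CA and uses the certificate CN as the MQTT username (no password file).
broker_conf() {
    cat <<'EOF'
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
require_certificate true
use_identity_as_username true
allow_anonymous false
acl_file /etc/mosquitto/acl
# Certificates revoked by the CA are rejected at connect time.
crlfile /etc/mosquitto/ca.crl
EOF
}

# ACL: each client may only publish/subscribe under device/<its own CN>/#.
# %u is replaced with the username, which here is the certificate CN.
acl_file() {
    cat <<'EOF'
pattern readwrite device/%u/#
EOF
}

# One-off CA for the broker. The broker only needs ca.crt (and the CRL);
# it never has to store the individual device certificates.
make_ca() {
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -key ca.key -days 3650 -subj "/CN=example-ca" -out ca.crt
}

# Minimal "registration" step: issue one certificate per device, CN = device id,
# so the ACL above confines that device to device/<device id>/#.
issue_device_cert() {
    dev="$1"
    openssl genrsa -out "$dev.key" 2048
    openssl req -new -key "$dev.key" -subj "/CN=$dev" -out "$dev.csr"
    openssl x509 -req -in "$dev.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$dev.crt"
}
```

Run `broker_conf > mosquitto.conf`, `acl_file > acl`, `make_ca`, then `issue_device_cert sensor-0001` for each registered device; a client presenting sensor-0001.crt is then limited to device/sensor-0001/#.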
