
mosquitto-users team mailing list archive

Re: Understanding how the mosquitto server uses SSL


On Mon, Dec 2, 2013 at 10:42 PM, Brian Reinhold
<brianreinhold@xxxxxxxxxxxxxxxxxxx> wrote:
> Thanks Roger,
>
> That does help. It whittles down the possibilities.
>
> So if I have a private key for the server (now in a keystore in jks
> format encrypted by a password) and a self signed X509 certificate
> from the client in my truststore (also in a truststore in jks format
> encrypted with a password), how would I set this up for Mosquitto?
> I can export the private key from the keystore in PEM format and I
> can do the same for the public certificate in the truststore.

Yes, this would work.

> The two files are sufficient for mutually authenticated TLS.

I disagree. How can the client trust the server without first knowing
something about it? It can't have the private key of the server, so
based on those two files the client does not know anything about the
server in advance.

> Somehow I get the impression that I need a third certificate
> minimum to work with Mosquitto, for example the public certificate
> matching the server's private key. (All my 'public' certificates at this
> time are self-signed).

That is correct, the client needs to know who to trust. In normal TLS
situations this would be a CA certificate and anything signed by that
certificate or chain, but a self-signed certificate should also work.

> If I have these two files now in PEM format, how would I configure
> Mosquitto to use them?

Set keyfile to your private key, generate a certificate to go with the
private key and set that as certfile. Concatenate the self-signed
server certificate and client certificate and use the result with the
cafile option.

> Can they be in the same directory?

Yes.

> Do I have to generate a public certificate from the server's private
> key (I can easily generate a self-signed certificate)?

Yes.

> Can all public certificates be self-signed?

Self-signed should be no problem, but I don't tend to look at it
because using my own fake CA is easy and a more useful test. If it
doesn't work it needs fixing, but I'm sure it is fine.

Cheers,

Roger
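
The setup Roger describes (keyfile, certfile, and a cafile that is the concatenation of the self-signed server and client certificates) as an added example, not code from this thread or from the Mosquitto project. It assumes the two PEM files have already been exported from the JKS stores; the certificate bodies and file paths below are constructed placeholders, and `require_certificate` is the standard mosquitto.conf option that actually enforces the client side of mutual TLS.

```python
import re
from typing import List

# Matches one PEM block and captures its type ("CERTIFICATE", "PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample PEM data; the base64 bodies are placeholders, not real keys.
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtU0VSVkVS\n-----END CERTIFICATE-----\n"
CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0xJRU5U\n-----END CERTIFICATE-----\n"
SERVER_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END PRIVATE KEY-----\n"


def pem_block_types(pem: str) -> List[str]:
    """Return the type of every PEM block in the text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def check_single_certificate(pem: str) -> None:
    """A file destined for cafile or certfile must hold exactly one certificate.

    This catches exporting the whole keystore by mistake, which would put the
    server's private key into a file the broker is meant to hand to clients."""
    kinds = pem_block_types(pem)
    if kinds != ["CERTIFICATE"]:
        raise ValueError("expected exactly one CERTIFICATE block, found %r" % (kinds,))


def build_cafile(server_cert: str, client_cert: str) -> str:
    """Concatenate the self-signed server and client certs into the cafile bundle."""
    bundle = ""
    for pem in (server_cert, client_cert):
        check_single_certificate(pem)
        bundle += pem if pem.endswith("\n") else pem + "\n"
    return bundle


def listener_config(cafile: str, certfile: str, keyfile: str, port: int = 8883) -> str:
    """Render the mosquitto.conf listener block for the three files.

    require_certificate is needed because without it the broker also accepts
    clients that present no certificate, so the link is not mutually authenticated."""
    return "\n".join([
        f"listener {port}",
        f"cafile {cafile}",
        f"certfile {certfile}",
        f"keyfile {keyfile}",
        "require_certificate true",
    ]) + "\n"


if __name__ == "__main__":
    print(build_cafile(SERVER_CERT, CLIENT_CERT))
    print(listener_config("/etc/mosquitto/ca.pem", "/etc/mosquitto/server.pem", "/etc/mosquitto/server.key"))
```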

