Enable TLS with certfile+keyfile, not capath/cafile.

This commit is contained in:
Roger A. Light 2020-09-23 23:31:00 +01:00
parent 5371bd09d1
commit 54b9571516
6 changed files with 59 additions and 39 deletions


@ -47,6 +47,8 @@ Broker:
functions, which can be used by plugins to disconnect clients.
- Add support for handling $CONTROL/ topics in plugins.
- Add support for PBKDF2-SHA512 password hashing.
- Enabling certificate based TLS encryption is now through certfile and
keyfile, not capath or cafile.
Client library:
- Client no longer generates random client ids for v3.1.1 clients, these are


@ -46,7 +46,7 @@
<para>The simplest option is to have no authentication at all. This is
the default if no other options are given. Unauthenticated
encrypted support is provided by using the certificate based
SSL/TLS based options cafile/capath, certfile and keyfile.</para>
SSL/TLS based options certfile and keyfile.</para>
<para>MQTT provides username/password authentication as part of the
protocol. Use the password_file option to define the valid
usernames and passwords. Be sure to use network encryption if you
@ -674,7 +674,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
<varlistentry>
<term><option>memory_limit</option> <replaceable>limit</replaceable></term>
<listitem>
<para>
<para>
This option sets the maximum number of heap memory bytes that the broker
will allocate, and hence sets a hard limit on memory use by the broker.
Memory requests that exceed this value will be denied. The effect will
@ -1228,7 +1228,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
<varlistentry>
<term><option>websockets_headers_size</option> <replaceable>size</replaceable></term>
<listitem>
<para>Change the websockets headers size. This is a
<para>Change the websockets headers size. This is a
global option, it is not possible to set per
listener. This option sets the size of the buffer
used in the libwebsockets library when reading HTTP
@ -1249,33 +1249,35 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
<varlistentry>
<term><option>cafile</option> <replaceable>file path</replaceable></term>
<listitem>
<para>At least one of <option>cafile</option> or
<option>capath</option> must be provided to enable
SSL support.</para>
<para><option>cafile</option> is used to define the
path to a file containing the PEM encoded CA
certificates that are trusted.</para>
certificates that are trusted when checking incoming
client certificates.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>capath</option> <replaceable>directory path</replaceable></term>
<listitem>
<para>At least one of <option>cafile</option> or
<option>capath</option> must be provided to enable
SSL support.</para>
<para><option>capath</option> is used to define a
directory that contains PEM encoded CA certificates
that are trusted. For <option>capath</option> to
that are trusted when checking incoming client
certificates. For <option>capath</option> to
work correctly, the certificates files must have
".pem" as the file ending and you must run
"openssl rehash &lt;path to capath&gt;" each time you
add/remove a certificate.</para>
"openssl rehash &lt;path to capath&gt;" each time
you add/remove a certificate.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>certfile</option> <replaceable>file path</replaceable></term>
<listitem>
<para>Path to the PEM encoded server certificate.</para>
<para>
Path to the PEM encoded server certificate. This
option and <option>keyfile</option> must be present
to enable certificate based TLS encryption.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -1312,7 +1314,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
<varlistentry>
<term><option>keyfile</option> <replaceable>file path</replaceable></term>
<listitem>
<para>Path to the PEM encoded keyfile.</para>
<para>
Path to the PEM encoded server key. This
option and <option>certfile</option> must be present
to enable certificate based TLS encryption.
</para>
</listitem>
</varlistentry>
<varlistentry>


@ -460,17 +460,8 @@
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath
# Both of certfile and keyfile must be defined to enable certificate based
# TLS encryption.
# Path to the PEM encoded server certificate.
#certfile
@ -478,7 +469,6 @@
# Path to the PEM encoded keyfile.
#keyfile
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
@ -505,6 +495,18 @@
# outside of the mechanisms provided by MQTT.
#require_certificate false
# cafile and capath define methods of accessing the PEM encoded
# Certificate Authority certificates that will be considered trusted when
# checking incoming client certificates.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
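Review bot: The relocated cafile/capath comment in the hunk at @ -505,6 +495,18 no longer tells the reader that one of them is still needed for require_certificate to verify anything; since this commit makes both optional for enabling TLS, the sample config should state the dependency explicitly, e.g. `# If require_certificate is true, at least one of cafile or capath must also be set, otherwise no client certificate can be verified.` Whether the broker falls back to a default trust store when neither is set is not visible here, so confirm before wording it as a hard failure. The same moved comment keeps `# certificate files must have ".crt" as the file ending` for capath, while the man page hunk in this commit says ".pem" for the same rule; the two files should agree on the extension.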


@ -454,17 +454,19 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
ENGINE *engine = NULL;
int rc;
rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
if(rc == 0){
if(listener->cafile && listener->capath){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
}else if(listener->cafile){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
}else{
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
if(listener->cafile || listener->capath){
rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
if(rc == 0){
if(listener->cafile && listener->capath){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
}else if(listener->cafile){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
}else{
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
}
net__print_ssl_error(NULL);
return 1;
}
net__print_ssl_error(NULL);
return 1;
}
if(listener->tls_engine){
#if !defined(OPENSSL_NO_ENGINE)
@ -761,7 +763,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
/* We need to have at least one working socket. */
if(listener->sock_count > 0){
#ifdef WITH_TLS
if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
if(listener->certfile && listener->keyfile){
if(net__tls_server_ctx(listener)){
return 1;
}
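Review bot: In net__tls_load_verify, `int rc;` at the top of the hunk is now assigned only inside the new `if(listener->cafile || listener->capath)` guard, so any later read of rc before it is reassigned becomes an uninitialized read for listeners without a CA; the rest of the function is outside the hunk, so please check its remaining uses or initialize it as `int rc = 0;`. Skipping SSL_CTX_load_verify_locations also means a listener with require_certificate set but neither cafile nor capath configured ends up with no explicitly loaded trust anchors; unless code outside this hunk already rejects that combination, logging it here (e.g. `log__printf(NULL, MOSQ_LOG_ERR, "Error: require_certificate is true but neither cafile nor capath is set.");`) would surface the misconfiguration at startup instead of as opaque handshake failures. The reload condition in mosquitto_security_apply_default in this commit drops its cafile/capath check too, so the same consideration applies there.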


@ -1051,7 +1051,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
#ifdef WITH_TLS
for(i=0; i<db->config->listener_count; i++){
listener = &db->config->listeners[i];
if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
if(listener && listener->ssl_ctx && listener->certfile && listener->keyfile && listener->crlfile && listener->require_certificate){
if(net__tls_server_ctx(listener)){
return 1;
}


@ -24,6 +24,7 @@ TEST_OBJS = test.o \
utf8.o
LIB_OBJS = memory_mosq.o \
memory_public.o \
misc_mosq.o \
packet_datatypes.o \
property_mosq.o \
@ -38,6 +39,7 @@ BRIDGE_TOPIC_TEST_OBJS = \
BRIDGE_TOPIC_OBJS = \
bridge_topic.o \
memory_mosq.o \
memory_public.o \
util_topic.o \
PERSIST_READ_TEST_OBJS = \
@ -46,6 +48,7 @@ PERSIST_READ_TEST_OBJS = \
PERSIST_READ_OBJS = \
memory_mosq.o \
memory_public.o \
misc_mosq.o \
packet_datatypes.o \
persist_read.o \
@ -64,6 +67,7 @@ PERSIST_WRITE_TEST_OBJS = \
PERSIST_WRITE_OBJS = \
database.o \
memory_mosq.o \
memory_public.o \
misc_mosq.o \
packet_datatypes.o \
persist_read.o \
@ -85,6 +89,7 @@ SUBS_TEST_OBJS = \
SUBS_OBJS = \
database.o \
memory_mosq.o \
memory_public.o \
subs.o \
topic_tok.o
@ -117,6 +122,9 @@ database.o : ../../src/database.c
memory_mosq.o : ../../lib/memory_mosq.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
memory_public.o : ../../src/memory_public.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
misc_mosq.o : ../../lib/misc_mosq.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^