Enable TLS with certfile+keyfile, not capath/cafile.
parent
5371bd09d1
commit
54b9571516
@ -47,6 +47,8 @@ Broker:
|
||||
functions, which can be used by plugins to disconnect clients.
|
||||
- Add support for handling $CONTROL/ topics in plugins.
|
||||
- Add support for PBKDF2-SHA512 password hashing.
|
||||
- Enabling certificate based TLS encryption is now through certfile and
|
||||
keyfile, not capath or cafile.
|
||||
|
||||
Client library:
|
||||
- Client no longer generates random client ids for v3.1.1 clients, these are
|
||||
|
@ -46,7 +46,7 @@
|
||||
<para>The simplest option is to have no authentication at all. This is
|
||||
the default if no other options are given. Unauthenticated
|
||||
encrypted support is provided by using the certificate based
|
||||
SSL/TLS based options cafile/capath, certfile and keyfile.</para>
|
||||
SSL/TLS based options certfile and keyfile.</para>
|
||||
<para>MQTT provides username/password authentication as part of the
|
||||
protocol. Use the password_file option to define the valid
|
||||
usernames and passwords. Be sure to use network encryption if you
|
||||
@ -674,7 +674,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
|
||||
<varlistentry>
|
||||
<term><option>memory_limit</option> <replaceable>limit</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
<para>
|
||||
This option sets the maximum number of heap memory bytes that the broker
|
||||
will allocate, and hence sets a hard limit on memory use by the broker.
|
||||
Memory requests that exceed this value will be denied. The effect will
|
||||
@ -1228,7 +1228,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
|
||||
<varlistentry>
|
||||
<term><option>websockets_headers_size</option> <replaceable>size</replaceable></term>
|
||||
<listitem>
|
||||
<para>Change the websockets headers size. This is a
|
||||
<para>Change the websockets headers size. This is a
|
||||
global option, it is not possible to set per
|
||||
listener. This option sets the size of the buffer
|
||||
used in the libwebsockets library when reading HTTP
|
||||
@ -1249,33 +1249,35 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
|
||||
<varlistentry>
|
||||
<term><option>cafile</option> <replaceable>file path</replaceable></term>
|
||||
<listitem>
|
||||
<para>At least one of <option>cafile</option> or
|
||||
<option>capath</option> must be provided to enable
|
||||
SSL support.</para>
|
||||
<para><option>cafile</option> is used to define the
|
||||
path to a file containing the PEM encoded CA
|
||||
certificates that are trusted.</para>
|
||||
certificates that are trusted when checking incoming
|
||||
client certificates.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>capath</option> <replaceable>directory path</replaceable></term>
|
||||
<listitem>
|
||||
<para>At least one of <option>cafile</option> or
|
||||
<option>capath</option> must be provided to enable
|
||||
SSL support.</para>
|
||||
<para><option>capath</option> is used to define a
|
||||
directory that contains PEM encoded CA certificates
|
||||
that are trusted. For <option>capath</option> to
|
||||
that are trusted when checking incoming client
|
||||
certificates. For <option>capath</option> to
|
||||
work correctly, the certificates files must have
|
||||
".pem" as the file ending and you must run
|
||||
"openssl rehash <path to capath>" each time you
|
||||
add/remove a certificate.</para>
|
||||
"openssl rehash <path to capath>" each time
|
||||
you add/remove a certificate.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><option>certfile</option> <replaceable>file path</replaceable></term>
|
||||
<listitem>
|
||||
<para>Path to the PEM encoded server certificate.</para>
|
||||
<para>
|
||||
Path to the PEM encoded server certificate. This
|
||||
option and <option>keyfile</option> must be present
|
||||
to enable certificate based TLS encryption.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@ -1312,7 +1314,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
|
||||
<varlistentry>
|
||||
<term><option>keyfile</option> <replaceable>file path</replaceable></term>
|
||||
<listitem>
|
||||
<para>Path to the PEM encoded keyfile.</para>
|
||||
<para>
|
||||
Path to the PEM encoded server key. This
|
||||
option and <option>certfile</option> must be present
|
||||
to enable certificate based TLS encryption.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
|
@ -460,17 +460,8 @@
|
||||
# support" section. Only one of certificate or PSK encryption support can be
|
||||
# enabled for any listener.
|
||||
|
||||
# At least one of cafile or capath must be defined to enable certificate based
|
||||
# TLS encryption. They both define methods of accessing the PEM encoded
|
||||
# Certificate Authority certificates that have signed your server certificate
|
||||
# and that you wish to trust.
|
||||
# cafile defines the path to a file containing the CA certificates.
|
||||
# capath defines a directory that will be searched for files
|
||||
# containing the CA certificates. For capath to work correctly, the
|
||||
# certificate files must have ".crt" as the file ending and you must run
|
||||
# "openssl rehash <path to capath>" each time you add/remove a certificate.
|
||||
#cafile
|
||||
#capath
|
||||
# Both of certfile and keyfile must be defined to enable certificate based
|
||||
# TLS encryption.
|
||||
|
||||
# Path to the PEM encoded server certificate.
|
||||
#certfile
|
||||
@ -478,7 +469,6 @@
|
||||
# Path to the PEM encoded keyfile.
|
||||
#keyfile
|
||||
|
||||
|
||||
# If you wish to control which encryption ciphers are used, use the ciphers
|
||||
# option. The list of available ciphers can be optained using the "openssl
|
||||
# ciphers" command and should be provided in the same format as the output of
|
||||
@ -505,6 +495,18 @@
|
||||
# outside of the mechanisms provided by MQTT.
|
||||
#require_certificate false
|
||||
|
||||
# cafile and capath define methods of accessing the PEM encoded
|
||||
# Certificate Authority certificates that will be considered trusted when
|
||||
# checking incoming client certificates.
|
||||
# cafile defines the path to a file containing the CA certificates.
|
||||
# capath defines a directory that will be searched for files
|
||||
# containing the CA certificates. For capath to work correctly, the
|
||||
# certificate files must have ".crt" as the file ending and you must run
|
||||
# "openssl rehash <path to capath>" each time you add/remove a certificate.
|
||||
#cafile
|
||||
#capath
|
||||
|
||||
|
||||
# If require_certificate is true, you may set use_identity_as_username to true
|
||||
# to use the CN value from the client certificate as a username. If this is
|
||||
# true, the password_file option will not be used for this listener.
|
||||
|
24
src/net.c
24
src/net.c
@ -454,17 +454,19 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
|
||||
ENGINE *engine = NULL;
|
||||
int rc;
|
||||
|
||||
rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
|
||||
if(rc == 0){
|
||||
if(listener->cafile && listener->capath){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
|
||||
}else if(listener->cafile){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
|
||||
}else{
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
|
||||
if(listener->cafile || listener->capath){
|
||||
rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
|
||||
if(rc == 0){
|
||||
if(listener->cafile && listener->capath){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
|
||||
}else if(listener->cafile){
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
|
||||
}else{
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
|
||||
}
|
||||
net__print_ssl_error(NULL);
|
||||
return 1;
|
||||
}
|
||||
net__print_ssl_error(NULL);
|
||||
return 1;
|
||||
}
|
||||
if(listener->tls_engine){
|
||||
#if !defined(OPENSSL_NO_ENGINE)
|
||||
@ -761,7 +763,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
||||
/* We need to have at least one working socket. */
|
||||
if(listener->sock_count > 0){
|
||||
#ifdef WITH_TLS
|
||||
if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
|
||||
if(listener->certfile && listener->keyfile){
|
||||
if(net__tls_server_ctx(listener)){
|
||||
return 1;
|
||||
}
|
||||
|
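Review bot: The new `if(listener->cafile || listener->capath)` guard at the top of net__tls_load_verify silently skips loading any trust store when neither option is set, and the relaxed certfile/keyfile conditions in net__socket_listen and in the mosquitto_security_apply_default hunk now let such a listener start with require_certificate true; unless defaults are loaded elsewhere, every client certificate will presumably be rejected at handshake time with nothing at startup pointing at the cause. It would be worth diagnosing that combination here, e.g. `}else if(listener->require_certificate){ log__printf(NULL, MOSQ_LOG_WARNING, "Warning: require_certificate is set but neither cafile nor capath is configured."); }`, or treating it as a configuration error. The body of net__tls_load_verify begins before this hunk and continues after it.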
@ -1051,7 +1051,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
|
||||
#ifdef WITH_TLS
|
||||
for(i=0; i<db->config->listener_count; i++){
|
||||
listener = &db->config->listeners[i];
|
||||
if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
|
||||
if(listener && listener->ssl_ctx && listener->certfile && listener->keyfile && listener->crlfile && listener->require_certificate){
|
||||
if(net__tls_server_ctx(listener)){
|
||||
return 1;
|
||||
}
|
||||
|
@ -24,6 +24,7 @@ TEST_OBJS = test.o \
|
||||
utf8.o
|
||||
|
||||
LIB_OBJS = memory_mosq.o \
|
||||
memory_public.o \
|
||||
misc_mosq.o \
|
||||
packet_datatypes.o \
|
||||
property_mosq.o \
|
||||
@ -38,6 +39,7 @@ BRIDGE_TOPIC_TEST_OBJS = \
|
||||
BRIDGE_TOPIC_OBJS = \
|
||||
bridge_topic.o \
|
||||
memory_mosq.o \
|
||||
memory_public.o \
|
||||
util_topic.o \
|
||||
|
||||
PERSIST_READ_TEST_OBJS = \
|
||||
@ -46,6 +48,7 @@ PERSIST_READ_TEST_OBJS = \
|
||||
|
||||
PERSIST_READ_OBJS = \
|
||||
memory_mosq.o \
|
||||
memory_public.o \
|
||||
misc_mosq.o \
|
||||
packet_datatypes.o \
|
||||
persist_read.o \
|
||||
@ -64,6 +67,7 @@ PERSIST_WRITE_TEST_OBJS = \
|
||||
PERSIST_WRITE_OBJS = \
|
||||
database.o \
|
||||
memory_mosq.o \
|
||||
memory_public.o \
|
||||
misc_mosq.o \
|
||||
packet_datatypes.o \
|
||||
persist_read.o \
|
||||
@ -85,6 +89,7 @@ SUBS_TEST_OBJS = \
|
||||
SUBS_OBJS = \
|
||||
database.o \
|
||||
memory_mosq.o \
|
||||
memory_public.o \
|
||||
subs.o \
|
||||
topic_tok.o
|
||||
|
||||
@ -117,6 +122,9 @@ database.o : ../../src/database.c
|
||||
memory_mosq.o : ../../lib/memory_mosq.c
|
||||
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
|
||||
|
||||
memory_public.o : ../../src/memory_public.c
|
||||
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
|
||||
|
||||
misc_mosq.o : ../../lib/misc_mosq.c
|
||||
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
|
||||
|
||||
|