Enable TLS with certfile+keyfile, not capath/cafile.

Roger A. Light 2020-09-23 23:31:00 +01:00
parent 5371bd09d1
commit 54b9571516
6 changed files with 59 additions and 39 deletions


@ -47,6 +47,8 @@ Broker:
functions, which can be used by plugins to disconnect clients.
- Add support for handling $CONTROL/ topics in plugins.
- Add support for PBKDF2-SHA512 password hashing.
- Enabling certificate based TLS encryption is now through certfile and
keyfile, not capath or cafile.
Client library:
- Client no longer generates random client ids for v3.1.1 clients, these are


@ -46,7 +46,7 @@
<para>The simplest option is to have no authentication at all. This is
the default if no other options are given. Unauthenticated
encrypted support is provided by using the certificate based
SSL/TLS based options cafile/capath, certfile and keyfile.</para>
SSL/TLS based options certfile and keyfile.</para>
<para>MQTT provides username/password authentication as part of the
protocol. Use the password_file option to define the valid
usernames and passwords. Be sure to use network encryption if you
@ -1249,33 +1249,35 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
<varlistentry>
<term><option>cafile</option> <replaceable>file path</replaceable></term>
<listitem>
<para>At least one of <option>cafile</option> or
<option>capath</option> must be provided to enable
SSL support.</para>
<para><option>cafile</option> is used to define the
path to a file containing the PEM encoded CA
certificates that are trusted.</para>
certificates that are trusted when checking incoming
client certificates.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>capath</option> <replaceable>directory path</replaceable></term>
<listitem>
<para>At least one of <option>cafile</option> or
<option>capath</option> must be provided to enable
SSL support.</para>
<para><option>capath</option> is used to define a
directory that contains PEM encoded CA certificates
that are trusted. For <option>capath</option> to
that are trusted when checking incoming client
certificates. For <option>capath</option> to
work correctly, the certificates files must have
".pem" as the file ending and you must run
"openssl rehash &lt;path to capath&gt;" each time you
add/remove a certificate.</para>
"openssl rehash &lt;path to capath&gt;" each time
you add/remove a certificate.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>certfile</option> <replaceable>file path</replaceable></term>
<listitem>
<para>Path to the PEM encoded server certificate.</para>
<para>
Path to the PEM encoded server certificate. This
option and <option>keyfile</option> must be present
to enable certificate based TLS encryption.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -1312,7 +1314,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
<varlistentry>
<term><option>keyfile</option> <replaceable>file path</replaceable></term>
<listitem>
<para>Path to the PEM encoded keyfile.</para>
<para>
Path to the PEM encoded server key. This
option and <option>certfile</option> must be present
to enable certificate based TLS encryption.
</para>
</listitem>
</varlistentry>
<varlistentry>


@ -460,17 +460,8 @@
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath
# Both of certfile and keyfile must be defined to enable certificate based
# TLS encryption.
# Path to the PEM encoded server certificate.
#certfile
@ -478,7 +469,6 @@
# Path to the PEM encoded keyfile.
#keyfile
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
@ -505,6 +495,18 @@
# outside of the mechanisms provided by MQTT.
#require_certificate false
# cafile and capath define methods of accessing the PEM encoded
# Certificate Authority certificates that will be considered trusted when
# checking incoming client certificates.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
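Review bot: The relocated capath comment says certificate files must end in ".crt", while the man page changed in this same commit says ".pem"; as far as I recall `openssl rehash` picks up .pem, .crt, .cer and .crl files, so both may work, but the two documents should agree. More relevant for operators, now that TLS is enabled by certfile and keyfile alone, nothing here says that require_certificate only makes sense together with cafile or capath; I would add `# If require_certificate is true, cafile or capath must also be set, otherwise` / `# there are no trusted CAs against which a client certificate can be checked.` directly above the `#cafile` line.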


@ -454,6 +454,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
ENGINE *engine = NULL;
int rc;
if(listener->cafile || listener->capath){
rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
if(rc == 0){
if(listener->cafile && listener->capath){
@ -466,6 +467,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
net__print_ssl_error(NULL);
return 1;
}
}
if(listener->tls_engine){
#if !defined(OPENSSL_NO_ENGINE)
engine = ENGINE_by_id(listener->tls_engine);
@ -761,7 +763,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
/* We need to have at least one working socket. */
if(listener->sock_count > 0){
#ifdef WITH_TLS
if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
if(listener->certfile && listener->keyfile){
if(net__tls_server_ctx(listener)){
return 1;
}
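Review bot: With the new guard in net__tls_load_verify a listener that sets neither cafile nor capath now gets a TLS context with no verify locations loaded, and nothing in this hunk rejects that combination when require_certificate is also set — presumably every client certificate then fails at handshake time instead of the misconfiguration being reported at startup. I would fail early, mirroring the existing error path: `}else if(listener->require_certificate){` / `/* require_certificate needs a CA to verify against */` / `return 1;` with a log line naming the listener. The new `certfile && keyfile` condition in net__socket_listen is the right trigger for enabling TLS, but it is what makes the CA-less case reachable where previously it was not. Both net__tls_load_verify and net__socket_listen continue outside the hunk.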


@ -1051,7 +1051,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
#ifdef WITH_TLS
for(i=0; i<db->config->listener_count; i++){
listener = &db->config->listeners[i];
if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
if(listener && listener->ssl_ctx && listener->certfile && listener->keyfile && listener->crlfile && listener->require_certificate){
if(net__tls_server_ctx(listener)){
return 1;
}
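Review bot: The `listener &&` test in the new condition is redundant: listener is assigned `&db->config->listeners[i]` two lines above and the address of an array element is never NULL, so it only lengthens an already long predicate. I would drop it: `if(listener->ssl_ctx && listener->certfile && listener->keyfile && listener->crlfile && listener->require_certificate){`. The function mosquitto_security_apply_default starts before this hunk.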


@ -24,6 +24,7 @@ TEST_OBJS = test.o \
utf8.o
LIB_OBJS = memory_mosq.o \
memory_public.o \
misc_mosq.o \
packet_datatypes.o \
property_mosq.o \
@ -38,6 +39,7 @@ BRIDGE_TOPIC_TEST_OBJS = \
BRIDGE_TOPIC_OBJS = \
bridge_topic.o \
memory_mosq.o \
memory_public.o \
util_topic.o \
PERSIST_READ_TEST_OBJS = \
@ -46,6 +48,7 @@ PERSIST_READ_TEST_OBJS = \
PERSIST_READ_OBJS = \
memory_mosq.o \
memory_public.o \
misc_mosq.o \
packet_datatypes.o \
persist_read.o \
@ -64,6 +67,7 @@ PERSIST_WRITE_TEST_OBJS = \
PERSIST_WRITE_OBJS = \
database.o \
memory_mosq.o \
memory_public.o \
misc_mosq.o \
packet_datatypes.o \
persist_read.o \
@ -85,6 +89,7 @@ SUBS_TEST_OBJS = \
SUBS_OBJS = \
database.o \
memory_mosq.o \
memory_public.o \
subs.o \
topic_tok.o
@ -117,6 +122,9 @@ database.o : ../../src/database.c
memory_mosq.o : ../../lib/memory_mosq.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
memory_public.o : ../../src/memory_public.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
misc_mosq.o : ../../lib/misc_mosq.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^