You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
With such approach a username and password are not needed and should not be sent.
As they say: Clients must not supply username and password.
Connection where username/password is provided can be rejected when such authentication method is disabled in the broker.
When using chirpstack I tried to make a secure connection with client certificate & no username and pass with no luck.
From what I see when I configure mqtt integration with no username and password still an empty string is used for both.
Also an empty string sends an empty string to a broker so in my opinion there is no way to configure chirpstack not to send username/password.
I didn't check but I believe the same problem will affect an mqtt-packet-forwarder that can be used inside of a gateway.
The text was updated successfully, but these errors were encountered:
Thanks for your feedback, I did not have issues when testing the MQTT Forwarder with mTLS with a blank username / password and was not aware this could case issues with other MQTT brokers. Only setting user_name and password arguments if this configuration != empty string should be easy to implement.
Would you like to create a PR for this (for both chirpstack and chirpstack-mqtt-forwarder repos)? I think it should like this:
if !conf.username.is_empty(){
conn_opts_b.user_name(&conf.username);}if !conf.password.is_empty(){
conn_opts_b.password(&conf.password);}
I was assuming that internally conn_opts_b would by default store user_name and password as empty strings, but that is not the case. The default is None an settings it sets it to Some(...).
In general the recommended way of ensuring MQTT security & authentication is using mutual TLS with client certificate verification.
For rabbit mq MQTT plugin docs can be found here:
https://www.rabbitmq.com/mqtt.html#tls-certificate-authentication
https://github.com/rabbitmq/rabbitmq-server/tree/main/deps/rabbitmq_auth_mechanism_ssl
With such approach a username and password are not needed and should not be sent.
As they say:
Clients must not supply username and password.
Connection where username/password is provided can be rejected when such authentication method is disabled in the broker.
When using chirpstack I tried to make a secure connection with client certificate & no username and pass with no luck.
From what I see when I configure mqtt integration with no
username
andpassword
still an empty string is used for both.Also an empty string sends an empty string to a broker so in my opinion there is no way to configure chirpstack not to send username/password.
I didn't check but I believe the same problem will affect an mqtt-packet-forwarder that can be used inside of a gateway.
The text was updated successfully, but these errors were encountered: