Chirpstack MQTT authentication using client certificates #257

Closed
mwilniewiec opened this issue Aug 9, 2023 · 2 comments


@mwilniewiec

In general the recommended way of ensuring MQTT security & authentication is using mutual TLS with client certificate verification.

For the RabbitMQ MQTT plugin, docs can be found here:
https://www.rabbitmq.com/mqtt.html#tls-certificate-authentication
https://github.com/rabbitmq/rabbitmq-server/tree/main/deps/rabbitmq_auth_mechanism_ssl

With such an approach, a username and password are not needed and should not be sent.
As they say:
Clients must not supply username and password.

A connection where a username/password is provided can be rejected when such an authentication method is disabled in the broker.

When using ChirpStack I tried to make a secure connection with a client certificate & no username and pass, with no luck.
From what I see, when I configure the MQTT integration with no username and password, an empty string is still used for both.
Also, an empty string sends an empty string to a broker, so in my opinion there is no way to configure ChirpStack not to send username/password.

I didn't check but I believe the same problem will affect an mqtt-packet-forwarder that can be used inside of a gateway.

@brocaar
Contributor

brocaar commented Aug 9, 2023

Thanks for your feedback, I did not have issues when testing the MQTT Forwarder with mTLS with a blank username / password and was not aware this could cause issues with other MQTT brokers. Only setting user_name and password arguments if this configuration != empty string should be easy to implement.

Would you like to create a PR for this (for both chirpstack and chirpstack-mqtt-forwarder repos)? I think it should look like this:

```rust
if !conf.username.is_empty() {
    conn_opts_b.user_name(&conf.username);
}

if !conf.password.is_empty() {
    conn_opts_b.password(&conf.password);
}
```

@brocaar
Contributor

brocaar commented Aug 9, 2023

I was assuming that internally conn_opts_b would by default store user_name and password as empty strings, but that is not the case. The default is None and setting it sets it to Some(...).

brocaar added a commit to chirpstack/chirpstack-mqtt-forwarder that referenced this issue Aug 10, 2023
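
Why an empty string differs from an unset credential on the wire, as an added example that is not part of the original thread or the ChirpStack code: a minimal MQTT 3.1.1 CONNECT encoder showing that `Some("")` still sets the User Name and Password flags that a certificate-only broker can reject. The names `Conf`, `non_empty`, `encode_connect`, `credential_flags` and the client id `gw-1` are hypothetical and constructed for illustration.

```rust
/// Hypothetical config: an empty string means "not configured".
pub struct Conf { pub username: String, pub password: String }

/// Map an empty configured value to None so the field is omitted entirely.
pub fn non_empty(s: &str) -> Option<&str> {
    if s.is_empty() { None } else { Some(s) }
}

// MQTT strings are a big-endian u16 length followed by the UTF-8 bytes.
fn put_str(buf: &mut Vec<u8>, s: &str) {
    buf.extend_from_slice(&(s.len() as u16).to_be_bytes());
    buf.extend_from_slice(s.as_bytes());
}

/// Encode an MQTT 3.1.1 CONNECT packet (clean session, no will message).
pub fn encode_connect(client_id: &str, user: Option<&str>, pass: Option<&str>) -> Vec<u8> {
    let mut flags = 0x02u8; // bit 1: clean session
    if user.is_some() { flags |= 0x80; } // bit 7: User Name flag
    if pass.is_some() { flags |= 0x40; } // bit 6: Password flag
    let mut body = Vec::new();
    put_str(&mut body, "MQTT"); // protocol name
    body.push(4);               // protocol level for 3.1.1
    body.push(flags);
    body.extend_from_slice(&60u16.to_be_bytes()); // keep alive, seconds
    put_str(&mut body, client_id);
    if let Some(u) = user { put_str(&mut body, u); }
    if let Some(p) = pass { put_str(&mut body, p); }
    assert!(body.len() < 128, "example handles a one-byte remaining length only");
    let mut pkt = vec![0x10, body.len() as u8]; // fixed header: CONNECT
    pkt.extend(body);
    pkt
}

/// Broker-side view: (User Name flag, Password flag) from the connect flags byte.
pub fn credential_flags(pkt: &[u8]) -> (bool, bool) {
    let flags = pkt[9]; // 2 fixed header + 6 protocol name + 1 level
    (flags & 0x80 != 0, flags & 0x40 != 0)
}

fn main() {
    let conf = Conf { username: String::new(), password: String::new() };
    // Always setting the options, even when the configured values are empty.
    let always = encode_connect("gw-1", Some(conf.username.as_str()), Some(conf.password.as_str()));
    // Guarded form: empty configuration leaves the options unset.
    let guarded = encode_connect("gw-1", non_empty(&conf.username), non_empty(&conf.password));
    println!("always set: {:?}, {} bytes", credential_flags(&always), always.len());
    println!("guarded:    {:?}, {} bytes", credential_flags(&guarded), guarded.len());
}
```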