
SSL with Socket #497

Closed
achest opened this issue Jul 17, 2017 · 7 comments

Comments

@achest

achest commented Jul 17, 2017

I would like to use secure websocket connection. Is this implemented? Have you a sample configuration for me? Which test client can I use?

My Configuration:
Mosquitto 1.4.11, OS: Fedora / Ubuntu (inside Docker).
Client: NodeJS MQTT

It works without encryption on the normal port, but not with SSL encryption.

user mosquitto
port 8883
tls_version tlsv1.2
cafile /mqtt/config/m/ca
certfile /mqtt/config/m/crt
keyfile /mqtt/config/m/key
require_certificate true
log_type all
connection_messages true
websockets_log_level 31
listener 1443
protocol websockets
tls_version tlsv1.2
cafile /mqtt/config/m/ca
certfile /mqtt/config/m/crt
keyfile /mqtt/config/m/key

Debug says SSL Context is null. Many thanks,

@ralight
Contributor

ralight commented Jul 18, 2017

That looks fine. Could you try running openssl s_client -connect <host>:1443 -showcerts and pasting the result?

@achest
Author

achest commented Jul 19, 2017

It looks fine.

Which socket client are you using for testing?

[achest@pc33 test-server]$ openssl s_client -connect localhost:1443 -showcerts
CONNECTED(00000003)
depth=1 CN = test-connect, C = de
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=ess/O=test-connect/C=de
   i:/CN=test-connect/C=de
 1 s:/CN=test-connect/C=de
   i:/CN=test-connect/C=de
---
Server certificate
subject=/CN=tess/O=test-connect/C=de
issuer=/CN=test-connect/C=de
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2237 bytes and written 327 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 592384C31636463ED9710A99BBCBF08E2D97657917A854464C85A50177D7C958
    Session-ID-ctx: 
    Master-Key: AD76447D5AF2D8A0A3B8C4E9E7304845AAF895159F2F164C40CDCFCF8F33348247A43B8D4ECD083E5B65188E1AF79044
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1500453189
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

My Objective: Read and validate Username from Client Certificate.

@achest
Author

achest commented Jul 19, 2017

I have changed the read_handle_server function mqtt3_handle_connect, Line 330. I'm reading the SSL context and copying the CN into context->username. It works for the normal port.
But for the socket, the SSL context is null. It's not possible to get any data from the client cert.

How can I read the data from the client certificate when WebSockets is used?
Thanks

@ralight
Contributor

ralight commented Jul 19, 2017

Oh right, so a different question entirely :)

This requires a bit of work with libwebsockets to fix, then you should be able to use use_identity_as_username for websockets connections as well as normal connections.

@achest
Author

achest commented Jul 19, 2017

Thank you for your reply. I get it. It is a lot of work. Can you help me write a rough plan anyway?
- Where must I make changes in Mosquitto? At which places?
- What do I need to change in libwebsocket? I hope that my change requests will be accepted.

Anyway: what websocket client will you recommend?

@ralight
Contributor

ralight commented Jul 19, 2017

It's not actually that much work, but needs thinking to ensure nothing gets broken.

You need to ensure that the listener->ssl_ctx is correct for the websockets listeners and also that websockets clients have a valid context->ssl. These will almost certainly be provided by libwebsockets, so we shouldn't free them ourselves.

I'd use the Paho Python client for websockets, but it depends entirely on what is appropriate for your situation.
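The point both comments above turn on is that a client's identity can only come from a verified client certificate, and that a connection with no TLS object (the null SSL context achest saw on the websockets listener) must yield no identity rather than an empty or guessed username. The following is an added example, not Mosquitto's or libwebsockets' code: it mirrors the use_identity_as_username rule in Python on the dict shape that `ssl.SSLSocket.getpeercert()` returns, with a constructed sample certificate; the `require_certificate` flag and the fallback to the CONNECT username are modelled after the broker options named on this page.

```python
import ssl
from typing import Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (binary_form=False). It is not a certificate from the issue; only the
# issuer mimics the CA seen in the s_client output above.
SAMPLE_CLIENT_CERT = {
    "subject": ((("commonName", "device-42"),),
                (("organizationName", "test-connect"),),
                (("countryName", "de"),)),
    "issuer": ((("commonName", "test-connect"),), (("countryName", "de"),)),
    "version": 3,
}


def subject_cn(peercert: Optional[dict]) -> Optional[str]:
    """Return the single commonName of the peer certificate's subject.

    None covers both failure modes a broker must not confuse with a user:
    no TLS session at all (the NULL ssl context on the websockets listener
    described in this issue) and a TLS session whose client certificate
    was absent or not verified (getpeercert() then returns {}).
    """
    if not peercert:
        return None
    # subject is a tuple of RDNs, each RDN a tuple of (attribute, value).
    cns = [value for rdn in peercert.get("subject", ())
           for attr, value in rdn if attr == "commonName"]
    if len(cns) != 1:          # no CN, or ambiguous duplicate CNs: refuse
        return None
    return cns[0]


def username_from_identity(peercert: Optional[dict], require_certificate: bool,
                           connect_username: Optional[str]) -> Optional[str]:
    """use_identity_as_username semantics (example policy, not Mosquitto's
    exact code): the certificate CN replaces the username sent in CONNECT.
    With require_certificate set, no usable CN means reject (None); without
    it the broker falls back to the CONNECT username."""
    cn = subject_cn(peercert)
    if cn is not None:
        return cn
    return None if require_certificate else connect_username


def identity_from_socket(sock, require_certificate: bool,
                         connect_username: Optional[str]) -> Optional[str]:
    """Read the verified peer certificate off a live socket; a plain socket
    (no TLS) has no certificate, so it can never supply an identity."""
    peercert = sock.getpeercert() if isinstance(sock, ssl.SSLSocket) else None
    return username_from_identity(peercert, require_certificate, connect_username)
```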

@PierreF
Contributor

PierreF commented Jan 3, 2018

Closing as this is fixed by 7943072 which will be included in the next release. Feel free to reopen if the issue persists.

@PierreF PierreF closed this as completed Jan 3, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Aug 8, 2019