Username/password AND client certificates #1936
Comments
@ridomin Yes, that's expected, as mutual TLS cannot be optional. The username/password auth is always on, even if you work with client certs. It's a kind of 2FA, where you present something you have in hand (a client cert) and something you have in your head (a password). You are looking for optional mutual TLS, so 👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
Let me see if I got it correctly. When anonymous access is disabled I need to present a username/password. How are the username and client cert related? Should the common name match the username?
Yes
Yes
CN and username are not related. VerneMQ allows you to automatically use the CN as the username, by setting
The username that you configure in your authentication plugin has to match the CN then, of course. Using the CN as username spares you a configuration step on the clients: configuring an additional username there. EDIT: Documentation with an example config is here: https://docs.vernemq.com/configuring-vernemq/listeners#sample-ssl-config 👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
This means that any trusted client cert (I'm using the same CA as for TLS) is valid for any user (as long as the provided password is correct)? This is very different from the behavior I see in other brokers, where X509 auth is used to authenticate each client and does not require maintaining an additional secret; the private key is the secret.
2FA does not make much sense in IoT; we just need to dump some credentials on the devices/clients. Assuming I don't want passwords and only X509, how can I explicitly enable or disable some given certs?
This statement confused me, as the docs mention that X509 also requires adding a password. RE docs: I'd suggest explaining these 3 scenarios:
@ridomin This PR #1940 will allow disabling internal MQTT authentication for single listeners, while globally I need to look into your case 3 (X509 accepted). I don't think that's what a normal TLS listener in Verne currently implements. 👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
When configuring client certificates with
listener.ssl.require_certificate = on
I can no longer connect with username and password using TLS; I get the error (using the MQTTX client, based on MQTT.js). It works with plain MQTT. Also, the docs do not specify how to authorize the client cert, and got
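The two listener behaviours discussed in this thread, side by side, as an added example (not the issue author's config and not from the VerneMQ project or its docs): the `require_certificate = on` setup from the issue, where a client must both pass the TLS client-certificate check and send a valid username/password, and the variant the maintainer describes, where the certificate CN is taken as the username. The certificate paths, port and listener names are assumptions; `listener.ssl.use_identity_as_username` is the VerneMQ option that enables the CN-as-username behaviour.

```ini
## Added example, not part of the thread. Paths, port and listener name are assumed.

# Anonymous access is off, so every session has to pass the auth plugin.
# With vmq_passwd that means a matching entry in the password file.
allow_anonymous = off
plugins.vmq_passwd = on
vmq_passwd.password_file = /etc/vernemq/vmq.passwd

# TLS listener. The server certificate comes from certfile/keyfile; cafile is the
# CA that client certificates are verified against (the thread uses one CA for both).
listener.ssl.default = 0.0.0.0:8883
listener.ssl.cafile = /etc/vernemq/ca.pem
listener.ssl.certfile = /etc/vernemq/server.pem
listener.ssl.keyfile = /etc/vernemq/server.key

# Variant 1 (the issue's setup): the client must present a certificate signed by
# cafile. A client without one is rejected during the TLS handshake, before the
# MQTT CONNECT is ever read, which is why a username/password-only client fails here.
# A client that does present a valid certificate still has to send a username and
# password that vmq_passwd accepts; the certificate is not tied to any particular user.
listener.ssl.require_certificate = on

# Variant 2 (the maintainer's suggestion): additionally take the certificate's CN as the
# MQTT username. The password file then has to contain an entry whose username equals
# the CN of each device certificate, which binds a given cert to one account instead
# of letting any CA-signed cert be used with any username. Uncomment to enable.
#listener.ssl.use_identity_as_username = on
```

With variant 2, the password for a device is created under its CN (for example `vmq-passwd -c /etc/vernemq/vmq.passwd <device-cn>`), and the device only needs to send the password, not a separate username. Neither variant gives certificate-only authentication; as the maintainer notes, that is what PR #1940 is about for single listeners.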