Hi Brian, I've been a bit busy with other things, I'll try and reply properly as soon as I can.
Regards, Roger

On Wed, Nov 20, 2013 at 1:44 PM, Brian Reinhold <brianreinh...@lampreynetworks.com> wrote:
> (Sorry if this was sent twice; I think I had to join to post)
>
> To anyone who may understand how mosquitto implements TLS,
>
> Working on Windows 7:
>
> I have done a fair amount of work with TLS using many of the Java-based servers (and clients). Typically the setup is as follows when client authentication is NOT required:
>
> 1. On the server side one provides the server with a keystore file containing the server’s private key and associated information such that one can generate the server’s x509 certificate from it.
>    a. The keystore is typically encoded in a format (like jks or bks) and locked with a password
> 2. On the client side one has a truststore containing the server’s x509 certificate generated from the server’s private key
>    a. The truststore is likewise encoded in a format and locked with a password
>
> For a test case one often accepts a self-signed certificate in the truststore. In operation one typically requires that the certificate be signed by a CA whose self-signed certificate is in the truststore before placing that certificate in the truststore.
>
> Now if client authentication is required the following is typically added:
> 1. The server ALSO maintains a truststore that has trusted x509 certificates of clients that it trusts.
>    a. The truststore is likewise encoded in a format and locked with a password
> 2. The client must now have a keystore file containing the client’s private key and associated information such that one can generate the server’s x509 certificate from it
>    a. The keystore is likewise encoded in a format and locked with a password
>
> For testing a server and client being implemented by a single entity, all the x509 certificates are typically self-signed.
>
> The problem is that I do not see how to configure mosquitto to support the above scenario.
> 1. There is no means to specify the encoding format of the keystore or truststore.
> 2. There is no means to specify the password to access the keystore or truststore.
>
> I am not sure but it looks like mosquitto does not support the concept of a keystore and one must expose the server private key and server certificate as separate PEM files. For client authentication I am less sure. I see this text in the config file:
>
> “They both
> # define methods of accessing the PEM encoded Certificate
> # Authority certificates that have signed your server certificate
> # and that you wish to trust.
> # cafile defines the path to a file containing the CA certificates.”
>
> The statement “defines the path to a file containing the CA certificates” sounds like a standard truststore but the statement previous to it does not. If one is using self-signed certificates, does mosquitto require its own certificate in its truststore (typically a server truststore is NOT needed unless one is requiring client authentication)? Why does the server need to authenticate itself in any case? Given that, can I place my client certificate in that same truststore?
>
> In my case mosquitto is working as a broker for another server that requires client authentication, and keystores and truststores are established on both the server and client sides. The protocol that the MQTT server is working under requires client authentication with the MQTT broker as well. The idea is to have the mosquitto broker point to at least the same truststore as the server; ideally the same keystore as well. Communication between the broker and the server is insecure (they reside on the same machine). It would be even nicer if the broker (on the server side) were available as a library so it could be integrated into the server application!
>
> So in the end:
> 1. Does mosquitto support the concept of keystores?
> 2. Does mosquitto support securing keystores with passwords?
> 3. How does mosquitto support truststores? (It does not appear to be like the standard web browsers.)
>
> Clarification and/or any help is greatly appreciated!!!
>
> Brian Reinhold
> LNI
> tel 603 868 8411 x207
> brianreinh...@lampreynetworks.com
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to : mosquitto-users@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help : https://help.launchpad.net/ListHelp
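Added example, not part of the thread or of the mosquitto project: a POSIX shell helper that maps the Java keystore/truststore layout described above onto the separate PEM files that mosquitto's TLS listener reads (cafile, certfile, keyfile, require_certificate are the real mosquitto.conf option names). It assumes keytool and openssl are on PATH; every file path, alias and password argument is a placeholder chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): map a Java keystore/truststore
# onto the separate PEM files mosquitto's TLS listener reads.
# Assumes keytool (JDK) and openssl on PATH; paths and aliases are
# placeholders chosen for this example.
set -eu

# Export the server's private key and certificate from a JKS keystore.
# keytool cannot emit a bare private key, so go JKS -> PKCS#12 -> PEM.
#   $1 keystore.jks  $2 store password  $3 key alias  $4 output dir
jks_to_pem() {
    ks=$1; pass=$2; key_alias=$3; out=$4
    mkdir -p "$out"
    keytool -importkeystore -srckeystore "$ks" -srcstorepass "$pass" \
        -srcalias "$key_alias" -destkeystore "$out/server.p12" \
        -deststoretype PKCS12 -deststorepass "$pass" -noprompt
    # -nodes writes the key unencrypted, so rely on file permissions:
    # there is no keystore password in mosquitto.conf to protect it.
    openssl pkcs12 -in "$out/server.p12" -passin "pass:$pass" \
        -nocerts -nodes -out "$out/server-key.pem"
    openssl pkcs12 -in "$out/server.p12" -passin "pass:$pass" \
        -nokeys -clcerts -out "$out/server-cert.pem"
    chmod 600 "$out/server-key.pem"
}

# Concatenate every trusted cert in a JKS truststore into one PEM bundle.
# With self-signed client certs this bundle is the "CA" list: each client
# cert signed itself, so the cert itself goes into cafile.
#   $1 truststore.jks  $2 store password  $3 output PEM file
truststore_to_cafile() {
    ts=$1; pass=$2; out=$3
    : > "$out"
    keytool -list -keystore "$ts" -storepass "$pass" |
        awk -F, '/trustedCertEntry/ { print $1 }' | while read -r a; do
        keytool -exportcert -rfc -keystore "$ts" -storepass "$pass" \
            -alias "$a" >> "$out"
    done
}

# Print the listener fragment for mosquitto.conf: cafile is the trust
# store, certfile/keyfile are the key store, and require_certificate
# true is what switches client authentication on.
#   $1 cafile  $2 certfile  $3 keyfile  $4 port (default 8883)
mosquitto_tls_conf() {
    printf 'listener %s\n' "${4:-8883}"
    printf 'cafile %s\ncertfile %s\nkeyfile %s\n' "$1" "$2" "$3"
    printf 'require_certificate true\n'
}
```

The `keytool -list` parsing assumes the default English output format, in which trusted entries are listed as `alias, date, trustedCertEntry,`.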