Alfonso, I'd be interested to see other people's ideas, but here is how I set up our system:
1. Configure the server to require client authentication with a certificate, and to use the CN as the username.
2. Configure the ACL such that clients are restricted to a device/%u/# wildcard.
3. Set up a registration system that will validate new devices and issue certs on demand.

Works well so far (fingers crossed)

-Darren

On Nov 26, 2013 6:41 PM, "Alfonso Pantoja" <alfonso.pant...@gmail.com> wrote:
> Hi,
>
> I've been reading the mosquitto documentation about security and I'm a bit
> confused about what would be the best setup for supporting a huge number of
> clients trying to keep the system as simple as possible.
>
> To be more specific, imagine a scenario with a broker exposed to the
> internet which is being accessed by third party products/code (i.e.: devices
> sending temperature data).
> Let's say that users of this system could have lots of devices and wanted
> to connect them to the broker.
>
> In a perfect (and secure) world all those clients should have different
> credentials but in reality this could be tricky because all devices should
> be configured one by one and all credentials remembered/stored.
>
> If I'm not wrong the documentation states that it is recommended to use
> different certificates for server, CA and clients so I suppose it is also
> problematic using only one user/password in all people's devices or the
> same PSK, right?
>
> In order to balance security and simplicity I'm wondering if the best
> solution is to expose a broker to the internet and bridge it to a "private"
> broker but I'm still confused about what kind of security should be
> implemented in the "external broker".
>
> Any advice on this?
>
> Thanks in advance,
>
> Alfonso
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to : mosquitto-users@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help : https://help.launchpad.net/ListHelp
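As an added example (not code from this thread or from Mosquitto), here is a simplified Python model of how the device/%u/# pattern from step 2 confines each certificate CN to its own topic subtree, and why the registration system in step 3 should refuse CNs containing MQTT wildcard or separator characters. The CN naming policy, the function names and the sample device names are assumptions.

```python
import re

# ACL pattern from step 2. In a Mosquitto ACL file this is the line
#   pattern readwrite device/%u/#
# with the listener set to `require_certificate true` and
# `use_identity_as_username true`, so that %u is the certificate CN (step 1).
ACL_PATTERN = "device/%u/#"

# Assumed naming policy for the registration system (step 3): the CN is a
# single topic level with no MQTT wildcard ('+', '#') or separator ('/').
CN_POLICY = re.compile(r"[A-Za-z0-9_-]{1,64}")


def cn_is_acceptable(cn: str) -> bool:
    """Registration-time check, run before a certificate is issued."""
    return CN_POLICY.fullmatch(cn) is not None


def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' is one level, '#' is the remainder."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True  # '#' also matches the parent level itself
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def may_publish(cn: str, topic: str) -> bool:
    """Naive model of the per-client check: substitute the CN, then match.

    It deliberately does no validation of the CN, to show what the
    registration system has to guarantee on its own.
    """
    return filter_matches(ACL_PATTERN.replace("%u", cn), topic)
```

In this model a CN of `+` or `#` would expand the pattern into a filter covering every device's subtree, which is why the CN policy belongs in the certificate-issuing step and not only in the broker.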