SparkplugNet
Authentication with TLS Certificate
Hello, thank you for the continuous bug fixes and updates provided.
I was wondering if anyone has tried connecting via TLS certificates (I use these certificates to connect to a RabbitMQ). I'll provide some lines of code that I use to attempt the connection without a username and password, but I'm getting an "Empty Stream" error which seems to be caused by the lack of TLS handshake. In addition, it signals that MqttClientOptionsBuilderTlsParameters is obsolete.
Any advice? Thank you very much
```csharp
GetTlsParametersDelegate? getTlsParameters = useTLS == true ? new GetTlsParametersDelegate(BuildTls) : null;
sparkplugBNodeOpt = new SparkplugNodeOptions(..., getTlsParameters, ...);
...
sparkplugBNode.Start(sparkplugBNodeOpt);

[Obsolete]
private MqttClientOptionsBuilderTlsParameters BuildTls()
{
    string certificatePath = "certificate.pfx";
    string caCertificatePath = "caCertificate.crt"; // declared but not used below

    // Client certificate (with private key) presented to the broker.
    List<X509Certificate> certificateList =
    [
        new(certificatePath, "password")
    ];

    var tlsParameters = new MqttClientOptionsBuilderTlsParameters
    {
        UseTls = true,
        Certificates = certificateList,
        AllowUntrustedCertificates = true, // TODO: remove in production
        IgnoreCertificateChainErrors = true, // TODO: remove in production
        IgnoreCertificateRevocationErrors = true, // TODO: remove in production
        // Accepts any broker certificate without validation.
        CertificateValidationHandler = (context) => { return true; }
    };

    return tlsParameters;
}
```
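As an added example (not part of the original post, SparkplugNet or MQTTnet): a validation routine that could take the place of the `return true` handler above once the TODO flags are removed, using the otherwise unused `caCertificate.crt` as the only trust anchor. `BrokerCertificateValidation` and `ChainsToPrivateCa` are hypothetical names, it requires .NET 5 or later, and it assumes the private CA publishes no CRL or OCSP endpoint.

```csharp
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of SparkplugNet or MQTTnet.
public static class BrokerCertificateValidation
{
    // Returns true only if the broker certificate matched the requested host name
    // and builds a chain that ends in the supplied private CA certificate.
    public static bool ChainsToPrivateCa(
        X509Certificate? brokerCertificate,
        SslPolicyErrors sslPolicyErrors,
        X509Certificate2 caCertificate)
    {
        if (brokerCertificate is null)
        {
            return false;
        }

        // A missing certificate or a host name mismatch is never acceptable.
        // Chain errors are re-evaluated below against the private CA.
        const SslPolicyErrors fatal =
            SslPolicyErrors.RemoteCertificateNotAvailable |
            SslPolicyErrors.RemoteCertificateNameMismatch;
        if ((sslPolicyErrors & fatal) != 0)
        {
            return false;
        }

        using var chain = new X509Chain();
        // Trust only the supplied CA, not the machine's root store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCertificate);
        // Assumption: no revocation endpoints exist for the private CA.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        using var leaf = new X509Certificate2(brokerCertificate);
        return chain.Build(leaf);
    }
}

// Usage inside the validation handler (assumes the handler context exposes
// Certificate and SslPolicyErrors, and caCertificate was loaded from caCertificatePath):
//   CertificateValidationHandler = context =>
//       BrokerCertificateValidation.ChainsToPrivateCa(
//           context.Certificate, context.SslPolicyErrors, caCertificate)
```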
Maybe this is a question for @chkr1011, I need to check this.
The thing is that because Version A of Sparkplug is deprecated (but some still want to use it), I have marked the features as deprecated already. Since I have TreatWarningsAsErrors set, I need to disable these deprecation warnings. Then I don't see deprecated changes in the libraries I use (in this case MqttNet)... I need to check this, maybe just updating helps.
Thank you for the updates provided!
@SeppPenner Do you still need my input here?
Are there examples in the MQTTnet repo? If yes, then I don't need further information, I guess.
@chkr1011 Like this, I guess:
- Remove proxy options.
- Rework WebSocket options with class `MqttClientWebSocketOptions` in the options and then rework the calls to:

WebSocketServer options:

```csharp
if (this.Options.MqttWebSocketOptions is null)
{
    builder.WithTcpServer(this.Options.BrokerAddress, this.Options.Port);
}
else
{
    builder.WithWebSocketServer(o =>
        o.WithCookieContainer(this.Options.MqttWebSocketOptions.CookieContainer)
        .WithCredentials(this.Options.MqttWebSocketOptions.Credentials)
        .WithProxyOptions(this.Options.MqttWebSocketOptions.ProxyOptions)
        .WithRequestHeaders(this.Options.MqttWebSocketOptions.RequestHeaders)
        .WithSubProtocols(this.Options.MqttWebSocketOptions.SubProtocols)
        .WithUri(this.Options.BrokerAddress)
        .WithKeepAliveInterval(this.Options.MqttWebSocketOptions.KeepAliveInterval)
        .WithUseDefaultCredentials(this.Options.MqttWebSocketOptions.UseDefaultCredentials)
    );
}
```
- Rework TLS options from `GetTlsParameters` to class `MqttClientTlsOptions` in the options and then rework the calls to:

TLS options:

```csharp
if (this.Options.MqttTlsOptions is not null)
{
    builder.WithTlsOptions(this.Options.MqttTlsOptions);
}
```
@chkr1011 Just one thing, can you have a quick look over the changes, please? https://github.com/SeppPenner/SparkplugNet/commit/dfc03bb67f89dcae1f58aa52a4dbf88f7698ab0d. Thanks :)
Sorry but I am a little bit lost here. Which changes do you want me to review? All of them? Or do you want me to have a look at a certain change? :confused:
@chkr1011 Just the changes in the comment (above), please :) Since these are the only options that I can set with MqttNet, I guess, they're correct already.
I guess, this is done.