
TLS with ASP.Net Core 2.1

Open MattComb opened this issue 5 years ago • 31 comments

Would it be possible to extend the documentation for ASP.Net Core 2.1 on how to add an encrypted endpoint? I have tried the approaches in the documentation, but they do not seem to work with the ASP.Net Core approach.

How can I add an mqtts endpoint listening on 8883?

MattComb avatar Oct 30 '18 07:10 MattComb

I do it as follows on ASP.NET Core 2.1 and it works. I can add this information to the wiki if @chkr1011 agrees.

var x509 = new X509Certificate2(Configuration["Mqtt:Certificate"], "");

services.AddHostedMqttServerWithServices(builder => {
    builder
        .WithDefaultEndpoint()
        .WithEncryptedEndpoint()
        .WithEncryptionCertificate(x509.Export(X509ContentType.Pfx));
});

Note that I use a pfx certificate. The way of loading/exporting the certificate shown in the examples never worked for me (and I still have to understand why).

Also, "Mqtt:Certificate" is the configuration key that contains the full path to the pfx certificate file (X509, public key and private key). This isn't optimal; it would be better to access it using a file provider. If you have the certificate and the private key in different files, you can always use openssl to join them in a pfx.

fogzot avatar Oct 30 '18 08:10 fogzot

This does not work for me; here is my ConfigureServices stuff.

services.Configure<AppSettings>(Configuration.GetSection("AppSettings"));

var mqttServerOptions = new MqttServerOptionsBuilder()
    .WithConnectionValidator(c =>
    {
        // some stuff that works
    })
    .WithSubscriptionInterceptor(context =>
    {
        // some stuff that works
    })
    .WithApplicationMessageInterceptor(context =>
    {
        // some stuff that works
    })
    .Build();

services.AddHostedMqttServer(mqttServerOptions);

// supposed to add tcp support but actually next line does ?!?
services.AddMqttConnectionHandler();

// does this add tcp
services.AddMqttTcpServerAdapter();

// trying to add tls but doesn't open on 8883
var x509 = new X509Certificate(@"some cert path here", "password");
services.AddHostedMqttServerWithServices(builder => {
    builder
        .WithEncryptedEndpoint()
        .WithEncryptedEndpointPort(8883)
        .WithEncryptionCertificate(x509.Export(X509ContentType.Cert));
});

services.AddMqttWebSocketServerAdapter();

MattComb avatar Oct 30 '18 13:10 MattComb

Currently I'm able to achieve ws, wss and mqtt, but not mqtts (using tcp). It feels like I'm missing an option to add TLS to the TCP?

MattComb avatar Oct 30 '18 13:10 MattComb

The call to services.AddMqttTcpServerAdapter() should be enough.

fogzot avatar Oct 30 '18 15:10 fogzot

Unfortunately it is not working.

MattComb avatar Oct 30 '18 21:10 MattComb

services.AddMqttTcpServerAdapter(); is the old API that works on .NET sockets.

services.AddMqttConnectionHandler(); is the new API for AspnetCore.Connections.Abstractions, but it doesn't support TLS yet.

JanEggers avatar Nov 02 '18 10:11 JanEggers
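The two replies above (fogzot's working PFX setup and JanEggers' note that only the socket-based adapter serves TLS) can be combined into one ConfigureServices. The following is an added example written for this thread, not code from MQTTnet or from any participant. It assumes the MQTTnet 3.x builder API (the WithEncryptionSslProtocol call is not shown on this page), the MQTTnet.AspNetCore namespace, and two configuration keys, Mqtt:Certificate (path to a PFX, as in fogzot's post) and Mqtt:CertificatePassword (an assumed additional key). It also makes two failure modes from the thread fail loudly at startup: a certificate exported with X509ContentType.Cert carries no private key, so the TLS handshake can never complete, and on Windows a PFX imported without X509KeyStorageFlags.Exportable makes Export(X509ContentType.Pfx) throw.

```csharp
// Added example (not MQTTnet's own code). Assumed: MQTTnet 3.x builder API,
// MQTTnet.AspNetCore package, configuration keys Mqtt:Certificate and
// Mqtt:CertificatePassword.
using System;
using System.IO;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MQTTnet.AspNetCore;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Validate the certificate once at startup instead of discovering the
        // problem at the first client handshake.
        var serverCert = LoadServerCertificate(
            Configuration["Mqtt:Certificate"],
            Configuration["Mqtt:CertificatePassword"]);

        services.AddHostedMqttServerWithServices(builder =>
        {
            builder
                .WithDefaultEndpoint()            // plain mqtt on the default port (1883)
                .WithEncryptedEndpoint()          // mqtts
                .WithEncryptedEndpointPort(8883)
                // Export as PFX so the private key travels with the certificate.
                // X509ContentType.Cert would strip it and TLS could not be served.
                .WithEncryptionCertificate(serverCert.Export(X509ContentType.Pfx))
                // Assumed MQTTnet 3.x builder method; pins the minimum protocol version.
                .WithEncryptionSslProtocol(SslProtocols.Tls12);
        });

        // Per this thread, the socket-based adapter is the one that serves the
        // encrypted endpoint; AddMqttConnectionHandler() did not support TLS yet.
        services.AddMqttTcpServerAdapter();
        services.AddMqttWebSocketServerAdapter();
    }

    // Loads a PFX and refuses anything that cannot actually terminate TLS.
    internal static X509Certificate2 LoadServerCertificate(string path, string password)
    {
        if (string.IsNullOrWhiteSpace(path) || !File.Exists(path))
            throw new FileNotFoundException("Mqtt:Certificate must point to an existing PFX file.", path);

        // Exportable is needed on Windows: without it the imported private key is
        // marked non-exportable and Export(X509ContentType.Pfx) above throws.
        var cert = new X509Certificate2(path, password ?? string.Empty, X509KeyStorageFlags.Exportable);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {cert.Subject} has no private key; a public-only .cer/.crt cannot serve TLS.");

        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException(
                $"Certificate {cert.Subject} is not valid at {now:u} (valid {cert.NotBefore:u} to {cert.NotAfter:u}).");

        return cert;
    }
}
```

Keeping the PFX path and password out of the checked-in appsettings (environment variables, user secrets, or a secret store bound to the same Mqtt:* keys) is the remaining piece; the loader above does not care where the configuration provider got the values from.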

Your other option, depending on how you are deploying, may be to terminate TLS with HAProxy or Nginx, then just have an unencrypted connection from there to the backend service.

dealproc avatar Dec 27 '18 08:12 dealproc

When will this be available? I need this as well.

SeppPenner avatar Apr 25 '19 08:04 SeppPenner

This depends on

https://github.com/aspnet/AspNetCore/issues/4623

JanEggers avatar Apr 25 '19 08:04 JanEggers

@JanEggers: Thank you for the information. Hopefully, NetCore 3.0 (Initial release) will be there in August or so...

SeppPenner avatar Apr 25 '19 08:04 SeppPenner

@JanEggers The issue from AspNetCore is fixed now. Just for information.

SeppPenner avatar Jun 25 '19 08:06 SeppPenner

@SeppPenner I will wait some more until 3.0 is released. And I'm not sure if we can update, because 3.0 does not have .NET Framework support.

JanEggers avatar Jun 26 '19 12:06 JanEggers

@JanEggers Yeah, that's a good idea.

SeppPenner avatar Jun 26 '19 14:06 SeppPenner

> I do it as follows on ASP.NET Core 2.1 and it works. I can add this information to the wiki if @chkr1011 agrees.
>
> var x509 = new X509Certificate2(Configuration["Mqtt:Certificate"], "");
>
> services.AddHostedMqttServerWithServices(builder => {
>     builder
>         .WithDefaultEndpoint()
>         .WithEncryptedEndpoint()
>         .WithEncryptionCertificate(x509.Export(X509ContentType.Pfx));
> });
>
> Note that I use a pfx certificate. The way of loading/exporting the certificate shown in the examples never worked for me (and I still have to understand why).
>
> Also, "Mqtt:Certificate" is the configuration key that contains the full path to the pfx certificate file (X509, public key and private key). This isn't optimal; it would be better to access it using a file provider. If you have the certificate and the private key in different files, you can always use openssl to join them in a pfx.

Hi, could you please help me with setting up the MQTTnet server/broker with both TCP and WS? TLS is not required right now. I tried with both ASP.NET Core 2.0 and 2.1, but did not succeed.

nibirc avatar Mar 23 '20 03:03 nibirc

> Currently I'm able to achieve ws, wss and mqtt, but not mqtts (using tcp). It feels like I'm missing an option to add TLS to the TCP?

Dear Sir, can you please share your code?

nibirc avatar Mar 23 '20 06:03 nibirc

@JanEggers What is needed here? I would like to fix this issue and https://github.com/chkr1011/MQTTnet/issues/756 with one feature branch (Now that I have more time due to home office because of Corona :D).

SeppPenner avatar Mar 29 '20 15:03 SeppPenner

There is no official TLS middleware yet, so you could start with https://github.com/dotnet/orleans/blob/a6bf5940a515aea09b0143c58c54f1872f655203/src/Orleans.Connections.Security/Security/TlsServerConnectionMiddleware.cs

and create your own that is plugged into the pipeline.

JanEggers avatar Mar 30 '20 05:03 JanEggers

Well, I just need to start the server in the pipeline and allow setting options with the builder. Anything else? This shouldn't be so difficult, I would say.

SeppPenner avatar May 03 '20 16:05 SeppPenner

Turns out there are a couple of things that are more complicated than might be expected:

  1. You cannot add any fields to the current MqttClientOptionsBuilderTlsParameters, as this is not built as a string-indexed dictionary.
  2. If you have any need to access information about the TLS channel, that is difficult, as it does not seem to be propagated all the way back. I had to add some extra fields into the base code to get the TLS Exporter in the validation function code.

jimsch avatar May 05 '20 01:05 jimsch

> You cannot add any fields to the current MqttClientOptionsBuilderTlsParameters, as this is not built as a string-indexed dictionary.

I already expected that.

> If you have any need to access information about the TLS channel, that is difficult, as it does not seem to be propagated all the way back. I had to add some extra fields into the base code to get the TLS Exporter in the validation function code.

Ok, good to know. I will check and see what I can do here.

SeppPenner avatar May 05 '20 08:05 SeppPenner

This is blocked by https://github.com/davidfowl/BedrockFramework/pull/52 and https://github.com/davidfowl/BedrockFramework/pull/56

JanEggers avatar May 05 '20 09:05 JanEggers

How's the progress?

egops avatar Jan 28 '21 03:01 egops

@JanEggers @SeppPenner @chkr1011 Hi, how is the progress? Is it blocked by any issue?

behroozbc avatar Oct 25 '21 21:10 behroozbc

I have no idea about the status...

SeppPenner avatar Oct 28 '21 19:10 SeppPenner

@behroozbc I actually did not look at the status of Bedrock. @davidfowl maybe there will be some new bits to play with when .NET 6 releases.

JanEggers avatar Oct 29 '21 05:10 JanEggers

Closing this due to inactivity. If the issue is not solved or closing is a mistake please feel free to reopen it.

chkr1011 avatar Jan 27 '22 19:01 chkr1011

Hi @chkr1011, this issue is not solved.

behroozbc avatar Jan 27 '22 21:01 behroozbc

Hi @JanEggers, is there any new update about the status of this issue after .NET 6 was released?

behroozbc avatar Jan 27 '22 21:01 behroozbc

Hey there. We wish to move from .NET 4.8 to .NET 6 and we use TLS inside our MQTTnet server. Is there any news?

riccardogas avatar Apr 05 '22 15:04 riccardogas

@riccardogas It works just fine like before, but there is still no "optimized TLS middleware for TCP connections" from the dotnet team. Project Bedrock seems to be stale.

JanEggers avatar Apr 06 '22 14:04 JanEggers