Feature: Use x509 SubjectAlternativeName as username
We would like to use a field from the SubjectAlternativeName in an x509 client certificate as the username in mosquitto.
I already have a local patch that adds this behavior through a use_san_dns_as_username configuration value, similar to use_subject_as_username and use_identity_as_username. It adds an extra branch in handle_connect.c#handle_connect and, for now, just takes the first DNS entry present in the SAN.
Before I start work on a proper PR, is this something that could potentially be upstreamed as a feature? And if so, is this extra configuration value the right approach?
I also had a look at RabbitMQ, which has a similar feature. There it can be configured like this:
ssl_cert_login_from = subject_alternative_name
ssl_cert_login_san_type = dns
ssl_cert_login_san_index = 0
When adding this to mosquitto the simplest option would be:
# this would just take the first entry if present
use_san_dns_as_username true
Or, a bit more flexible:
use_san_as_username true
use_san_as_username_type dns
use_san_as_username_index 0
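As an added example (not part of this issue or of mosquitto's own code), a stdlib-only Python sketch of the type/index selection the flexible configuration above implies: it parses a constructed SubjectAltName extension value (RFC 5280 GeneralName tags), picks the index-th entry of the requested type (the index is assumed to count within entries of that type, as in the RabbitMQ options), and rejects names containing an embedded NUL byte, which a C string copy in the broker would silently truncate. Mosquitto itself would take the GENERAL_NAMES from OpenSSL (X509_get_ext_d2i) rather than parsing DER by hand.

```python
# Context-specific tags of GeneralName (RFC 5280 4.2.1.6) that make usable usernames.
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "dns", 0x86: "uri", 0x87: "ip"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_san(san_der):
    """Parse a SubjectAltName extension value into [(type, value), ...] in cert order."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        kind = GENERAL_NAME_TAGS.get(tag)
        if kind is None:  # otherName, directoryName, ...: not usable as a username
            continue
        if kind == "ip":  # iPAddress is raw bytes; render IPv4 dotted, anything else hex
            val = ".".join(str(b) for b in val) if len(val) == 4 else val.hex()
        names.append((kind, val))
    return names


def san_username(san_der, san_type="dns", index=0):
    """Select the index-th SAN entry of san_type as the username; None if absent."""
    matches = [v for k, v in parse_san(san_der) if k == san_type]
    if index >= len(matches):
        return None
    value = matches[index]
    if isinstance(value, bytes):
        if b"\x00" in value:  # a NUL would truncate the name once it becomes a C string
            raise ValueError("embedded NUL byte in SAN entry")
        value = value.decode("ascii")  # IA5String; non-ASCII is a malformed entry
    return value


# Constructed sample SAN: one email, two DNS names, one IPv4 address (all fictional).
def _gn(tag, data):
    return bytes([tag, len(data)]) + data


SAMPLE_SAN = _gn(0x30, _gn(0x81, b"ops@example.test") + _gn(0x82, b"device-01.example.test")
                + _gn(0x82, b"device-01") + _gn(0x87, bytes([10, 0, 0, 7])))
```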
This sounds like a sensible addition to me; I'd be happy to have a PR for it. Given the nature of the SAN, I agree that the more flexible approach would be the better one.