
Empty CA list in HelloServer/CertificateRequest on TLS handshake

Open • marcellorinaldo opened this issue 2 months ago • 1 comment

Hello,

I have configured the mosquitto broker to require certificate authentication from the connecting client. I configured the options require_certificate true, cafile, certfile, and keyfile and used self-signed certificates generated as in mosquitto-tls.

The client I am using to connect is a Java implementation that is using Eclipse Paho. It is configured to use an SSLContext with a keystore that contains a keypair generated in mosquitto-tls and an additional certificate that is signed by a CA different from the one used to sign the broker's certificate. In summary:

Broker setup:

  • cafile points to ca1.crt
  • certfile points to server certificates signed by ca1.crt
  • keyfile points to server's private key

Client setup:

  • client1.crt: signed by ca1.crt
  • client2.crt: signed by another CA different from ca1.crt, let's call it ca2.crt

During the TLS handshake the Certificate Request in the ServerHello packet does not contain a list of recognized CAs (Distinguished Names Length: 0).


What happens is that the client may send any certificate that complies with the other constraints (e.g., supported signature algorithms), and may send the wrong one. In the above example, client2.crt.

Sending an empty CA list does not seem to be an error according to the standard, but it might leave too much freedom to the client.

Can this be considered an issue? Is there any specific server configuration option to populate this CA list?

Thanks in advance,

Marcello

Refs:

marcellorinaldo, Nov 07 '25 11:11
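A client-side counterpart to the report above, as an added example that is not mosquitto or Paho code: in Go the server's CertificateRequest CA names reach the client as tls.CertificateRequestInfo.AcceptableCAs, and a GetClientCertificate callback can use them to choose between the two client certificates described (client1 issued by ca1, client2 by ca2), or refuse to guess when the list is empty. The CAs and certificates are constructed throwaway samples; selectClientCert and issue are names assumed here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// selectClientCert: what a client's GetClientCertificate callback should do with the CA
// names in the server's CertificateRequest. An empty list gives no basis to choose, so
// with several candidates it errors out instead of sending an arbitrary certificate.
func selectClientCert(cri *tls.CertificateRequestInfo, cands []tls.Certificate) (*tls.Certificate, error) {
	if len(cri.AcceptableCAs) == 0 && len(cands) == 1 {
		return &cands[0], nil // nothing to match against, but no ambiguity either
	}
	for i := range cands {
		for _, ca := range cri.AcceptableCAs {
			if string(ca) == string(cands[i].Leaf.RawIssuer) { // DER subject == DER issuer
				return &cands[i], nil
			}
		}
	}
	return nil, fmt.Errorf("no client certificate matches the %d CA name(s) the server sent", len(cri.AcceptableCAs))
}
// issue is a constructed-sample helper: a throwaway CA and one client cert it signs.
// It returns the CA's DER subject, i.e. the name a server would put in the CA list.
func issue(caName, clientName string) ([]byte, tls.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clPub, clKey, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: isCA}
	}
	caTmpl := tmpl(1, caName, true)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	clDER, _ := x509.CreateCertificate(rand.Reader, tmpl(2, clientName, false), ca, clPub, caKey)
	leaf, _ := x509.ParseCertificate(clDER)
	return ca.RawSubject, tls.Certificate{Certificate: [][]byte{clDER, caDER}, PrivateKey: clKey, Leaf: leaf}
}
func main() {
	ca1, client1 := issue("ca1", "client1")
	_, client2 := issue("ca2", "client2")
	// Keystore lists client2 first, as in the report; a populated CA list still selects client1.
	c, err := selectClientCert(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{ca1}}, []tls.Certificate{client2, client1})
	fmt.Println(c.Leaf.Subject.CommonName, err) // client1 <nil>; with empty AcceptableCAs, an error instead
}
```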

Thanks for reporting this. You're not wrong, the list isn't being sent and there's no way to configure it to do so. It's taken a bit of figuring out, but I've now got some code for the server that works. Where I'm struggling is to figure out how to test it. I've pushed the code to the develop branch anyway.

ralight, Nov 25 '25 23:11