blog icon indicating copy to clipboard operation
blog copied to clipboard
verified publisher icon emqx

'Enable two-way SSL/TLS for EMQ X' blog example client credentials not on server

Open JeffreyUrban opened this issue 4 years ago • 9 comments

File: /en/202007/enable-two-way-ssl-for-emqx.md

The 'Enable two-way SSL/TLS for EMQ X' blog example appears to never establish knowledge of the client credentials on the server. So if the server requires registered clients, this client will be rejected and the two-way TLS won't work. If the server does not require clients to be registered, then all clients will be allowed, which defeats the purpose of two-way TLS.

JeffreyUrban avatar Nov 19 '21 19:11 JeffreyUrban

Hi @JeffreyUrban The blog post probably tested against default config which allowed anonymous clients.

If by following the steps, TLS handshake didn’t work as expected, we’ll update it. MQTT authentication failure is probably not for this blog to cover.

zmstone avatar Nov 19 '21 21:11 zmstone

I’m converting this to a discussion.

zmstone avatar Nov 19 '21 21:11 zmstone

I’m converting this to a discussion.

Sorry didn’t notice this is the blog post repo

zmstone avatar Nov 19 '21 21:11 zmstone

Or, By credentials, do you mean server should trust client’s CA certificates?

zmstone avatar Nov 19 '21 21:11 zmstone

If the server does not check the client's credentials, then it isn't two-way SSL/TLS.

JeffreyUrban avatar Nov 19 '21 21:11 JeffreyUrban

What exactly do you mean by credentials?

zmstone avatar Nov 19 '21 21:11 zmstone

A client certificate file is a credential. In the blog, the client presents the client certificate to the server, but we never let the server know that this client is allowed.

JeffreyUrban avatar Nov 19 '21 21:11 JeffreyUrban

Ah, I thought you meant a login credential Thank you for the report, we will update it.

zmstone avatar Nov 19 '21 21:11 zmstone

Is the update done to the blog as I do not see any update for client certificate verification

NoneeMouse avatar Dec 08 '22 11:12 NoneeMouse

Can Someone please update regarding this issue and how will server know that this client is allowed?

SharikSaigal87 avatar Jul 25 '24 09:07 SharikSaigal87

It's been a while, tried to recall the details as much as I can.

I believe the original issue report was fixed in this commit: https://github.com/emqx/blog/commit/b6281f088d58a1b259ab52a25763b7237a7a7718#diff-02669dcad19eb371f8e703628a5f1311f39187a862d37bc0e96151b121c9221cR159-R165 And it's already reflected in the latest version of the blog post https://www.emqx.com/en/blog/enable-two-way-ssl-for-emqx

That is: by configuring fail_if_no_peer_cert server will reject client immediately if the client does not send its certificate.

Please note though, the config examples provided in this blog post are for EMQX version 4. Latest is version 5, it has a different config layout, but essentially the same config entries. The latest TLS listener config can be found here: https://docs.emqx.com/en/emqx/latest/network/emqx-mqtt-tls.html#enable-ssl-tls-connection

@SharikSaigal87 For the server to know if a client is trusted or not, it would need to

  1. Configure fail_if_no_peer_cert, so the client must send its certificate (or a chain of certificates if the client cert is not directly issued by the root CA. TLS standard does not allow clients to send the root CA in the chain, but most of the servers (EMQX included) do not care, i.e. client can send the chain all the way up to the root CA).
  2. Configure cacertfile to a file which contains all the trusted root CA certificates (which issued the client certificates).

I am closing this issue here. You are welcome to ping me in this thread for more questions, or start a new discussion here

zmstone avatar Jul 28 '24 18:07 zmstone

also updated the blog with example for EMQX v5: https://github.com/emqx/blog/pull/1333

zmstone avatar Jul 29 '24 08:07 zmstone