Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

mTLS support for websockets #3164

Open
CoRfr opened this issue Nov 13, 2024 · 3 comments
Open

mTLS support for websockets #3164

CoRfr opened this issue Nov 13, 2024 · 3 comments
Labels
Status: Available No one has claimed responsibility for resolving this issue.

Comments

@CoRfr
Copy link

CoRfr commented Nov 13, 2024

Tested on Linux (Ubuntu 24.04)

When configured for client certificates with required_certificate true, capath and protocol websockets, mosquitto sends a TLSV1_ALERT_UNKNOWN_CA / SSL alert number 48 when a client initiates the connection with a certificate issued by a trusted CA (ie, a certificate issued by a CA whose certificate is present in the capath mosquitto option).

If the client doesn't provide a certificate, I encounter a TLSV13_ALERT_CERTIFICATE_REQUIRED as expected.

If I use protocol mqtt instead of protocol websockets, the connection works as expected.
I've also tried with an without an intermediate cert on the client side and that doesn't seem to change the outcome.

@github-actions github-actions bot added the Status: Available No one has claimed responsibility for resolving this issue. label Nov 13, 2024
@CoRfr
Copy link
Author

CoRfr commented Nov 13, 2024

Sample configuration:

per_listener_settings true
connection_messages true
persistence false
max_queued_bytes 50000000
max_queued_messages 100000
listener 28842 127.0.0.1
protocol websockets
allow_anonymous true
allow_zero_length_clientid false
log_type all
tls_version tlsv1.3
certfile /tmp/mosquitto/server/chain.pem
keyfile /tmp/mosquitto/server/private.key
require_certificate true
use_subject_as_username true
capath /tmp/mosquitto/client/ca

Can be tested using openssl:

openssl s_client -host localhost \
                 -port 28842 \
                 -verifyCAfile /tmp/mosquitto/server/ca/cert.pem \
                 -cert /tmp/mosquitto/client/cert.pem \
                 -cert_chain /tmp/mosquitto/client/chain.pem \
                 -key /tmp/mosquitto/client/private.key

@CoRfr
Copy link
Author

CoRfr commented Nov 13, 2024

Turns out it works if cafile is provided instead of capath because of this in websockets.c:

src/websockets.c:	info.ssl_ca_filepath = listener->cafile;

@CoRfr
Copy link
Author

CoRfr commented Nov 13, 2024

This appears to be a limitation in libwebsockets. I created issue warmcat/libwebsockets#3276 on this topic.
At the moment, it doesn't appear that there is any other way to load trusted client CAs than through ssl_ca_filepath, which only accepts a file.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
Status: Available No one has claimed responsibility for resolving this issue.
Projects
None yet
Development

No branches or pull requests

1 participant