broker 1.5 conf use_identity_as_username true: TLS is broken (#833)
Comments
I think the problem isn't the logging but the actual user name is set incorrectly. At least, I changed my ACL file to have "User ^N" (with an actual control-N), and the client started working again. I'm seeing this on a NetBSD system.
I haven't prepared a pull request for this but the problem is in handle_connect.c. In version 1.4.15, the commonName was extracted like this:

```c
i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
name_entry = X509_NAME_get_entry(name, i);
/* ASN1_STRING_data() yields the entry's byte buffer, which is what gets copied */
context->username = _mosquitto_strdup((char *)ASN1_STRING_data(X509_NAME_ENTRY_get_data(name_entry)));
```

but in 1.5, it's like this:

```c
i = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
name_entry = X509_NAME_get_entry(name, i);
/* X509_NAME_ENTRY_get_data() returns an ASN1_STRING *, which is cast to char * as if it were the text */
context->username = mosquitto__strdup((char *)X509_NAME_ENTRY_get_data(name_entry));
```

These appear to be independent fixes to the same issue, but the fix in 1.4.15 (commit fff7416) is correct in this case. I've verified that 1.5 works correctly with a call to ASN1_STRING_data() inserted as in 1.4.15.
I got the same issue.
1.5:
The culprit seems to be the commit 9c6a5f3#diff-72af1417df06c9efe29630bd226a62b3.
@bricewge the problem with your change is that it won't work with openssl before version 1.1. The essential change from the previous commit is using X509_NAME_ENTRY_get_data() rather than accessing the structure members directly, so I think using the code from 1.4.15 is probably the way to go until older versions of openssl all go away.
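The two comments above describe the defect (an `ASN1_STRING *` cast straight to `char *`) and the portability constraint (OpenSSL 1.0.2 vs. 1.1). The following is an added example, not code from mosquitto, OpenSSL or any commenter in this thread: it reproduces the mechanism with a mock struct whose field order mirrors OpenSSL 1.0.2's `struct asn1_string_st` (the type is opaque from 1.1.0 on), so it builds without linking libcrypto. The CN value "rpip3", the function names and the little-endian byte order are assumptions made for the demo.

```c
/* Added example (not mosquitto or OpenSSL code): why casting an ASN1_STRING *
 * to char * turns a certificate CN into a control character, next to the
 * extraction that uses the data field, as the 1.4.15 fix did.
 * mock_asn1_string mirrors the field order of OpenSSL 1.0.2's
 * struct asn1_string_st; everything else is constructed for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int length;          /* byte count of data; first field in memory */
    int type;            /* V_ASN1_UTF8STRING etc.; unused here */
    unsigned char *data; /* the CN bytes */
    long flags;
} mock_asn1_string;

/* Local strdup so the file builds without feature-test macros. */
static char *c_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* What 1.5 did: the struct pointer itself is treated as the string, so the
 * copy stops at the first zero byte of 'length' (5 -> "\x05" on little-endian). */
char *username_struct_cast(const mock_asn1_string *s) {
    return c_strdup((const char *)s);   /* defect kept on purpose */
}

/* What the 1.4.15 fix did via ASN1_STRING_data(): read the data field.
 * Copying exactly 'length' bytes also avoids relying on a trailing NUL. */
char *username_from_data(const mock_asn1_string *s) {
    char *out = malloc((size_t)s->length + 1);
    if (!out) return NULL;
    memcpy(out, s->data, (size_t)s->length);
    out[s->length] = '\0';
    return out;
}

/* Render a control byte the way the log viewer shows it ("^E" for 0x05). */
const char *control_repr(unsigned char b) {
    static char buf[3];
    if (b < 0x20) { buf[0] = '^'; buf[1] = (char)(b + '@'); buf[2] = '\0'; }
    else          { buf[0] = (char)b; buf[1] = '\0'; }
    return buf;
}

/* Constructed sample: a client certificate whose CN is "rpip3" (5 bytes). */
static unsigned char sample_cn[] = "rpip3";
static const mock_asn1_string sample_entry = { 5, 12, sample_cn, 0 };

int broken_username_first_byte(void) {
    char *u = username_struct_cast(&sample_entry);
    int b = u ? (unsigned char)u[0] : -1;
    free(u);
    return b;
}

size_t broken_username_length(void) {
    char *u = username_struct_cast(&sample_entry);
    size_t n = u ? strlen(u) : 0;
    free(u);
    return n;
}

int fixed_username_matches(const char *expected) {
    char *u = username_from_data(&sample_entry);
    int ok = u && strcmp(u, expected) == 0;
    free(u);
    return ok;
}

int main(void) {
    char *bad = username_struct_cast(&sample_entry);
    char *good = username_from_data(&sample_entry);
    if (!bad || !good) return 1;
    printf("struct cast: %s (strlen %zu)\n", control_repr((unsigned char)bad[0]), strlen(bad));
    printf("data field : %s\n", good);
    free(bad);
    free(good);
    return 0;
}
```

This is why the reporter's log shows `u'^E'` for the 5-byte CN "rpip3" and why an ACL line of "User ^N" matched a client with a 14-byte CN: the username is the CN's length, not its value, so every client whose CN has the same length collapses onto the same identity and identity-based ACLs stop distinguishing them. In real code against OpenSSL the data accessor is `ASN1_STRING_get0_data()` on 1.1.0 and later and `ASN1_STRING_data()` on 1.0.2; selecting between them with an `OPENSSL_VERSION_NUMBER` check keeps the fix portable across the versions the comment above is concerned with.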
Note there is a comment as below in ChangeLog.txt on mosquitto v1.5.
@toast-uz don't forget that openssl 1.0.2 is LTS, and very much still supported. What exactly is the "information" you feel is required here given your tagging?
Signed-off-by: Brice Waegeneire <[email protected]>
Closes #833. Thanks to David Crook and Brice Waegeneire. Bug: #833 Signed-off-by: Roger A. Light <[email protected]>
The PR #868 is now merged into the
It's good with me, you can close the issue (I can't do it myself).
@ralight I think there should be a CVE for this so older distros, e.g. Ubuntu 16.04, get this fix backported. I recently ran into this issue on a fairly recently updated Ubuntu 16.04 server install, and I see that they do backport CVEs, but I don't see a CVE for this listed under https://mosquitto.org/security/ -- correct me if I'm wrong?
On a raspberry pi using raspbian package Version: 1.5-0mosquitto1, in the broker logfile, the logged username no longer matches the Common Name found in the client certificate.

output from:

```
sudo less /var/log/mosquitto/mosquitto.log
```

the `u'^E'` and `u'^D'` in the log message above used to reflect the Common Name in the certificate, e.g. in output from 1.4.15 it is `u'rpip3'`