auth plugin to validate client cert? #995
Comments
The For your case, not using
Thanks for the feedback. Do you have more details on how you would ensure the plugin is always called? Introduce a new plugin function
My plan would be to always call
I'm happy to help you work through iterations of getting the changes made though, if that suits.
Could you elaborate on which checks you want to move to (what I assume is)
I think roughly everything from mosquitto/src/handle_connect.c Line 409 in d60b9d4
Just a heads-up: I've added a bunch of tests that cover my scenario and made some changes to the
Thanks for the update. If you'd like to make a pull request we can look at the code, there isn't a need for an ECA from our end until the code is ready to be accepted. I realise you might need to wait for approval before doing that though.
Hello, I'm also interested in the same behavior described here. I would like to be able to have the auth_plugin called, even though mosquitto is accepting the certificate. Since this issue is still open I was wondering if this found its way into a recent version already? (Still using an older mosquitto version at the moment)
I'm trying to create an auth plugin for 1.5.3 that controls client access based on their client certificate.

A first look at `mosquitto_plugin.h` seems to suggest this isn't possible: it only has functions to check username/password and TLS/PSK. However, reading about the config options `use_identity_as_username` and `use_subject_as_username`, I was assuming that if they are used the `mosquitto_auth_unpwd_check()` plugin function would be called and the username can be checked (and/or the complete certificate after calling `mosquitto_client_certificate()`). However, this doesn't seem to work: the plugin is never invoked. (Interestingly, if SIGHUP is sent to the broker it does invoke the plugin with the expected client information.)

I looked a bit deeper into the code; more specifically the `handle__connect()` function. I think I found the reason why it's not working: if TLS is enabled and `use_identity_as_username` or `use_subject_as_username` is set, then it will parse the certificate and fill in the username. Otherwise it invokes the `mosquitto_unpwd_check()` function if a username is provided. That 'otherwise' seems to be the culprit. If I remove that and make a few other minor changes then the plugin is invoked.

So the question is: is my scenario supposed to work and have I found a bug, or is this an unsupported use case?
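The control flow the issue describes, as an added illustration in plain C that is not mosquitto's code: a simplified model of the CONNECT authentication decision, with the reported flow (the certificate branch fills in the username and returns before the plugin hook) beside a corrected flow that always hands the derived username to the plugin. The structs, the `plugin_unpwd_check()` stand-in for `mosquitto_auth_unpwd_check()` and its allow-list are constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct config {                    /* broker settings on the path discussed */
    bool tls_enabled;
    bool use_identity_as_username;
    bool use_subject_as_username;
};

struct connection {
    const char *cert_identity;     /* extracted from the client cert, NULL if none */
    const char *username;          /* username from the CONNECT packet, or NULL */
    bool plugin_called;            /* records whether the plugin hook ran */
};

/* Stand-in for the plugin's mosquitto_auth_unpwd_check(): constructed allow-list. */
static bool plugin_unpwd_check(struct connection *c, const char *username)
{
    static const char *const allowed[] = { "sensor-01", "sensor-02" };
    c->plugin_called = true;
    if (username == NULL) return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(username, allowed[i]) == 0) return true;
    return false;
}

/* Reported flow: the cert branch sets the username and returns; the plugin only runs in the 'otherwise' branch. */
bool connect_auth_reported(const struct config *cfg, struct connection *c)
{
    c->plugin_called = false;
    if (cfg->tls_enabled && (cfg->use_identity_as_username || cfg->use_subject_as_username)) {
        c->username = c->cert_identity;
        return c->username != NULL;   /* any certificate the CA issued is accepted */
    } else if (c->username != NULL) {
        return plugin_unpwd_check(c, c->username);
    }
    return false;                     /* no credentials; assumes allow_anonymous false */
}

/* Corrected flow: same username derivation, then the plugin is always consulted. */
bool connect_auth_fixed(const struct config *cfg, struct connection *c)
{
    c->plugin_called = false;
    if (cfg->tls_enabled && (cfg->use_identity_as_username || cfg->use_subject_as_username))
        c->username = c->cert_identity;
    if (c->username == NULL) return false;
    return plugin_unpwd_check(c, c->username);
}
```

With the reported flow, any certificate the configured CA issued is enough to connect, so the plugin cannot narrow access to specific identities; the corrected flow keeps the username/password path unchanged while giving the plugin the final say on certificate identities too.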