Emqx: SSL/TLS certificate client authentication?

Created on 3 Aug 2017  路  6Comments  路  Source: emqx/emqx

Environment

  • OS: Ubuntu
  • Erlang/OTP: 19.2
  • EMQ: 2.2

Description

Hello,

In both this question: https://github.com/emqtt/emqttd/issues/794 and this question: https://github.com/emqtt/emqttd/issues/585 certificate based client authentication is brought up and it was mentioned that it was being worked on in 2.1 and 2.2. Has this feature been deployed?

Currently, my application is using TLS-PSK to connect clients, and it's important to me that I can also authenticate them with the psk-identity if possible. Do you have any thoughts on how this could be done? I have read up on hooks quite a bit, and an idea I had was that whenever a client connected I could maybe change the Client Id in #mqtt_client to equal the psk-identity, but I can't find 1) where the client-id is set and 2)When this is set, i need access to the psk-identity, which doesn't seem to be accessible from anywhere.

Do you have any thoughts on how to accomplish this in the meantime before any version with certificate based authentication is added to the platform?

Enhancement High Security

Most helpful comment

Is this feature release in 2.3-beta?
We need this functionality and I need to check what can be used as a starting point. Could you share any pointers.

All 6 comments

@codewiget95 This feature will be released in R2.3 :)

@emqplus, I am currently working on implementing this right now... is your email [email protected]? I'd love to chat about your implementation, especially since mine is for PSKs and I imagine you are using ssl:peercert?

@codewiget95 My email: [email protected] We implemented this feature using ssl:peercert to decode the DN and CN. You can discuss your design with [email protected] and submit a PR later:)

Is this feature release in 2.3-beta?
We need this functionality and I need to check what can be used as a starting point. Could you share any pointers.

Are there any updates on this issue? Is it going to be implemented at some time in near future? A very important and needed feature.

@uodasuodas @rejji @codewiget95 @codewiget95 The X.509 certificate-based authentication has been production ready in R2.3.2. Close the issue.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

stefano055415 picture stefano055415  路  4Comments

jemc picture jemc  路  5Comments

arnecs-piscada picture arnecs-piscada  路  5Comments

mariusstaicu picture mariusstaicu  路  3Comments

andywang2014 picture andywang2014  路  5Comments