Emqx: Restrict to one connection per certificate

Created on 25 Apr 2019  路  4Comments  路  Source: emqx/emqx

Environment

  • OS: CentOS Linux release 7.6.1810
  • Erlang/OTP: R21/10.2.1
  • EMQ: EMQ X Broker v3.0.1

Description

In my use case, the broker and all clients will have TLS certificates signed by the same private CA, each with a unique CN field. I am trying to create a setup which will only allow each client certificate to be used for a single broker connection at a time, preferably by shutting down the older connection, but it would also be acceptable if the new connection was refused.

After searching a bit, I found #913 which would appear to say that this cannot be done on a username basis (i.e. with "peer_cert_as_username = cn").

Is there any way my one-connection-per-certificate restriction can be done with the functionality built into EMQX directly? If not, can you please recommend the easiest path to implement this functionality?

wontfix

All 4 comments

Hi, @jbrzozoski The current version does not support to restrict one-connection-per-certificate directly!

We'll discuss whether to implement this feature into the next version! But now you can use the following workaround to resolve it:

  1. Use the EMQ X v3.1 and enable the two-way SSL handshake
  2. Enable the emqx_web_http plugin and config the '%cn' placeholder to auth_req params
  3. Implement the one-connection-per-certificate logic in your web server

Okay, I see that the %cn parameter was added to emqx_auth_http after v3.0, so I'll have to upgrade.

On my web server, I would rather not keep track of which clients are connected or not. But looking at the EMQX REST API, it provides a way to query active connections based on client ID. So, before authenticating a new connection, my web app should require that the CN matches the client ID and then query the EMQX REST API to see if that particular client ID already has any open connections. Does that sound reasonable?

Is there a way to force the client ID to match the CN? I tried turning on the feature to force the client ID to match the username, but it must be done before the peer_cert_as_username is handled, since the end result was that the final client ID was the username passed from the client and the final username was the CN.

So, before authenticating a new connection, my web app should require that the CN matches the client ID and then query the EMQX REST API to see if that particular client ID already has any open connections. Does that sound reasonable?

Yes! it ok. But It is a better way to update client online state using emqx_web_hook's client.connected/client.disconnected hooks.

Is there a way to force the client ID to match the CN?

Not support

And we have discussed the one-connection-per-certificate feature. Our leader think it belongs to the business layer logic, so we'll not implement this feature in the EMQ X

Was this page helpful?
0 / 5 - 0 ratings

Related issues

codewiget95 picture codewiget95  路  6Comments

rootqa picture rootqa  路  3Comments

franquis picture franquis  路  5Comments

baer-devl picture baer-devl  路  4Comments

mikybone picture mikybone  路  3Comments