VolantMQ / volantmq

High-Performance MQTT Server
Apache License 2.0

TLS is ignored #165

Closed X-Ryl669 closed 4 years ago

X-Ryl669 commented 4 years ago


Version of VolantMQ (or SHA)

build info:
    commit : 58b0776
    branch : HEAD
    state  : clean
    summary: v0.4.0-rc.6
    date   : 2020-01-25T18:41:49Z
    version: v0.4.0-rc.6

Version of Go (go version)?

None (or don't know how to get docker's version)

What issue did you see?

TLS enabled in the config does not work; VolantMQ is listening on the given port without SSL. Here's the relevant part of the config:

listeners:
  defaultAddr: "0.0.0.0" # default 127.0.0.1
  mqtt:
    tcp:
      1883:
        host: "0.0.0.0"
      8883:
        host: "0.0.0.0"
        tls:
          cert: "/etc/volantmq/nvse.crt"
          key: "/etc/volantmq/nvse.key"

And here's how I'm starting docker:

docker run --rm -p 1883:1883 -p 8883:8883 -p 8080:8080 -v $(pwd)/volantmqCfg.yaml:/etc/volantmq/config.yaml -v $(pwd)/nvse.crt:/etc/volantmq/nvse.crt -v $(pwd)/nvse.key:/etc/volantmq/nvse.key --env VOLANTMQ_CONFIG=/etc/volantmq/config.yaml volantmq/volantmq

Indeed, both files are accessible inside the container:

docker exec -i 799a9b413d42 ls -l /etc/volantmq
total 12
-rw-r--r--    1 1000     1000          3074 Apr  1 15:25 config.yaml
-rw-r--r--    1 1000     1000          1103 Apr  1 14:15 nvse.crt
-rw-r--r--    1 1000     1000          1704 Apr  1 14:15 nvse.key

Yet, the server is not listening with TLS enabled (only plain protocol) on port 8883.

$ openssl s_client -connect :8883
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1585755791
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

troian commented 4 years ago

It's a rather bad and old design. Can you try the following config for now? Meanwhile I'll push a fix to put everything under the tcp section.

    tcp:
      1883:
        host: "0.0.0.0"
    ssl:
      8883:
        host: "0.0.0.0"
        tls:
          cert: "/etc/volantmq/nvse.crt"
          key: "/etc/volantmq/nvse.key"
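
Two checks written for this thread, not VolantMQ's own code: a lint over the parsed `listeners` mapping that flags a `tls` block placed under `tcp` (which rc.6 silently ignores, so the port comes up plaintext), and a handshake probe that tells a TLS port from a plaintext one, which is what the `openssl s_client` output above shows. It assumes the `ssl:` block in the maintainer's reply sits beside `tcp:` under `listeners.mqtt`, and the dicts are constructed here as the parsed form of the YAML in this issue (feed a real config through PyYAML's `safe_load` yourself).

```python
# Lint a VolantMQ `listeners` mapping for a `tls` block under `tcp` (ignored by
# v0.4.0-rc.6, port comes up plaintext) and probe a port for a real TLS handshake.
import socket
import ssl

def ignored_tls_listeners(listeners: dict) -> list:
    """Ports under mqtt.tcp that carry a `tls` block; TLS belongs under mqtt.ssl."""
    tcp = (listeners.get("mqtt") or {}).get("tcp") or {}
    return sorted(int(p) for p, o in tcp.items() if isinstance(o, dict) and "tls" in o)

def tls_listeners(listeners: dict) -> list:
    """Ports under mqtt.ssl, the ones the broker will actually wrap in TLS."""
    return sorted(int(p) for p in (listeners.get("mqtt") or {}).get("ssl") or {})

def speaks_tls(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if host:port completes (or at least reaches certificate verification
    in) a TLS handshake. A plaintext listener answers the ClientHello with an EOF
    or junk, the `SSL handshake has read 0 bytes` case in the s_client output."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLCertVerificationError:
        return True   # server sent a cert we don't trust: TLS is on, trust is a separate check
    except (ssl.SSLError, OSError):
        return False

# Constructed: parsed form of the reporter's `listeners:` block (tls under tcp).
BROKEN = {"mqtt": {"tcp": {
    1883: {"host": "0.0.0.0"},
    8883: {"host": "0.0.0.0", "tls": {"cert": "/etc/volantmq/nvse.crt",
                                      "key": "/etc/volantmq/nvse.key"}}}}}
# Constructed: parsed form of the maintainer's suggested layout (tls under ssl).
FIXED = {"mqtt": {
    "tcp": {1883: {"host": "0.0.0.0"}},
    "ssl": {8883: {"host": "0.0.0.0", "tls": {"cert": "/etc/volantmq/nvse.crt",
                                              "key": "/etc/volantmq/nvse.key"}}}}}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "tls ignored on:", ignored_tls_listeners(cfg),
              "tls ports:", tls_listeners(cfg))
    print("127.0.0.1:8883 speaks TLS:", speaks_tls("127.0.0.1", 8883))
```

Run it against a broker started with each layout; the lint catches the misplaced block before deployment, and the probe confirms that 8883 now refuses plaintext.
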

X-Ryl669 commented 4 years ago

Yes it's working!

troian commented 4 years ago

v0.4.0-rc.7