absmach / magistrala

Industrial IoT Messaging and Device Management Platform
https://www.abstractmachines.fr/magistrala.html
Apache License 2.0

Mutual authentication configuration accidentally removed #883

Closed whitetiger21022014 closed 5 years ago

whitetiger21022014 commented 5 years ago

BUG REPORT

OS: Ubuntu 18 LTS, 64-bit, with mosquitto_pub version 1.4.15 on the same machine for the test

1. Run mainflux

```shell
AUTH=x509 docker-compose -f docker/docker-compose.yml -f docker/aedes.yml up
```

2. mosquitto_pub

```shell
mosquitto_pub -u 46c4d624-4603-4511-be4f-3c4e0e66b6bd -P c63c0704-e969-4386-895d-7ffd9a76d189 -t channels/0e3e3796-628f-49b8-a472-0cacbc20ffb1/messages -h localhost -m '[{"bn":"some-base-name:","bt":1.276020076001e+09, "bu":"A","bver":5]' --cafile docker/ssl/certs/ca.crt --cert docker/ssl/certs/gifted_noether.crt --key docker/ssl/certs/gifted_noether.key -p 8883 -d
```

3. Problem

```
Client mosqpub|27603-ubuntu18 sending CONNECT
Error: The connection was lost
```

4. How to fix

Step 1: Add 3 lines to docker/nginx/snippets/ssl.conf

```nginx
ssl_client_certificate /etc/ssl/certs/ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
```

And I still have the problem "MQTT username or password not provided" (https://github.com/mainflux/mainflux/blob/master/docker/ssl/authorization.js):

```javascript
if (flags < 192) {
    s.error('MQTT username or password not provided');
    return '';
}
```

I debugged it and flags is only 112, as below:

```
clientKey:c63c0704-e969-4386-895d-7ffd9a76d189
pass:pMQIsdp▒<mosqpub|61254-ubuntu18$46c4d624-4603-4511-be4f-3c4e0e66b6bd$c63c0704-e969-4386-895d-7ffd9a76d189 -----> length 112
```

Step 2: use string contains substring

```javascript
// var pass = parsePackage(s, data);
if (!clientKey.length || clientKey.length < 36 || !data || data.length < 112) {
    s.error('ClientKey is empty or length < 36, drop');
    s.off('upload');
    s.deny();
    return;
}
if (data.toString().includes(clientKey)) {
    s.log("Matched - in substring");
    s.off('upload');
    s.allow();
    return;
} else {
    s.error('Cert CN (' + clientKey + ') does not match client password');
    s.off('upload');
    s.deny();
    return;
}
```

BRs,

dborovcanin commented 5 years ago

@whitetiger21022014 I have tested this and I can confirm that there is a missing part in the Nginx configuration and that the lines you added in step 4 are one solution. I'll send a PR for that. However, please keep in mind that `if (flags < 192)` does not represent the size of the header but the CONNECT flag bits, and the first two are username and password (11xxxxxx, which is where 192 comes from). You can check the code comments and referenced links for a better explanation. Thanks for opening this issue!

whitetiger21022014 commented 5 years ago

@dusanb94 I just tested as below. Note: mainflux and mosquitto_pub are on the same laptop.

Step 1 (enable debug in nginx): add the line `error_log /tmp/nginx_mTLS_mqtt.log info;` to the file docker/nginx/nginx-x509.conf for debugging.

Step 2 (enable debug in authorization.js): docker/ssl/authorization.js

```javascript
// CONTROL(1) + MSG_LEN(1-4) + PROTO_NAME_LEN(2) + PROTO_NAME(4) + PROTO_VERSION(1)
var flags_pos = 1 + len_size + 2 + 4 + 1;
var flags = data.codePointAt(flags_pos);

// add 5 lines below for debugging
s.error('debug data:' + data);
s.error('debug data.codePointAt(remaining_len):' + data.codePointAt(remaining_len));
s.error('debug len_size:' + len_size);
s.error('debug flags_pos:' + flags_pos);
s.error('debug flags:' + flags);

// If there are no username and password flags (11xxxxxx), return.
if (flags < 192) {
    s.error('MQTT username or password not provided');
    return '';
}
```

Step 3: run mainflux and mosquitto_pub on the SAME laptop

```shell
AUTH=x509 docker-compose -f docker/docker-compose.yml -f docker/aedes.yml up
```

```shell
mosquitto_pub -u 46c4d624-4603-4511-be4f-3c4e0e66b6bd -P c63c0704-e969-4386-895d-7ffd9a76d189 -t channels/0e3e3796-628f-49b8-a472-0cacbc20ffb1/messages -h localhost -m '[{"bn":"some-base-name:","bt":1.276020076001e+09, "bu":"A","bver":5]' --cafile docker/ssl/certs/ca.crt --cert docker/ssl/certs/gifted_noether.crt --key docker/ssl/certs/gifted_noether.key -p 8883 -d
```

```
Client mosqpub|32075-ubuntu18 sending CONNECT
Error: The connection was lost.
```

Step 4: Result

```shell
root@ubuntu18:/opt# docker exec -it mainflux-nginx sh
/ # tail -f /tmp/nginx_mTLS_mqtt.log
```

```
2019/10/15 04:38:50 [info] 12#12: 1 client 172.18.0.1:52844 connected to 0.0.0.0:8883
2019/10/15 04:38:50 [error] 12#12: 1 js: debug data:pMQIsdp▒<mosqpub|32075-ubuntu18$46c4d624-4603-4511-be4f-3c4e0e66b6bd$c63c0704-e969-4386-895d-7ffd9a76d189
2019/10/15 04:38:50 [error] 12#12: 1 js: debug data.codePointAt(remaining_len):112
2019/10/15 04:38:50 [error] 12#12: 1 js: debug len_size:1
2019/10/15 04:38:50 [error] 12#12: 1 js: debug flags_pos:9
2019/10/15 04:38:50 [error] 12#12: 1 js: debug flags:112
2019/10/15 04:38:50 [error] 12#12: 1 js: MQTT username or password not provided
2019/10/15 04:38:50 [error] 12#12: 1 js: Cert CN (c63c0704-e969-4386-895d-7ffd9a76d189) does not match client password
```

Thank you

whitetiger21022014 commented 5 years ago

In the previous email, I saw 'pMQIsdp' in the logging. From https://mqtt.org/faq:

> How does MQTT relate to SCADA protocol and MQIsdp? The "SCADA protocol" and the "MQ Integrator SCADA Device Protocol" (MQIsdp) are both old names for what is now known as the MQ Telemetry Transport (MQTT). The protocol has also been known as "WebSphere MQTT" (WMQTT), though that name is also no longer used.

By default mosquitto_pub uses -V mqttv31, so I ran it with -V mqttv311 and the connection succeeded.

Run with -V mqttv311:

```shell
mosquitto_pub -u 46c4d624-4603-4511-be4f-3c4e0e66b6bd -P c63c0704-e969-4386-895d-7ffd9a76d189 -t channels/0e3e3796-628f-49b8-a472-0cacbc20ffb1/messages -h localhost -m '[{"bn":"some-base-name:","bt":1.276020076001e+09, "bu":"A","bver":5]' --cafile docker/ssl/certs/ca.crt --cert docker/ssl/certs/gifted_noether.crt --key docker/ssl/certs/gifted_noether.key -p 8883 -d -V mqttv311
```

```
Client mosqpub|33839-ubuntu18 sending CONNECT
Client mosqpub|33839-ubuntu18 received CONNACK
Client mosqpub|33839-ubuntu18 sending PUBLISH (d0, q0, r0, m1, 'channels/0e3e3796-628f-49b8-a472-0cacbc20ffb1/messages', ... (68 bytes))
Client mosqpub|33839-ubuntu18 sending DISCONNECT
```

```shell
tail -f /tmp/nginx_mTLS_mqtt.log
```

```
2019/10/15 05:25:34 [info] 10#10: 14 proxy 172.18.0.17:60972 connected to 172.18.0.14:1883
2019/10/15 05:25:34 [info] 10#10: 14 client disconnected, bytes from/to client:128/4, bytes from/to upstream:4/240
2019/10/15 05:25:59 [info] 10#10: 16 client 172.18.0.1:53490 connected to 0.0.0.0:8883
2019/10/15 05:25:59 [error] 10#10: 16 js: debug data:nMQTT▒<mosqpub|33839-ubuntu18$46c4d624-4603-4511-be4f-3c4e0e66b6bd$c63c0704-e969-4386-895d-7ffd9a76d189
2019/10/15 05:25:59 [error] 10#10: 16 js: debug data.codePointAt(remaining_len):110
2019/10/15 05:25:59 [error] 10#10: 16 js: debug len_size:1
2019/10/15 05:25:59 [error] 10#10: 16 js: debug flags_pos:9
2019/10/15 05:25:59 [error] 10#10: 16 js: debug flags:194
2019/10/15 05:25:59 [info] 10#10: 16 proxy 172.18.0.17:60978 connected to 172.18.0.14:1883
2019/10/15 05:25:59 [info] 10#10: 16 client disconnected, bytes from/to client:128/4, bytes from/to upstream:4/240
```

The problem is the MQTT client's version, mqttv31 vs mqttv311.

BRs,
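The two logs above show why the fixed offset misreads the flags byte: `flags_pos = 1 + len_size + 2 + 4 + 1` assumes the 4-byte protocol name "MQTT" of v3.1.1, but a v3.1 CONNECT carries the 6-byte name "MQIsdp", so index 9 lands on its trailing 'p' (0x70 = 112) instead of the connect flags (0xC2 = 194). The example below is added here and is not code from the Mainflux repository or its authorization.js: it parses the CONNECT variable header by reading the protocol-name length field, so both protocol versions yield the real flags byte, and it compares the parsed password field to the certificate CN exactly rather than searching the whole packet for a substring (a substring match would also accept a client id that happens to contain the key). The function names, the packet builder and the sample packets are constructed for this example; the thing id and key are the values used in the issue, and the constructed packets come out at the same 112- and 110-byte remaining lengths the log printed. It runs on Node.js, which provides `Buffer`.

```javascript
// Added example (not from the Mainflux repository or its authorization.js):
// parse the MQTT CONNECT variable header by reading the protocol-name length
// field instead of assuming a 4-byte name, so both MQTT v3.1 ("MQIsdp") and
// v3.1.1 ("MQTT") packets yield the real connect-flags byte. Node.js.

const USERNAME_FLAG = 0x80;
const PASSWORD_FLAG = 0x40;
const WILL_FLAG = 0x04;

// Decode the variable-length "remaining length" (1-4 bytes, 7 data bits each).
function decodeRemainingLength(buf, pos) {
  let multiplier = 1, value = 0, len = 0, byte;
  do {
    if (len >= 4 || pos + len >= buf.length) throw new Error('malformed remaining length');
    byte = buf[pos + len];
    value += (byte & 0x7f) * multiplier;
    multiplier *= 128;
    len += 1;
  } while (byte & 0x80);
  return { value, len };
}

function encodeRemainingLength(n) {
  const out = [];
  do {
    let b = n % 128;
    n = Math.floor(n / 128);
    if (n > 0) b |= 0x80;
    out.push(b);
  } while (n > 0);
  return Buffer.from(out);
}

// Parse a CONNECT packet into the fields an authorization hook cares about.
function parseConnect(buf) {
  if (buf.length < 2 || (buf[0] >> 4) !== 1) throw new Error('not a CONNECT packet');
  const rl = decodeRemainingLength(buf, 1);
  let pos = 1 + rl.len;
  if (pos + rl.value > buf.length) throw new Error('truncated CONNECT packet');
  const readString = () => {           // MQTT string: 2-byte big-endian length + bytes
    const n = buf.readUInt16BE(pos); pos += 2;
    const s = buf.toString('utf8', pos, pos + n); pos += n;
    return s;
  };
  const protocolName = readString();   // "MQIsdp" (v3.1) or "MQTT" (v3.1.1+)
  const protocolLevel = buf[pos]; pos += 1;
  const flags = buf[pos]; pos += 1;    // the byte a fixed offset misreads for v3.1
  const keepAlive = buf.readUInt16BE(pos); pos += 2;
  const clientId = readString();
  if (flags & WILL_FLAG) { readString(); readString(); } // skip will topic and will message
  const username = (flags & USERNAME_FLAG) ? readString() : null;
  const password = (flags & PASSWORD_FLAG) ? readString() : null;
  return { protocolName, protocolLevel, flags, keepAlive, clientId, username, password };
}

// Authorization decision: both credential flags set and the password field
// equals the certificate CN exactly (no substring search over the packet).
function credentialsMatchCert(buf, certCN) {
  const c = parseConnect(buf);
  const both = USERNAME_FLAG | PASSWORD_FLAG;
  return (c.flags & both) === both && c.password === certCN;
}

// The fixed-offset read from the issue's authorization.js, kept for comparison:
// CONTROL(1) + MSG_LEN(len_size) + PROTO_NAME_LEN(2) + PROTO_NAME(4) + PROTO_VERSION(1).
function fixedOffsetFlags(buf) {
  const rl = decodeRemainingLength(buf, 1);
  return buf[1 + rl.len + 2 + 4 + 1];
}

// Build a CONNECT packet (constructed sample data, not a captured packet).
function buildConnect(protocolName, level, clientId, username, password) {
  const str = (s) => {
    const b = Buffer.from(s, 'utf8');
    const l = Buffer.alloc(2); l.writeUInt16BE(b.length);
    return Buffer.concat([l, b]);
  };
  const flags = USERNAME_FLAG | PASSWORD_FLAG | 0x02; // username, password, clean session
  const body = Buffer.concat([
    str(protocolName), Buffer.from([level, flags, 0x00, 0x3c]), // keep-alive 60 s
    str(clientId), str(username), str(password),
  ]);
  return Buffer.concat([Buffer.from([0x10]), encodeRemainingLength(body.length), body]);
}

// Constructed inputs sized like the packets in the nginx log: thing id as
// username, thing key as password (the values from the issue).
function demo() {
  const uid = '46c4d624-4603-4511-be4f-3c4e0e66b6bd';
  const key = 'c63c0704-e969-4386-895d-7ffd9a76d189';
  const pkts = [buildConnect('MQIsdp', 3, 'mosqpub|32075-ubuntu18', uid, key),
                buildConnect('MQTT', 4, 'mosqpub|33839-ubuntu18', uid, key)];
  return pkts.map((pkt) => {
    const c = parseConnect(pkt);
    const r = { proto: c.protocolName, remaining: pkt[1], fixedOffsetFlags: fixedOffsetFlags(pkt),
                parsedFlags: c.flags, match: credentialsMatchCert(pkt, key) };
    console.log(r);
    return r;
  });
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Running it prints the v3.1 packet with remaining length 112, a fixed-offset read of 112 and a parsed flags byte of 194, and the v3.1.1 packet with remaining length 110 and 194 from both reads; reading the name length from the packet is what removes the version dependence.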

krishna710942 commented 4 years ago

```shell
mosquitto_pub -u 526d9169-5354-4026-adfa-6cac3f548812 -P 417a3ee2-d674-43bc-aee5-f916138cc68f -t channels/0555fcf6-c4b2-45cb-9298-8934ee98876c/messages -h localhost -m '[{"bn":"some-base-name:","bt":1.276020076001e+09, "bu":"A","bver":5]' --cafile docker/ssl/certs/ca.crt --cert docker/ssl/certs/thing.crt --key docker/ssl/certs/thing.key -p 8883 -d -V mqttv311
```

```
Client mosqpub/25477-krishna-T sending CONNECT
Error: The connection was lost.
```

Error:

```
mainflux-mqtt | {"level":"info","message":"Accepted new client","ts":"2020-05-11T13:32:42.923764662Z"}
mainflux-mqtt | {"level":"info","message":"Disconnect - Client with ID: mosqpub/18708-krishna-T and username 526d9169-5354-4026-adfa-6cac3f548812 disconnected","ts":"2020-05-11T13:32:42.926044647Z"}
mainflux-mqtt | {"level":"warn","message":"Broken connection for client: mosqpub/18708-krishna-T with error: rpc error: code = PermissionDenied desc = missing or invalid credentials provided","ts":"2020-05-11T13:32:42.926382162Z"}
mainflux-things | {"level":"warn","message":"Method identify for key 417a3ee2-d674-43bc-aee5-f916138cc68f and thing took 774.994µs to complete with error: missing or invalid credentials provided.","ts":"2020-05-11T13:32:42.92572698Z"}
```

mteodor commented 4 years ago

@krishna710942 we support MQTT from v3.1.1 onward.