chirpstack / chirpstack-gateway-bridge

ChirpStack Gateway Bridge abstracts Packet Forwarder protocols into Protobuf or JSON over MQTT.
https://www.chirpstack.io
MIT License

allow multiple mqtt brokers & InsecureSkipVerify flag with ssl config #93

Closed kushal154 closed 4 years ago

kushal154 commented 5 years ago

Is this a bug or a feature request?

Feature Request

What did you expect?

1) I want to set up multiple MQTT brokers. As per the current config file, it accepts only one.
2) I want to allow MQTT over SSL when the host is an IP address and not a domain.

What version are you using?

master

How can your issue be reproduced?

If I try to do ssl over mqtt with server="ssl://192.168.0.104:8883", it gives an error.

ERRO[0000] could not setup mqtt backend, retry in 2 seconds: Network Error : x509: cannot validate certificate for 192.168.0.104 because it doesn't contain any IP SANs

I have created a patch which is working for me. Can you please incorporate the changes and make it available in the next point release. lora-gateway-bridge-patch.txt

brocaar commented 5 years ago

I believe you can generate a TLS certificate for an IP address, see also: https://serverfault.com/questions/611120/failed-tls-handshake-does-not-contain-any-ip-sans. Simply bypassing the certificate validation does not sound like a good idea to me.

Connecting to multiple MQTT brokers is currently not possible. Instead of splitting the server, why not add a "servers" key which can be an array of hostnames / IPs in TOML syntax?

In that case the following could happen:

What do you think?

kushal154 commented 5 years ago

I think we can keep InsecureSkipVerify as a configurable parameter in TOML. By default, it is false with an option to change it to true. That way we can leave it for the end user to decide.

On the multiple MQTT brokers, we can consider either of the two ways. There are enough open client libraries following one or the other approach. I think it's just a matter of choice.

brocaar commented 4 years ago

I'm closing this issue. #141 implemented the multiple MQTT broker option. With regards to the certificate issue, I think it is better / safer to make sure the MQTT server is resolvable by the CN as configured in the certificate. This means either configure the hostname properly or update the certificate of your MQTT broker.