emqx / emqx

The most scalable open-source MQTT broker for IoT, IIoT, and connected vehicles
https://www.emqx.com/

SSL certificate authentication #585

Closed Thibauth closed 6 years ago

Thibauth commented 8 years ago

I see that emqttd already supports SSL/TLS connections. Any plan to allow clients to be authenticated via SSL? This would basically involve:

ralphtheninja commented 8 years ago

+1

tenorviol commented 8 years ago

Yes! 👍

asanchezdelc commented 8 years ago

👍

emqplus commented 8 years ago

Hi All, Sorry for the delayed response. I've been busy on 2.0 release these days. We could support the SSL certificate authentication in 2.x release, I think.

tomazbracic commented 8 years ago

+1, That would be really needed and awesome.... please do! Support for ECDSA and ECDH(E) would be great, would it be possible to integrate this? For hardware based security.

teifip commented 8 years ago

+1.

AWS IoT uses TLS with client certificate validation and skips authentication at the MQTT layer. In the AWS IoT model, the association between client-id and certificate is configured at the broker side (attach a thing to a certificate). Therefore, there is no need to extract any value from the certificate and submit it for MQTT authentication. I believe the model has useful merits, and it would be great if emqttd could support it. One possibility could be to use an additional plug-in - similar to the existing emqttd_auth_http plugin - to pass {client-id, certificate} pairs to an external service and have a simple accepted/rejected response back.

fedenunez commented 7 years ago

+1

Thibauth commented 7 years ago

> AWS IoT uses TLS with client certificate validation and skips authentication at the MQTT layer. In the AWS IoT model, the association between client-id and certificate is configured at the broker side (attach a thing to a certificate). Therefore, there is no need to extract any value from the certificate and submit it for MQTT authentication.

I think both models —extracting the client id from the certificate or maintaining the (client id, certificate) association separately— have their merits. In the former, authentication can be completely stateless while the latter offers more flexibility. Ideally, an implementation of this feature would support both models.

KohliDev commented 7 years ago

Is this feature supported? We are using the EMQTT broker heavily; is there any alternate way to support client cert authentication with the EMQTT broker?

KohliDev commented 7 years ago

Any update on this issue?

Ryanauger95 commented 7 years ago

Any update on this?

rajeshemailto commented 7 years ago

I hope we are getting this very soon?

uodasuodas commented 6 years ago

A very needed feature; are there any updates on the status of this issue?

emqplus commented 6 years ago

@uodasuodas Sorry for the delay. We postponed the feature because the SSL library of Erlang/OTP consumes too many CPU/memory resources. We plan to provide an initial implementation in 2.4-beta.1, and the code will be ready this weekend.

emqplus commented 6 years ago

@Thibauth @ralphtheninja @fedenunez @uodasuodas @rajeshemailto

The X.509 certificate-based authentication is production ready now, which is released with EMQ R 2.3.2 :)

gautaz commented 6 years ago

Hello,

Sorry to comment on an already closed issue, my question is closely related to what @Thibauth was detailing in this comment but I can open a new issue if needed.

As stated by @emqplus, EMQ now supports authentication based on client certificates since version 2.3.2, but what remains unclear to me is if the client can be identified by its certificate. Is EMQ able to do this? If this is the case, I did not find anything in the latest documentation on this particular subject; can someone kindly point me in the right direction?

For instance, can I tell EMQ to identify a client based on its certificate common name? Any other means to link the certificate to the client identity would of course be an option.

I also had a look at this #1388 but I am a complete Erlang newbie...

Ryanauger95 commented 6 years ago

@gautaz If you are using the peer certificate as the username, you can implement an ACL plugin/hook in order to give them access to resources.

ok = emqttd_access_control:register_mod(acl, module_of_custom_acl_function, Opts),

where module_of_custom_acl_function is a module exporting the functions contained in emq_plugin_template/src/emq_acl_demo.erl

I would say that it does require some erlang knowledge, especially if you plan on checking against a database

gautaz commented 6 years ago

@PiedPieper Thanks for the tip, I will look into this depending on the time I'm given to investigate/develop on top of EMQ.

We are currently using Mosquitto with some issues and EMQ is a good candidate as a replacement but as we are also using the use_identity_as_username option, we need to find a way to keep this feature.
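The two models Thibauth contrasted above (identity taken from the certificate versus a broker-side client-id/certificate binding, as in AWS IoT), and the Mosquitto use_identity_as_username behaviour gautaz wants to keep, expressed as the decision logic an external accept/reject service could run. This is an added example, not emqx code; AuthByCommonName, AuthByBinding, Registry and NewTestCert are hypothetical names, and the self-signed certificate is constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Model A (stateless): identity comes from the Subject CN, as with Mosquitto's
// use_identity_as_username; the client-id sent at CONNECT must equal it.
func AuthByCommonName(clientID string, cert *x509.Certificate) bool {
	cn := cert.Subject.CommonName
	return cn != "" && cn == clientID
}

// Model B (AWS IoT style): the broker keeps a client-id -> certificate binding,
// stored here as the SHA-256 fingerprint of the DER-encoded certificate.
type Registry map[string]string
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}
func AuthByBinding(reg Registry, clientID string, cert *x509.Certificate) bool {
	want, ok := reg[clientID]
	return ok && want == Fingerprint(cert)
}

// NewTestCert is a hypothetical helper that mints a self-signed certificate
// with the given CN so the example runs offline; it is not emqx code.
func NewTestCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	cert := NewTestCert("sensor-42")
	reg := Registry{"sensor-42": Fingerprint(cert)}
	fmt.Println(AuthByCommonName("sensor-42", cert), AuthByBinding(reg, "sensor-42", cert)) // true true
	fmt.Println(AuthByCommonName("other", cert), AuthByBinding(reg, "other", cert))         // false false
}
```

Note the difference in what each model trusts: a second certificate carrying the same CN passes model A but is rejected by model B, because the binding pins the exact certificate rather than a name inside it.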