Client certificate authentication with Web MQTT


cocowalla

Jun 8, 2018, 11:05:32 AM
to rabbitmq-users
Not sure if this is a bug, or just some weirdness :)

I'm trying to setup MQTT over TLS-secured Web Sockets, using the Web MQTT plugin, with clients authenticated using x509.

I previously got this working with MQTT (not over Web Sockets) using:

mqtt.ssl_cert_login        = true
mqtt.listeners.ssl.default = 8886

I have my 'main' SSL options set with:

ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.depth                = 2
ssl_options.secure_renegotiate   = true
ssl_options.cacertfile           = /usr/local/share/cacert.pem
ssl_options.certfile             = /usr/local/share/cert.pem
ssl_options.keyfile              = /run/secrets/key.pem
ssl_options.versions.1           = tlsv1.2

auth_mechanisms.3 = EXTERNAL
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN

...and this works fine - the MQTT plugin appears to use the 'main' SSL config that is also used for AMQP connections. So I assumed that MQTT over Web Sockets would use this same configuration (there isn't any mention in the docs), but unfortunately not - the only way I was able to get it working was by using advanced.config:

{rabbitmq_web_mqtt,
 [{ssl_config,
   [{ip,                   "0.0.0.0"},
    {port,                 15676},
    {backlog,              1024},
    {cacertfile,           "/usr/local/share/cacert.pem"},
    {certfile,             "/usr/local/share/cert.pem"},
    {keyfile,              "/run/secrets/key.pem"},
    {depth,                2},
    {verify,               verify_peer},
    {fail_if_no_peer_cert, true},
    {versions,             ['tlsv1.2']},
    {honor_cipher_order,   true},
    {honor_ecc_order,      true},
    {secure_renegotiate,   true},
    {ciphers,              [{rsa,aes_256_cbc,sha256},
                            {rsa,aes_128_cbc,sha256},
                            {rsa,aes_256_cbc,sha},
                            {rsa,'3des_ede_cbc',sha},
                            {rsa,aes_128_cbc,sha},
                            {rsa,des_cbc,sha}]}]
  }]
}

Is this a bug, or do the docs need updating? Happy to submit a PR if it's the latter.
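An added example, not from this thread or from the RabbitMQ project: a small Python audit that parses an advanced.config term like the one posted above and flags settings that would undermine x509 client authentication (verify not set to verify_peer, fail_if_no_peer_cert not true) or that weaken the TLS layer (legacy protocol versions, single-DES and 3DES suites, both of which appear in the posted cipher list). The Erlang-term parser, the weak-cipher list and the condensed sample term are my own constructions.

```python
import re

# Constructed sample: the rabbitmq_web_mqtt ssl_config from the post, condensed to one term.
SAMPLE = """{rabbitmq_web_mqtt, [{ssl_config,
  [{ip, "0.0.0.0"}, {port, 15676}, {cacertfile, "/usr/local/share/cacert.pem"},
   {verify, verify_peer}, {fail_if_no_peer_cert, true}, {versions, ['tlsv1.2']},
   {ciphers, [{rsa,aes_256_cbc,sha256}, {rsa,'3des_ede_cbc',sha}, {rsa,des_cbc,sha}]}]}]}"""

class Sym(str): pass  # punctuation token ({ } [ ] ,), kept distinct from string/atom values
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([a-z]\w*)|(-?\d+)|([{}\[\],])|(\S)')

def tokenize(text):
    tokens = []
    for m in TOKEN.finditer(text):  # whitespace is simply skipped, anything unknown is 'bad'
        string, qatom, atom, num, punct, bad = m.groups()
        if bad:
            raise ValueError(f"unexpected character {bad!r}")
        # "strings", 'quoted atoms' and bare atoms all become plain str
        tokens.append(int(num) if num else Sym(punct) if punct
                      else next(s for s in (string, qatom, atom) if s is not None))
    return tokens

def parse(tokens, i=0):
    """Recursive descent: {...} -> tuple, [...] -> list. Returns (value, next index)."""
    tok = tokens[i]
    if isinstance(tok, Sym) and tok in ("{", "["):
        close, items, i = Sym("}" if tok == "{" else "]"), [], i + 1
        while not (isinstance(tokens[i], Sym) and tokens[i] == close):
            value, i = parse(tokens, i)
            items.append(value)
            if isinstance(tokens[i], Sym) and tokens[i] == ",":
                i += 1
        return (tuple(items) if close == "}" else items), i + 1
    return tok, i + 1

WEAK_CIPHERS = {"des_cbc", "3des_ede_cbc", "rc4_128", "null"}  # my own list, not RabbitMQ's
LEGACY_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1"}

def audit_web_mqtt_tls(term):
    """Return findings for the ssl_config proplist; an empty list means it passed."""
    _app, props = term                      # ({rabbitmq_web_mqtt, [{ssl_config, [...]}]})
    ssl = dict(dict(props)["ssl_config"])   # proplist -> {key: value}
    findings = []
    if ssl.get("verify") != "verify_peer":
        findings.append("verify must be verify_peer, otherwise no client certificate is requested")
    if ssl.get("fail_if_no_peer_cert") != "true":
        findings.append("fail_if_no_peer_cert must be true, otherwise clients without a certificate are accepted")
    findings += [f"legacy protocol version enabled: {v}" for v in ssl.get("versions", []) if v in LEGACY_VERSIONS]
    findings += [f"weak cipher suite enabled: {s}" for s in ssl.get("ciphers", []) if s[1] in WEAK_CIPHERS]
    return findings
```

Run as `audit_web_mqtt_tls(parse(tokenize(open("advanced.config").read()))[0])` on a file that contains only the rabbitmq_web_mqtt tuple; for the sample above it reports the two DES-based suites and nothing else.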

Michael Klishin

Jun 8, 2018, 3:51:26 PM
to rabbitm...@googlegroups.com
The docs do mention how TLS is configured, search [1] for "TLS".


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ

cocowalla

Jun 8, 2018, 4:37:44 PM
to rabbitmq-users
I was referring specifically to enabling client authentication - this is mentioned in the MQTT docs, but not the Web MQTT docs.

/C

Michael Klishin

Jun 8, 2018, 4:53:38 PM
to rabbitmq-users
I am increasingly less sure what specifically the docs are missing.

We definitely would welcome more extensive examples and a note that, unlike the MQTT plugin, WebMQTT uses
a separate config and in some cases possibly slightly different options (since they are backed by
different, even though closely related, libraries).

Your example builds on the "more hardened" configuration in the main TLS guide. Those are no-brainer additions;
I'd suggest a separate section or two that are much like [1] (same name, link to the main guide) and provide an example specifically for Web MQTT.

Note that Web MQTT has an older brother, Web STOMP, and their TLS setup should be nearly identical. I'm happy to port
any improvements we end up with to Web STOMP on my own, though.

Michael Klishin

Jun 8, 2018, 5:11:18 PM
to rabbitm...@googlegroups.com
Ah, I see. That's because we don't hear from people who try to use x509 certificate authentication with Web MQTT or Web STOMP.
That would be a useful addition.

In the meantime I incorporated your example from a different thread from today into the docs:

As part of doing that I've noticed that we don't expose several settings to the new config format. That's fairly
easy to correct in time for 3.7.6.


cocowalla

Jun 8, 2018, 5:15:39 PM
to rabbitmq-users
Excellent - what you've just added is exactly what I was missing, thanks!