VerneMQ listener.ssl.use_identity_as_username not working

roy

Feb 17, 2022, 11:38:47 AM
to vernemq-users
I have VerneMQ set up with TLS authentication for clients and have the following configuration in place.

```
DOCKER_VERNEMQ_ACCEPT_EULA = "yes"
DOCKER_VERNEMQ_LISTENER__TCP__ALLOWED_PROTOCOL_VERSIONS = "3,4,5"
DOCKER_VERNEMQ_ALLOW_ANONYMOUS = "on"
DOCKER_VERNEMQ_KUBERNETES_INSECURE = "1"
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT = "0.0.0.0:8883"
DOCKER_VERNEMQ_LISTENER__SSL__REQUIRE_CERTIFICATE = "on"
DOCKER_VERNEMQ_LISTENER__SSL__USE_IDENTITY_AS_USERNAME = "on"
DOCKER_VERNEMQ_LISTENER__SSL__CAFILE = "/vernemq/cert/ca.crt"
DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE = "/vernemq/cert/server.crt"
DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE = "/vernemq/cert/server.key"
DOCKER_VERNEMQ_VMQ_ACL__ACL_FILE = "/vernemq/acl/vmq.acl"
```
With this config the client was able to connect using its TLS cert.

With the admin CLI I can see that the client which connected using the TLS cert is connected as anonymous:
```
$ vmq-admin session show
+-----------------------------------+-----------+------------+-------------+-----------+-------------------------+
| client_id                         | is_online | mountpoint | peer_host   | peer_port | user                    |
+-----------------------------------+-----------+------------+-------------+-----------+-------------------------+
| anon-Y9WGxgX01b2gDk/D2rDENwpY7JI= | true      |            | #.#.#.144   | 25064     | *.example.com           |
+-----------------------------------+-----------+------------+-------------+-----------+-------------------------+
```
If I set `DOCKER_VERNEMQ_ALLOW_ANONYMOUS = "off"` then clients are not able to connect to the broker, with the error `Connection error: Connection Refused: not authorised.`

On the MQTT side I saw the following error:
```
14:20:05.039 [debug] Replica meta9: Can't initialize AE exchange due to no peer available
14:20:09.409 [warning] can't authenticate client {[],<<"anon-jIvdbHkbISRjo6dEzFqLxUwfEa4=">>} from x.x.x.x:3340 due to plugin_chain_exhausted
14:20:09.409 [debug] session normally stopped
```

What is wrong with my config?

André Fatton

Feb 17, 2022, 11:56:29 AM
to vernemq-users
Hi Roy,

You're not doing anything wrong. VerneMQ just expects that you provide an additional way of authenticating to MQTT, while you expect that the client cert is enough proof of identity.
This is why things work when you set allow_anonymous=on. In that case, the internal authentication will be disabled. Unfortunately, allow_anonymous is a global setting and will make your other TCP listeners insecure.
Therefore, a per-listener "allow_anonymous_override" config value was implemented recently. This way you can keep allow_anonymous=off globally, and then turn off authentication only for the listeners that need it (like your TLS listener with required client certs).

This is not yet in a release, but it is in the master branch. It will land in the next release shortly.

I hope the explanation helps.

Best,
André
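To show how the per-listener override described in the reply is meant to be used, here is an added configuration example in the same Docker env-var style (written for this page, not taken from the post or the VerneMQ project). It assumes a VerneMQ build that includes allow_anonymous_override and that its env key follows the same `LISTENER__SSL__` naming as the other listener keys; confirm the exact key in the release you run.

```ini
# Global: keep internal authentication on for every listener.
DOCKER_VERNEMQ_ACCEPT_EULA = "yes"
DOCKER_VERNEMQ_ALLOW_ANONYMOUS = "off"

# Plain TCP listener stays protected by the normal auth plugin chain.
# With no auth plugin configured it rejects everyone (plugin_chain_exhausted),
# which is the safe failure mode.
DOCKER_VERNEMQ_LISTENER__TCP__ALLOWED_PROTOCOL_VERSIONS = "3,4,5"

# Mutual-TLS listener: a client certificate chaining to ca.crt is the
# credential, so username/password authentication is skipped here only.
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT = "0.0.0.0:8883"
DOCKER_VERNEMQ_LISTENER__SSL__CAFILE = "/vernemq/cert/ca.crt"
DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE = "/vernemq/cert/server.crt"
DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE = "/vernemq/cert/server.key"
DOCKER_VERNEMQ_LISTENER__SSL__REQUIRE_CERTIFICATE = "on"
DOCKER_VERNEMQ_LISTENER__SSL__USE_IDENTITY_AS_USERNAME = "on"
# Assumed key name for the per-listener allow_anonymous_override from the
# reply, mapped to env-var form like the other listener keys above.
DOCKER_VERNEMQ_LISTENER__SSL__ALLOW_ANONYMOUS_OVERRIDE = "on"

# ACLs still apply, keyed on the certificate identity that appears in the
# "user" column of `vmq-admin session show`.
DOCKER_VERNEMQ_VMQ_ACL__ACL_FILE = "/vernemq/acl/vmq.acl"
```

The ACL file can then grant per-device topics by that certificate identity, for example a `user client01.example.com` entry followed by `topic read devices/client01/#` (constructed names).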