Problem description
I can connect to an MQTT broker running in a container with any client certificate
I created an MQTT broker (environment: Docker container, base image: Ubuntu:18) with its common name set to localhost.
But I am able to connect to the MQTT broker with any client certificate. How do I prevent this?
Here is the mosquitto config:
```
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate false
password_file /etc/mosquitto/passwd
```
Reference solution
Method 1:
If you want to force clients to supply a certificate then you need to have

require_certificate true

Client certificates will need to be signed by a CA that is in cafile or capath to be accepted.

Since the certificate will be used to assert the user's identity, the password_file will not be used. If you want to use the ACL (with the acl_file) to control what topics a given user can use, you will need to add use_identity_as_username true or use_subject_as_username true to set which item in the certificate is to be the username.

From the man page:

When using certificate based encryption there are three options that affect authentication. The first is require_certificate, which may be set to true or false. If false, the SSL/TLS component of the client will verify the server but there is no requirement for the client to provide anything for the server: authentication is limited to the MQTT built in username/password. If require_certificate is true, the client must provide a valid certificate in order to connect successfully. In this case, the second and third options, use_identity_as_username and use_subject_as_username, become relevant. If set to true, use_identity_as_username causes the Common Name (CN) from the client certificate to be used instead of the MQTT username for access control purposes. The password is not used because it is assumed that only authenticated clients have valid certificates. This means that any CA certificates you include in cafile or capath will be able to issue client certificates that are valid for connecting to your broker. If use_identity_as_username is false, the client must authenticate as normal (if required by password_file) through the MQTT options. The same principle applies for the use_subject_as_username option, but the entire certificate subject is used as the username instead of just the CN.
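To see what the chain-of-trust rule above means in practice, here is an added shell example (not part of the original answer and not mosquitto's own code) that uses openssl to build a throwaway broker CA and an unrelated CA, issues a client certificate from each, and checks which one passes the cafile check that require_certificate true enables; it also prints the CN that use_identity_as_username would turn into the username. The file names, CNs and the $WORK directory are constructed for the demo, and the broker itself is not run.

```shell
#!/bin/sh
# Added example, not code from the original post or from mosquitto.
# Builds a throwaway "broker" CA and an unrelated "rogue" CA with openssl,
# issues one client certificate from each, then checks each certificate the
# way a broker with require_certificate true does: it must chain to the CA
# in cafile. All file names and CNs below are constructed for this demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME CN: self-signed CA certificate and key under $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_client NAME CN CA: client certificate with the given CN, signed by CA.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
        -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# chains_to_cafile CLIENT CA: exit 0 if CLIENT.crt chains to CA.crt, the
# check that require_certificate true adds on top of plain TLS. A non-zero
# exit is what makes the broker refuse the connection.
chains_to_cafile() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_cn CLIENT: the Common Name that use_identity_as_username would use
# as the MQTT username for access control.
cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=CN=//'
}

make_ca broker_ca "Broker CA"          # the CA you would point cafile at
make_ca rogue_ca  "Unrelated CA"       # a CA the broker does not trust
make_client good_client sensor-01 broker_ca
make_client bad_client  sensor-01 rogue_ca   # same CN, untrusted issuer

for c in good_client bad_client; do
    if chains_to_cafile "$c" broker_ca; then
        echo "$c: accepted, username would be '$(cert_cn "$c")'"
    else
        echo "$c: rejected, not issued by a CA listed in cafile"
    fi
done
```

With require_certificate true and use_identity_as_username true in mosquitto.conf the same split happens at connect time: the first certificate connects as user sensor-01, the second is rejected during the TLS handshake even though it carries the same CN.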