I'm developing an application that, in summary, uses MQTT to send sensor values to a broker to later visualize that data in a dashboard web application. I have five microcontrollers connected to the broker and I've set up a server certificate for the broker and client certificates for each microcontroller.

The problem is that, in the mosquitto.conf file I require the use of client certificates for the clients that want to connect, so if I want to subscribe to a topic from my web application I need a client certificate. I'm trying to find the right approach for accomplishing this, but it seems that having a certificate and key in a machine you cannot control is a big security risk.

It would be ideal if someone knew a way of tweaking the mosquitto configuration file or establishing some kind of exception (maybe similar to ACLs) to only require client certificates for certain clients (in my case, the microcontrollers) and use username/password for the others (web clients). Is it possible to do such a thing?

Any help would be much appreciated

EDIT (regarding @hardillb's answer)

My mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

per_listener_settings true

listener 9873
protocol websockets
#http_dir /home/jamengual/Desktop/UIB/TFG/mqtt/webAPP
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true

The "per_listener_settings true" makes the server go to an active (exited) state. From the mosquitto.conf guide:

Talking about authentication mechanisms:

Both certificate and PSK based encryption are configured on a per-listener basis.

Talking about the per_listener_settings options:

per_listener_settings [ true | false ]

    If true, then authentication and access control settings will be controlled on a per-listener basis. The following options are affected:

    password_file, acl_file, psk_file, allow_anonymous, allow_zero_length_clientid, auth_plugin, auth_opt_*, auto_id_prefix.

So I understand that the per_listener_settings option might not be necessary for the require_certificate part. However, I still need it to configure the usernames and passwords for the websockets.

Is there something wrong with my configuration file?

Link to my question about how to store client certificates and keys in the client's machine

1 Answer


Mosquitto allows you to have multiple listeners per broker that all share the same topic space.

Listeners can support native MQTT, MQTT over Websockets (including Websockets over TLS) and MQTT over TLS.

It also has the per_listener_settings option which allows you to specify different authentication options for different listeners. This option was added in mosquitto version 1.5.

So in this case, you can create an MQTT over TLS listener and use client certificates to authenticate those users (devices) and an MQTT over Websocket listener that will use username/password authentication.

e.g. something like this (but probably using an authentication plugin rather than acl/password files)

per_listener_settings true

listener 1884
cafile /path/to/ca
certfile /path/to/cert
keyfile /path/to/key
require_certificate true
acl_file /path/to/acl_file

listener 8883
protocol websockets
acl_file /path/to/acl_file
password_file /path/to/password

You can also include the cafile, certfile and keyfile options for the websocket listener, to enable Websockets over TLS (but don't use require_certificate, because browser-side client certificate handling for websockets is not a great experience, as they don't ask which certificate to use). But normally I would use something like NGINX to proxy for the websocket listener and also do the TLS termination.

Details of all the options can be found in the mosquitto.conf man page: https://mosquitto.org/man/mosquitto-conf-5.html
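As an added example (not the configuration posted in the question or in the answer above), here is a complete mosquitto.conf that puts the two listeners together with per-listener ACLs, so that a microcontroller can only publish under its own topic and the dashboard can only read. The file paths, the port numbers, the "dashboard" username, the sensors/ topic layout and the contents of the two ACL files are assumptions made for this illustration. per_listener_settings is placed first, before include_dir and before any listener, as the mosquitto.conf man page recommends.

```conf
# Added example: one broker, two listeners, two authentication mechanisms.
# Paths, ports, the "dashboard" user and the sensors/ topics are assumptions.

# Set this first, before include_dir, listeners or any option it affects
# (password_file, acl_file, allow_anonymous, ...).
per_listener_settings true

pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log

# ---- Listener 1: microcontrollers, MQTT over TLS, client certificate required
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
# Use the CN of the client certificate as the MQTT username, so the ACL
# can refer to each device by its certificate identity via %u.
use_identity_as_username true
allow_anonymous false
# Assumed contents of /etc/mosquitto/acl_devices (a single line):
#   pattern write sensors/%u/#
# i.e. a device may only publish beneath sensors/<its own CN>/ and cannot
# subscribe to anything.
acl_file /etc/mosquitto/acl_devices

# ---- Listener 2: browsers, MQTT over WebSockets + TLS, username/password
listener 9873
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# No require_certificate here: the browser presents a username/password.
# The password file is created with:
#   mosquitto_passwd -c /etc/mosquitto/passwd dashboard
allow_anonymous false
password_file /etc/mosquitto/passwd
# Assumed contents of /etc/mosquitto/acl_web:
#   user dashboard
#   topic read sensors/#
# so the web client can subscribe to sensor data but never publish.
acl_file /etc/mosquitto/acl_web

# Extra snippets are included last, after the per-listener mode is active.
include_dir /etc/mosquitto/conf.d
```

To find out why the broker ends up in an active (exited) state, run it in the foreground with `mosquitto -c /etc/mosquitto/mosquitto.conf -v`; a configuration error is then printed directly instead of being hidden behind the service status. Note that the dashboard's credentials still have to be delivered to a browser you do not control, which is exactly the concern raised in the question: the read-only ACL on the websockets listener bounds what a leaked password can do to subscribing, and fronting that listener with a reverse proxy, as the answer suggests, is where per-user sessions or tokens can be added on top.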