Mochi Broker mTLS #447
leandrofars started this conversation in Ideas
Hello,
First of all, amazing project!
Use case
I have a use case where multiple devices connect to the mochi broker using mTLS.
Each device has a unique certificate, and I must ensure that a device with a SubjectAltName "x" can only send messages as itself ("x").
I'm already doing some kind of ACL check with username/password and topic read/write permissions, but for the project I'm working on it's a must to check whether the device publishing a message that says it is "x" also has an "x" identifier in the SAN field of its client TLS certificate. This way, even if a certificate is somehow leaked, an attacker with that valid leaked certificate would only be able to forge messages as one device instead of others.
How to do it
Thought about creating a hook that runs when a message is published, to check whether the device sending it really is who it claims to be according to the SAN field of its TLS certificate.
Publish message -> check device ID by opening the message payload -> match device ID with the MQTT client's TLS certificate SAN
Problem
There is no way to access the MQTT client TLS info using the default lib provided by the hooks, or I just couldn't figure out how to do it.
Open to suggestions and alternatives. If that's a limitation of the library, I'm also willing to help with it.
Thanks,
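The check described in the post, written out as an added example that is not part of the original discussion or of the Mochi code base. It uses only the Go standard library: the SAN identities are read off the verified client certificate, the device ID is taken from a JSON payload (the `device_id` field and the JSON shape are assumptions made for this example), and the two must match. The self-signed certificate is constructed test data standing in for a real device certificate. Wiring `leafFromConn` into a publish hook requires the hook to reach the session's underlying `net.Conn`; how Mochi exposes that is not something this example asserts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sanIdentities collects every identity carried in the certificate's Subject
// Alternative Name extension (DNS, URI and email entries). The Subject CN is
// deliberately ignored: the post requires the match to be against the SAN.
func sanIdentities(cert *x509.Certificate) []string {
	ids := make([]string, 0, len(cert.DNSNames)+len(cert.URIs)+len(cert.EmailAddresses))
	ids = append(ids, cert.DNSNames...)
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	return append(ids, cert.EmailAddresses...)
}

// claimedDeviceID parses the publish payload and returns the device the
// message claims to come from. The "device_id" JSON field is an assumption.
func claimedDeviceID(payload []byte) (string, error) {
	var msg struct {
		DeviceID string `json:"device_id"`
	}
	if err := json.Unmarshal(payload, &msg); err != nil {
		return "", fmt.Errorf("payload is not valid JSON: %w", err)
	}
	if msg.DeviceID == "" {
		return "", errors.New("payload carries no device_id")
	}
	return msg.DeviceID, nil
}

// authorizePublish is the hook's decision: the device ID inside the payload
// must equal one of the SAN identities of the client certificate. A missing
// certificate, a malformed payload or a mismatch all reject the message, so a
// leaked certificate for "x" can still only forge messages as "x".
func authorizePublish(leaf *x509.Certificate, payload []byte) error {
	if leaf == nil {
		return errors.New("no verified client certificate on this connection")
	}
	id, err := claimedDeviceID(payload)
	if err != nil {
		return err
	}
	for _, san := range sanIdentities(leaf) {
		if san == id {
			return nil
		}
	}
	return fmt.Errorf("device %q is not in certificate SAN %v", id, sanIdentities(leaf))
}

// leafFromConn pulls the client's leaf certificate off a TLS connection.
// VerifiedChains is only populated when the listener's tls.Config uses
// RequireAndVerifyClientCert (or VerifyClientCertIfGiven), so taking the leaf
// from there, rather than from PeerCertificates, guarantees the chain was
// actually validated. A plaintext connection yields nil and is rejected.
func leafFromConn(conn net.Conn) *x509.Certificate {
	tc, ok := conn.(*tls.Conn)
	if !ok {
		return nil
	}
	state := tc.ConnectionState()
	if len(state.VerifiedChains) == 0 || len(state.VerifiedChains[0]) == 0 {
		return nil
	}
	return state.VerifiedChains[0][0]
}

// selfSignedDeviceCert builds a throwaway certificate whose SAN names the
// device. Constructed test data; a real deployment issues these from its CA.
func selfSignedDeviceCert(deviceID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cn-is-not-checked"},
		DNSNames:     []string{deviceID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedDeviceCert("device-x")
	if err != nil {
		panic(err)
	}
	fmt.Println(authorizePublish(cert, []byte(`{"device_id":"device-x","temp":21.5}`)))
	fmt.Println(authorizePublish(cert, []byte(`{"device_id":"device-y","temp":21.5}`)))
}
```

The same `sanIdentities` match can instead be run once at connect time against the MQTT client ID or username; every later publish on that session then inherits the bound identity and no payload parsing is needed on the hot path. Either way the listener must be configured with `tls.RequireAndVerifyClientCert`, otherwise `VerifiedChains` is empty and every publish is rejected by design.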