I have two use cases:
- the user wants to connect with a username and password (I validate the credentials with an HTTPS POST to a backend).
- the user wants to connect with a client certificate (mTLS).
If I run the two cases one at a time they work. But as soon as the HTTPS (password-based) authentication is enabled, the clients that connect with a client certificate are also sent through that HTTP authentication step and fail. Is there a way to exclude clients that present a valid client certificate from the HTTPS authentication?
Thanks for any input
/Jimmy
Config:
## MQTT protocol limits shared by all listeners.
mqtt {
max_packet_size = 1MB
## NOTE(review): 65535-byte client IDs are far above what most clients use; fine if intended.
max_clientid_len = 65535
max_topic_levels = 128
max_qos_allowed = 1
max_topic_alias = 65535
retain_available = false
## The client certificate's CN is taken as the MQTT username. Because the
## `authentication` chain below is global, that CN is presumably what reaches
## the HTTP backend as `${username}` (with no password) for mTLS clients --
## which looks like the reason those clients "fail". Confirm against the
## backend's request logs.
peer_cert_as_username = cn
}
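## TLS listener on 8883. With `verify = verify_peer` and
## `fail_if_no_peer_cert = true`, EVERY client on this listener must present a
## certificate chaining to `cacertfile`; a password-only client that sends no
## certificate is rejected during the TLS handshake, before any
## `authentication` backend is consulted.
## NOTE(review): to serve both flows side by side, one option is a second
## listener on another port for password clients (without
## fail_if_no_peer_cert) and a listener-scoped authentication chain for each --
## confirm that your EMQX version supports `authentication` inside a listener
## block before relying on this.
listeners.ssl.default {
## Port or Address to listen on, 0 means disable
bind = 8883 ## or with an IP e.g. "127.0.0.1:8883"
enabled = true
acceptors = 16
## Run the (global) authentication chain for clients on this listener.
enable_authn = true
max_connections = infinity
mountpoint = ""
proxy_protocol = false
proxy_protocol_timeout = 3s
tcp_options {
active_n = 100
backlog = 1024
buffer = 4KB
high_watermark = 1MB
keepalive = none
nodelay = true
reuseaddr = true
send_timeout = 15s
send_timeout_close = true
}
ssl_options {
## CA used to verify client certificates (and presented to clients as the chain anchor).
cacertfile = "${EMQX_ETC_DIR}/certs/netmore/ca.crt"
certfile = "${EMQX_ETC_DIR}/certs/netmore/server.crt"
keyfile = "${EMQX_ETC_DIR}/certs/netmore/server.key"
## Require and verify a client certificate.
verify = verify_peer # to enable
## Reject clients that present no certificate at all.
fail_if_no_peer_cert = true
## Enable TLS session reuse
reuse_sessions = true
## Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path
## NOTE(review): 10 is generous for a private CA; if the CA hierarchy is shallow, a smaller depth limits what a client can make the server walk.
depth = 10
## Which versions are to be supported
versions = [tlsv1.3, tlsv1.2]
## TLS cipher suite names
## Note: By default, all available suites are supported, you do not need to set this
## The two TLS_* names are TLS 1.3 suites; the single ECDHE-RSA suite is the only
## TLS 1.2 option and presumably requires an RSA server certificate -- confirm
## server.crt is RSA, otherwise TLS 1.2 clients cannot negotiate anything.
ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES256-GCM-SHA384"
## Allows a client and a server to renegotiate the parameters of the SSL connection on the fly
secure_renegotiate = true
## Log level for SSL communication
## Type: emergency | alert | critical | error | warning | notice | info | debug | none | all
log_level = notice
## Hibernate the SSL process after idling for amount of time reducing its memory footprint
hibernate_after = 5s
## Forces the cipher to be set based on the server-specified order instead of the client-specified order
honor_cipher_order = true
## Client-initiated renegotiation is disabled: it lets an unauthenticated peer
## force repeated, server-side-expensive handshakes over one connection (a
## well-known TLS 1.2 resource-exhaustion vector), and nothing in the two
## client flows above needs it. TLS 1.3 has no renegotiation at all, so this
## only affects TLS 1.2 clients. (The original value was `true`, contradicting
## the comment that accompanied it.)
client_renegotiation = false
## Maximum time duration allowed for the handshake to complete
handshake_timeout = 15s
#ocsp {
# enable_ocsp_stapling = false
# responder_url = "http://ocsp.example.com"
# issuer_pem = "${EMQX_ETC_DIR}/certs/ocsp-issuer-cert.pem"
# refresh_http_timeout = 15s
# refresh_interval = 5m
#}
}
}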
## Global authentication chain. It applies to every listener that has
## `enable_authn = true`, including the mTLS listener above, so clients that
## already passed certificate verification are also posted to the HTTP backend
## (presumably with the certificate CN as username and an empty password --
## see `peer_cert_as_username`).
authentication = [
{
mechanism = password_based
backend = http
enable = true
## POST so the credentials travel in the body, not in a URL that may be logged.
method = post
## TLS towards the backend.
## NOTE(review): no cacertfile / verify setting is given here; confirm that the
## default actually verifies the backend's certificate, otherwise every
## username/password pair is sent to whatever answers on localhost:443.
ssl {
enable = true
}
url = "https://localhost/api/v1/login"
## Request body template; ${username} / ${password} are taken from the CONNECT packet.
body {
username = "${username}"
password = "${password}"
}
headers {
"Content-Type" = "application/json"
"X-Request-Source" = "EMQX"
}
}
]
## Authorization (ACL): deny by default, and a denied publish/subscribe
## disconnects the client instead of silently dropping the operation.
authorization {
no_match = deny
deny_action = disconnect
## ACL decision cache. NOTE(review): with ttl = 1m, a change to acl.conf may
## take up to a minute to be enforced on already-connected clients -- confirm
## that is acceptable for revocation.
cache {
enable = true
max_size = 32
ttl = 1m
}
## Single file-based ACL source.
sources = [
{
type = file
enable = true
path = "${EMQX_ETC_DIR}/acl.conf"
}
]
}