Re: [mosquitto-dev] TLS SNI server_name extension support


On 02 Jun 2015, at 00:19, Roger Light <roger@xxxxxxxxxx> wrote:

Hi Jan,

Ah well, I don't think I did too bad!

:)


My worst mistake there was that the ifdef you removed should be an ifndef. I don't suppose that matters for you though.

doh. I did not even figure that out. :)



Thanks again!


Cheers,

Roger



On Mon, Jun 1, 2015 at 11:11 PM, Jan Weitz <me@xxxxxxxxxxx> wrote:
Hi Roger,

thank you for your quick reply, and thank you for this great software!

Your patch almost worked, but the OpenSSL macro did not exist and I need this on the client side (so I can use an iPhone and connect to a TLS mosquitto instance).

Please see the further very small changes on top of your patch against 1.4.2: https://gist.github.com/weitzj/18b07b7402bda937ef18

Actually there are 2 macros to set the TLS extension, either on the ssl instance or the ssl_ctx. Trying to use ssl_ctx did not work for me, so I stayed with your approach using the ssl instance.
I do not know whether this should be before or after the *big instance. It worked in both cases, so I put it before. Also I removed the WITH_BROKER ifdef, since I wanted to use the library to connect from a client to a server.

If you are interested, where this all ends up you can check out: https://github.com/iosphere/MQTTKit/tree/feature/tls_mosquitto_1.4.2_SNI

Greetings,

Jan

On 01 Jun 2015, at 16:00, Roger Light <roger@xxxxxxxxxx> wrote:

Hi Jan,

It seems like it's quite easy. This is completely untested, but try http://h.ral.me/mqtt/sni.patch against 1.4.2.

Cheers,

Roger


On Mon, Jun 1, 2015 at 2:03 PM, Jan Weitz <me@xxxxxxxxxxx> wrote:
Hi,

does mosquitto_client support the TLS server_name extension (SNI)?

My use case:

I want to run a mosquitto broker via the MQTT protocol as well as the WEBSOCKET protocol on port 443 to keep firewalls happy.

But I do not want to waste IP addresses for each protocol. The mosquitto library should be used from iOS to connect to the broker via SNI.

The broker setup:

I implement virtual hosting by putting a bunch of independent mosquitto brokers behind a TCP load balancer (HAProxy), doing the SSL termination at each broker instead of at the load balancer. So I am using HAProxy as an SSL relay.

Therefore, the mosquitto client (or any other MQTT client) has to set the 'server_name' in order for HAProxy to route to the correct backend server.

Is this already implemented in mosquitto? Would it be hard to do?

It looks like the Golang mqtt client might already support this by setting the TLSConfig:



Thank you for your help,

Jan


An HAProxy config might look like this:

The mosquitto client might connect to `mqttproxy.mydomain.com` passing the server_name `broker_0_mqtt.mydomain.com`, which will cause HAProxy to route the request to my first broker using the MQTT protocol.

Browsers already support SNI. So a browser might connect to `mqttproxy.mydomain.com` as well with the server_name `broker_0_websocket.mydomain.com` and will get the WEBSOCKET protocol.

```
frontend tlsrelay
  bind *:443
  maxconn 40000
  timeout client 3h
  option tcpka
  tcp-request inspect-delay 1s
  tcp-request content accept if { req_ssl_hello_type 1 }
  default_backend bk_tlsrelay

backend bk_tlsrelay
  option tcpka
  timeout server 3h
  option ssl-hello-chk

  acl acl_broker_0_mqtt req_ssl_sni -i broker_0_mqtt.mydomain.com
  acl acl_broker_0_websocket req_ssl_sni -i broker_0_websocket.mydomain.com
  acl acl_broker_1_mqtt req_ssl_sni -i broker_1_mqtt.mydomain.com
  acl acl_broker_1_websocket req_ssl_sni -i broker_1_websocket.mydomain.com

  server server_0_mqtt  192.168.1.1:8883
  server server_0_websocket  192.168.1.1:9002
  server server_1_mqtt  192.168.1.2:8883
  server server_1_websocket  192.168.1.2:9002

  use-server server_0_mqtt if acl_broker_0_mqtt
  use-server server_0_websocket if acl_broker_0_websocket
  use-server server_1_mqtt if acl_broker_1_mqtt
  use-server server_1_websocket if acl_broker_1_websocket
```

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
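As an added example (not code from this thread, from mosquitto or from HAProxy), the script below does in Python what the posted HAProxy frontend and backend do with `req_ssl_hello_type 1` and `req_ssl_sni`: it parses a raw TLS ClientHello, pulls out the server_name extension and picks a backend from a table that mirrors the four `use-server` rules above. It also shows the client side the thread is about: Python's `server_hostname` argument is what puts the server_name extension on the wire, the same effect the patch for libmosquitto aims for, and passing no hostname produces the kind of ClientHello the unpatched client would send, which the relay cannot route. The ClientHello is generated against in-memory BIOs, so nothing touches the network. The backend addresses and SNI names are copied from the posted config; the function names, the `_Reader` helper and the HTTP probe bytes are my own constructions.

```python
import ssl

# Backend table mirroring the posted HAProxy config (addresses and names from the thread).
# HAProxy's `req_ssl_sni -i` matches case-insensitively, so keys are kept lower-case.
ROUTES = {
    "broker_0_mqtt.mydomain.com": ("192.168.1.1", 8883),
    "broker_0_websocket.mydomain.com": ("192.168.1.1", 9002),
    "broker_1_mqtt.mydomain.com": ("192.168.1.2", 8883),
    "broker_1_websocket.mydomain.com": ("192.168.1.2", 9002),
}


class NotAClientHello(ValueError):
    """Raised when the bytes are not one complete ClientHello record
    (the condition HAProxy's `req_ssl_hello_type 1` gate waits for)."""


class _Reader:
    """Bounds-checked cursor over a byte string; overruns mean 'incomplete'."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise NotAClientHello("truncated record; wait for more bytes")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return int.from_bytes(self.take(2), "big")

    def u24(self):
        return int.from_bytes(self.take(3), "big")


def extract_sni(data):
    """Return the host_name from the server_name extension of a TLS ClientHello,
    or None if the client sent no SNI. Raises NotAClientHello for anything that
    is not a complete ClientHello record (plain HTTP, other TLS messages, a
    record still being reassembled)."""
    rec = _Reader(data)
    if rec.u8() != 0x16:                  # ContentType handshake
        raise NotAClientHello("not a TLS handshake record")
    rec.take(2)                           # record-layer version, irrelevant for routing
    body = _Reader(rec.take(rec.u16()))   # whole record must have arrived
    if body.u8() != 0x01:                 # HandshakeType client_hello
        raise NotAClientHello("handshake message is not a ClientHello")
    hello = _Reader(body.take(body.u24()))
    hello.take(2 + 32)                    # legacy_version + random
    hello.take(hello.u8())                # legacy_session_id
    hello.take(hello.u16())               # cipher_suites
    hello.take(hello.u8())                # legacy_compression_methods
    if hello.pos == len(hello.buf):
        return None                       # very old client: no extensions block at all
    exts = _Reader(hello.take(hello.u16()))
    while exts.pos < len(exts.buf):
        ext_type, ext_data = exts.u16(), _Reader(exts.take(exts.u16()))
        if ext_type != 0x0000:            # 0 = server_name (RFC 6066)
            continue
        names = _Reader(ext_data.take(ext_data.u16()))
        while names.pos < len(names.buf):
            name_type, name = names.u8(), names.take(names.u16())
            if name_type == 0:            # NameType host_name; SNI names are ASCII
                return name.decode("ascii", errors="replace")
    return None


def is_client_hello(data):
    """True if the bytes form a complete ClientHello record, SNI or not."""
    try:
        extract_sni(data)
        return True
    except NotAClientHello:
        return False


def route(data):
    """Pick a backend like the posted use-server rules. Returns None when the
    client sent no SNI or an unknown one; HAProxy would then fall back to the
    backend's normal load balancing, i.e. possibly the wrong broker or protocol."""
    name = extract_sni(data)
    return ROUTES.get(name.lower()) if name else None


def capture_client_hello(server_hostname):
    """Produce the ClientHello a Python/OpenSSL client sends for server_hostname
    without a network: drive the handshake against memory BIOs and read back
    the bytes the client wanted to transmit. None yields a hello without SNI,
    the case this thread's patch set out to fix for libmosquitto."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        ctx.check_hostname = False        # wrap_bio refuses hostname=None otherwise
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # ClientHello written; client now waits for the server
    return outgoing.read()


if __name__ == "__main__":
    for host in ("broker_0_mqtt.mydomain.com", "broker_1_websocket.mydomain.com", None):
        hello = capture_client_hello(host)
        print(f"SNI={extract_sni(hello)!r}  ->  backend {route(hello)}")
```

Two points from the thread fall out of this directly. First, the server_name is plaintext in the ClientHello, which is why a TCP-mode relay can route on it at all without holding the certificate; anyone on the path sees the same name. Second, `tcp-request inspect-delay` exists because the ClientHello may not have fully arrived when the connection is accepted; `extract_sni` raises on a partial record for the same reason, and a relay should keep waiting rather than classify the connection on a fragment.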