Re: [mosquitto-dev] use full certificate subject as username?


This is a follow-up to my question from a couple of weeks ago.
I’m still looking for a way to use the full x509 certificate subject line in a mosquitto auth plugin for making topic access decisions.
In the meantime I have created a patch for mosquitto master that adds a use_subject_as_username option as an alternative to use_identity_as_username.
The option yields RFC2253 formatted certificate subjects (e.g. 'CN=agent,OU=project1,O=org1') as client usernames.
It is somewhat similar to the FakeBasicAuth ssl option from the Apache http server.
I find this option very useful and want to know if this is something that could be added to mosquitto mainline?
The patch is attached. I’m by no means a C expert so please excuse any memory leaks or other blatant mistakes.

Kind regards,

Attachment: 0001-subject-as-username.patch
Description: Binary data

> On 24 Apr 2015, at 16:10, Ruff, Fabian <fabian@xxxxxxxxx> wrote:
> Hi,
> I’m looking into leveraging TLS as much as possible for solving the authentication and authorization problem in my MQTT architecture.
> Currently the use_identity_as_username option only uses the common name from the certificate as the username.
> For authorization purposes other parts of the certificate's distinguished name could be helpful as well (e.g. organization, organizational unit...)
> Would it maybe be feasible to introduce a complementary configuration option like use_subject_as_username?
> That way an auth plugin could then make the access control decision based on the full certificate subject.
> Just wanted to check if somebody else might think this could be useful.
> Cheers,
> Fabian
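An added example, not part of the attached patch or of mosquitto: how an auth plugin could read attributes out of an RFC 2253 subject used as the username without being misled by escaped separators inside a value. The function names `dn_get_attr` and `topic_allowed`, the `<O>/<OU>/` topic policy and the sample subject are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Copy the unescaped value of the first RDN of the given type into out.
 * Handles RFC 2253 backslash escapes ("\," and hex pairs such as "\2C").
 * Returns 0 on success, -1 if absent, malformed or too long. */
int dn_get_attr(const char *dn, const char *type, char *out, size_t outlen) {
    const char *p = dn;
    size_t tlen = strlen(type);
    while (*p) {
        size_t klen = strcspn(p, "=,+");
        if (p[klen] != '=') return -1;            /* RDN without "type=" */
        int want = (klen == tlen && strncmp(p, type, tlen) == 0);
        size_t n = 0;
        for (p += klen + 1; *p && *p != ',' && *p != '+'; ) {
            unsigned char c = (unsigned char)*p++;
            if (c == '\\') {
                if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
                    char hex[3] = { p[0], p[1], '\0' };
                    c = (unsigned char)strtoul(hex, NULL, 16);
                    p += 2;
                } else if (*p) c = (unsigned char)*p++;
                else return -1;                   /* dangling backslash */
                if (c == '\0') return -1;         /* embedded NUL would truncate */
            }
            if (want) { if (n + 1 >= outlen) return -1; out[n++] = (char)c; }
        }
        if (want) { out[n] = '\0'; return 0; }
        if (*p) p++;                              /* skip ',' or '+' separator */
    }
    return -1;
}

/* Hypothetical policy: a client may only use topics under "<O>/<OU>/". */
int topic_allowed(const char *username, const char *topic) {
    char o[64], ou[64], prefix[130];
    if (dn_get_attr(username, "O", o, sizeof o) || dn_get_attr(username, "OU", ou, sizeof ou))
        return 0;
    if (strpbrk(o, "/+#") || strpbrk(ou, "/+#")) return 0;  /* MQTT topic metacharacters */
    int n = snprintf(prefix, sizeof prefix, "%s/%s/", o, ou);
    return strncmp(topic, prefix, (size_t)n) == 0;
}

int main(void) {
    const char *u = "CN=agent\\,OU=admin,OU=project1,O=org1";  /* constructed sample */
    printf("%d %d\n", topic_allowed(u, "org1/project1/status"), topic_allowed(u, "org1/admin/cmd"));
}
```

Splitting the username on every comma would read `OU=admin` out of the constructed CN value above; the escape-aware scan treats it as part of the CN and uses the real OU.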
