| Re: [mosquitto-dev] use full certificate subject as username? |
Hi, this is a follow-up to my question from a couple of weeks. I’m still looking for a way to use the full x509 certificate subject line in an mosquitto auth plugin for making topic access decisions. In the meantime I have created a patch for mosquitto master that adds a use_subject_as_username option as an alternative to use_identity_as_username. The option yields RFC2253 formatted certificate subjects (e.g. 'CN=agent,OU=project1,O=org1’) as client usernames. It is somewhat similar to the FakeBasicAuth ssl option from the Apache http server. I find this option very useful and want to know if this is something that could be added to mosquitto mainline? The patch is attached. I’m by no means a c-export so please excuse any memory leaks or other blatant mistakes. Kind regards, Fabian
Attachment:
0001-subject-as-username.patch
Description: Binary data
> On 24 Apr 2015, at 16:10, Ruff, Fabian <fabian@xxxxxxxxx> wrote: > > Hi, > > I’m looking into leveraging tis as much as possible for solving the authentication and authorization problem in my mqtt architecture. > Currently the use_identity_as_username option only uses the common name from the certificate as the username. > For authorization purposes other parts of the certificates distinguished name could be helpful as well (e.g. organization, organizational unit...) > > Would it maybe feasible to introduce a complementary configuration option like use_subject_as_username? > That way an auth plugin could then make the access control decision based on the full certificate subject. > > Just wanted to check if somebody else might think this could be useful. > > > Cheers, > Fabian > _______________________________________________ > mosquitto-dev mailing list > mosquitto-dev@xxxxxxxxxxx > To change your delivery options, retrieve your password, or unsubscribe from this list, visit > https://dev.eclipse.org/mailman/listinfo/mosquitto-dev