Yes, I successfully connected using my own CA.
These are my clients and the results:
mosquitto_sub / mosquitto_pub: NOT OK
mosquitto_sub / mosquitto_pub: OK (with the "insecure" flag)
mqttfx: OK
Raspberry, Java paho: OK
Android, paho: OK
On 02/08/18 13:05, Manuel Domínguez Dorado wrote:
And, are you able to connect to the broker over TLS
using your own CA? I had to write some code to avoid a
connection error (using paho).
Manuel, I will use both.
Since I'm a server-side manager and pro-Linux, it is easier
for me to use command-line clients like mosquitto_pub/sub.
But we also have a Raspberry using a Java library and an Android
app using some other MQTT library.
So far the problem is only with the command-line clients.
Regards.
Leo.
On 01/08/18 12:58, Manuel Domínguez Dorado wrote:
Are you going to connect to the broker via
mosquitto_pub and mosquitto_sub? Or are you going to
connect from Java, C...?
So... it means that if I need to move to a new server, let's
suppose for maintenance, I only need to change the server name
(`hostname`) and all should continue working?
Also:
"name in cert must match name used to connect"
Can you point out those names for:
openssl commands while creating certs
mosquitto_sub client command-line flag while connecting.
BTW, thanks for this... you are helping me a lot.
Regards,
Leandro.
On 01/08/18 09:59, Manuel Domínguez Dorado wrote:
Great answer!!! Thanks.
On Wed., 1 August 2018, 14:25, Greg Troxel <gdt@xxxxxxxxxx> wrote:
Manuel Domínguez Dorado <manolodd@xxxxxxxxx> writes:
> *"If you are using a cert issued by your own Certificate Authority, then
> you need to provide the CA certificate, so that mosquitto can verify that
> the server certificate is genuine"*
>
> Um... but this is true only if the hostname in the server certificate can
> be correctly resolved through the public DNS, isn't it?
The relevant standards (IETF PKIX) are very complicated, but the essence
is:

  program asks to connect to a name
  system might canonicalize the name
  system translates that to an address and connects
  remote provides a certificate
  validation requires that the certificate be reachable from a configured
    trust anchor (which more or less translates to "server cert's parent
    certificate (CA) is in the list of configured CAs")
  name in cert must match name used to connect

So no, you shouldn't need DNS. You just have to make the names match.
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev