|[mosquitto-dev] Mosquitto version 2.0.14 for Windows does not refuse anonymous connections when mosquito_sub and mosquito_pub is used on windows power shell
Hi:I have the following security issue in the windows version 2.0.14 when I used with mosquito_sub and mosquito_pub on windows power shell.
After use TSL, I proved using just a password file, with the allow_anonymous parameter setting to false and, of course the per_listener_settings parameter setting to true.
per_listener_settings true allow_anonymous false password_file C:\mosquitto\usuarios.cfgThe configuration file is correctly read, also the password file; but still I can subscribe anonymous clients or clients using incorrect names and/or passwords (not included in the password file).
I run the mosquitto broker in a Power Shell windows, and the clients in additional Power Shell windows.
If I add a ACL file, the problem still remains.Only when I add certificates, and enable TSL, the password file and the ACL file are correctly used.
(That is: anonymous clients or clients with incorrect names and/or passwords are rejected)
Cheers Eduardo Mondaca
Back to the top