Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[mosquitto-dev] Mosquitto version 2.0.14 for Windows does not refuse anonymous connections when mosquito_sub and mosquito_pub is used on windows power shell


I have the following security issue in the windows version 2.0.14 when I used with mosquito_sub and mosquito_pub on windows power shell.

After use TSL, I proved using just a password file, with the allow_anonymous parameter setting to false and, of course the per_listener_settings parameter setting to true.

per_listener_settings true

allow_anonymous false

password_file C:\mosquitto\usuarios.cfg

The configuration file is correctly read, also the password file; but still I can subscribe anonymous clients or clients using incorrect names and/or passwords (not included in the password file).

I run the mosquitto broker in a Power Shell windows, and the clients in additional Power Shell windows.

If I add a ACL file, the problem still remains.

Only when I add certificates, and enable TSL, the password file and the ACL file are correctly used.

(That is: anonymous clients or clients with incorrect names and/or passwords are rejected)


Eduardo Mondaca

Back to the top