So ... it means that if I need to move to a new server, let's suppose for
maintenance, I only need to change the server name (`hostname`) and all
should continue working?

Also:
"name in cert must match name used to connect"

Can you point out those names for:
- openssl commands while creating certs
- mosquitto_sub client command line flag while connecting.

Btw, thanks for this ... you are helping me a lot.

Regards,
Leandro.
            
            
            
            
On 01/08/18 09:59, Manuel Domínguez Dorado wrote:
            
            
              Great answer!!! Thanks.
              
              
                On Wed, 1 August 2018 14:25, Greg Troxel <gdt@xxxxxxxxxx> wrote:
                
                  Manuel Domínguez Dorado <manolodd@xxxxxxxxx> writes:

                  > *"If you are using a cert issued by your own Certificate Authority, then
                  > you need to provide the CA certificate, so that mosquitto can verify that
                  > the server certificate is genuine"*
                  >
                  > Um... but this is true only if the hostname in the server certificate can
                  > be correctly resolved through the public DNS, isn't it?
                  
                  The relevant standards (IETF PKIX) are very complicated, but the essence
                  is:

                    program asks to connect to a name

                    system might canonicalize the name

                    system translates that to an address and connects

                    remote provides a certificate

                    validation requires that the certificate be reachable from a configured
                    trust anchor (which more or less translates to "server cert's parent
                    certificate (CA) is in the list of configured CAs")

                    name in cert must match name used to connect


                  So no, you shouldn't need DNS.  You just have to make the names match.
                
               
              
              
              
              _______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
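
Added example (not part of the thread, and not the project's own commands): an offline check of the two conditions listed in the quoted reply, chaining to a configured CA and matching the name, using a throwaway CA. The names `broker.example.test` and `other.example.test`, the file paths, port 8883 and the topic are assumptions; the closing comment shows where the name goes on the `mosquitto_sub` command line.

```shell
#!/bin/sh
# Added example: constructed names and file paths, not taken from the thread.
NAME=broker.example.test       # assumed name clients connect to; it has no DNS entry
DIR=${DIR:-$(mktemp -d)}

make_ca() {
    # Self-signed CA. ca.crt is the client's trust anchor (mosquitto_sub --cafile).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$DIR/ca.key" -out "$DIR/ca.crt" 2>/dev/null
}

make_server_cert() {
    # $1 = name written into the server certificate (CN and subjectAltName).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$DIR/server.key" -out "$DIR/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$DIR/san.ext"
    openssl x509 -req -in "$DIR/server.csr" -days 30 \
        -CA "$DIR/ca.crt" -CAkey "$DIR/ca.key" -CAcreateserial \
        -extfile "$DIR/san.ext" -out "$DIR/server.crt" 2>/dev/null
}

check_name() {
    # $1 = name the client would use to connect. Succeeds only if the cert
    # chains to ca.crt AND carries that name. Nothing is resolved via DNS.
    openssl verify -CAfile "$DIR/ca.crt" -verify_hostname "$1" \
        "$DIR/server.crt" >/dev/null 2>&1
}

make_ca && make_server_cert "$NAME"
check_name "$NAME" && echo "$NAME: accepted"
check_name other.example.test || echo "other.example.test: rejected"

# Client side, given a broker presenting server.crt on its TLS listener
# (port 8883 and the topic are assumptions):
#   mosquitto_sub -h broker.example.test -p 8883 --cafile ca.crt -t 'test/#'
# The value given to -h is the name compared against the certificate.
```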