Re: [mosquitto-dev] TLS SNI server_name extension support

So I guess the next thing would be for me to check out how I could add ALPN support (successor of NPN) to the mosquitto client.

See:


This way one could get rid of these weird host names, broker_0_mqtt.mydomain.com and broker_0_websocket.mydomain.com, to distinguish between the protocols.

The haproxy config would fit more to the actual service of a broker and its servers it binds to. Something like:

```
frontend tlsrelay
  bind *:443
  maxconn 40000
  timeout client 3h
  option tcpka
  tcp-request inspect-delay 1s
  tcp-request content accept if { req_ssl_hello_type 1 }

  acl acl_broker_0 req_ssl_sni -i broker_0.mydomain.com
  acl acl_broker_1 req_ssl_sni -i broker_1.mydomain.com

  # go to the broker (HAProxy directive is use_backend)
  use_backend broker_0 if acl_broker_0
  use_backend broker_1 if acl_broker_1

backend broker_0
  option tcpka
  timeout server 3h
  option ssl-hello-chk

  server server_mqtt  192.168.1.1:8883
  server server_websocket  192.168.1.1:9002

  # Choose the server port by checking whether the client speaks the mqtt protocol or the websocket protocol
  use-server server_mqtt if HERE THE ALPN mqtt protocol check
  use-server server_websocket if HERE THE ALPN websocket protocol check

backend broker_1
  option tcpka
  timeout server 3h
  option ssl-hello-chk

  server server_mqtt  192.168.1.2:8883
  server server_websocket  192.168.1.2:9002

  use-server server_mqtt if HERE THE ALPN mqtt protocol check
  use-server server_websocket if HERE THE ALPN websocket protocol check

```
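The relay in both HAProxy configs on this page (the SNI-only one in the original question and the SNI-plus-ALPN sketch above) never terminates TLS: it reads the ClientHello bytes that `req_ssl_hello_type 1` and `req_ssl_sni` look at and picks a server from them. The following Python is an added example, not code from this thread or from HAProxy or mosquitto, that parses those two extensions from a raw ClientHello and applies the same SNI-to-backend and ALPN-to-server mapping. The hostnames come from the configs above; the ALPN id `mqtt` is the IANA-registered one, while routing WebSocket clients on `http/1.1` and the `build_client_hello` test-input builder are assumptions of the example. Later HAProxy releases (1.6 and newer) expose the same field as the `req.ssl_alpn` fetch, which is what the `HERE THE ALPN ... check` placeholders above would become.

```python
"""Extract the SNI and ALPN fields a TCP-mode relay routes on from a raw TLS ClientHello."""
import struct

EXT_SERVER_NAME = 0   # RFC 6066 server_name
EXT_ALPN = 16         # RFC 7301 application_layer_protocol_negotiation

# Routing tables mirroring the hostnames in the thread's HAProxy configs.
SNI_BACKENDS = {
    "broker_0.mydomain.com": "broker_0",
    "broker_1.mydomain.com": "broker_1",
}
# ALPN id -> server inside the backend. "mqtt" is the IANA-registered ALPN id for MQTT;
# routing a WebSocket (HTTP upgrade) client on "http/1.1" is an assumption of this example.
ALPN_SERVERS = {"mqtt": "server_mqtt", "http/1.1": "server_websocket"}


def build_client_hello(sni, alpn_protocols):
    """Build a minimal TLS 1.2 ClientHello record with SNI and ALPN (constructed test input)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name          # host_name type 0
    sni_ext = struct.pack(">HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
    alpn_ext = struct.pack(">HHH", EXT_ALPN, len(protos) + 2, len(protos)) + protos
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + b"\x00" * 32        # version, random (zeroed here)
            + b"\x00"                         # empty session id
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                     # null compression only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni, alpn_list) from one TLS record; ValueError if it is not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if not hs or hs[0] != 1:   # the same test HAProxy's req_ssl_hello_type 1 performs
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    sni, alpn = None, []
    try:
        pos = 2 + 32                                          # skip version and random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        if pos == len(body):
            return sni, alpn                                  # no extensions at all
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                q = 2                                         # skip ServerNameList length
                while q + 3 <= len(data):
                    ntype, nlen = data[q], struct.unpack(">H", data[q + 1:q + 3])[0]
                    if ntype == 0:                            # host_name entry
                        sni = data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            elif etype == EXT_ALPN:
                q = 2                                         # skip ProtocolNameList length
                while q < len(data):
                    plen = data[q]
                    alpn.append(data[q + 1:q + 1 + plen].decode("ascii"))
                    q += 1 + plen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return sni, alpn


def is_client_hello(record):
    """Cheap gate a relay applies before inspecting extensions."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def route(record):
    """Choose (backend, server) as the posted config does: SNI picks the broker, ALPN the listener."""
    sni, alpn = parse_client_hello(record)
    backend = SNI_BACKENDS.get((sni or "").lower())   # req_ssl_sni -i is case-insensitive
    if backend is None:
        return None                                   # no ACL matched: the relay should drop, not guess
    server = next((ALPN_SERVERS[p] for p in alpn if p in ALPN_SERVERS), "server_mqtt")
    return backend, server


if __name__ == "__main__":
    hello = build_client_hello("broker_0.mydomain.com", ["mqtt"])
    print(parse_client_hello(hello), route(hello))
```

Two points this makes visible that the configs alone do not: the relay decides on unauthenticated cleartext fields sent by the client, so a hello whose SNI matches no ACL should be refused rather than sent to a default server, and nothing in the relay checks the name against a certificate; that binding only happens when the mosquitto client verifies the broker's certificate against the host it asked for, which is why SNI on the client is routing help and not an authentication feature.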



On 02 Jun 2015, at 00:27, Jan Weitz <me@xxxxxxxxxxx> wrote:


On 02 Jun 2015, at 00:19, Roger Light <roger@xxxxxxxxxx> wrote:

Hi Jan,

Ah well, I don't think I did too bad!

:)


My worst mistake there was that the ifdef you removed should be an ifndef. I don't suppose that matters for you though.

doh. I did not even figure that out. :)



Thanks again!


Cheers,

Roger



On Mon, Jun 1, 2015 at 11:11 PM, Jan Weitz <me@xxxxxxxxxxx> wrote:
Hi Roger,

thank you for your quick reply, and thank you for this great software!

Your patch almost worked, but the OpenSSL macro did not exist and I need this on the client side (so I can use an iPhone and connect to a TLS mosquitto instance).

Please see the further very small changes on top of your patch against 1.4.2: https://gist.github.com/weitzj/18b07b7402bda937ef18

Actually there are 2 macros to set the TLS extension: either on the ssl instance or the ssl_ctx. Trying to use ssl_ctx did not work for me. So I stayed with your approach using the ssl instance.
I do not know whether this should be before or after the *big instance. It worked in both cases. So I put it before. Also I removed the WITH_BROKER ifdef, since I wanted to use the library to connect from a client to a server.

If you are interested, where this all ends up you can check out: https://github.com/iosphere/MQTTKit/tree/feature/tls_mosquitto_1.4.2_SNI

Greetings,

Jan








On 01 Jun 2015, at 16:00, Roger Light <roger@xxxxxxxxxx> wrote:

Hi Jan,

It seems like it's quite easy. This is completely untested, but try http://h.ral.me/mqtt/sni.patch against 1.4.2.

Cheers,

Roger


On Mon, Jun 1, 2015 at 2:03 PM, Jan Weitz <me@xxxxxxxxxxx> wrote:
Hi,

does mosquitto_client support the TLS server_name extension (SNI)? 

My use case:

I want to run a mosquitto broker via the MQTT protocol as well as the WEBSOCKET protocol on port 443 to keep firewalls happy.

But I do not want to waste IP addresses for each protocol. The mosquitto library should be used from iOS to connect to the broker via SNI.

The broker setup:

I implement VirtualHosting by putting a bunch of independent mosquitto brokers behind a TCP load balancer (HAProxy), doing the SSL termination at each broker instead of the LoadBalancer. So I am using HAProxy as a SSL Relay.

Therefore, the mosquitto client (or every other MQTT client) has to set the ‘server_name’ in order for HAProxy to route to the correct backend server.

Is this already implemented in mosquitto so? Would it be hard to do?

It looks like the Golang mqtt client might already support this by setting the TLSConfig:



Thank you for your help,

Jan


A HAProxy config might look like this:

The mosquitto client might connect to `mqttproxy.mydomain.com` passing the server_name `broker_0_mqtt.mydomain.com` which will cause HAproxy to route the request to my first broker using the MQTT protocol.

Browsers already support SNI. So a browser might connect to `mqttproxy.mydomain.com` as well with the server_name `broker_0_websocket.mydomain.com` and will get the WEBSOCKET protocol.

```
frontend tlsrelay
  bind *:443
  maxconn 40000
  timeout client 3h
  option tcpka
  tcp-request inspect-delay 1s
  tcp-request content accept if { req_ssl_hello_type 1 }
  default_backend bk_tlsrelay

backend bk_tlsrelay
  option tcpka
  timeout server 3h
  option ssl-hello-chk

  acl acl_broker_0_mqtt req_ssl_sni -i broker_0_mqtt.mydomain.com
  acl acl_broker_0_websocket req_ssl_sni -i broker_0_websocket.mydomain.com
  acl acl_broker_1_mqtt req_ssl_sni -i broker_1_mqtt.mydomain.com
  acl acl_broker_1_websocket req_ssl_sni -i broker_1_websocket.mydomain.com

  server server_0_mqtt  192.168.1.1:8883
  server server_0_websocket  192.168.1.1:9002
  server server_1_mqtt  192.168.1.2:8883
  server server_1_websocket  192.168.1.2:9002

  use-server server_0_mqtt if acl_broker_0_mqtt
  use-server server_0_websocket if acl_broker_0_websocket
  use-server server_1_mqtt if acl_broker_1_mqtt
  use-server server_1_websocket if acl_broker_1_websocket
```

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
