Re: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?

Hi Terry,

Sorry for not replying earlier - this isn't an area I have a great
deal of experience in. I've been looking into it but don't think I can
offer any solid advice.

If you do get it all working, please let us know what you did.

Regards,

Roger

On Thu, 11 Aug 2022 at 22:05, <terryatsnort@xxxxxxxxxxx> wrote:
>
> Dear the team,
>
> Just wondering if anyone could help on configuring Mosquitto to use Windows TPM?
>
> Thanks and Regards,
> Terry
> ________________________________
> From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Didi Key <terryatsnort@xxxxxxxxxxx>
> Sent: Monday, August 1, 2022 11:12 AM
> To: mosquitto-dev@xxxxxxxxxxx <mosquitto-dev@xxxxxxxxxxx>
> Subject: [mosquitto-dev] Mosquitto supports TPM 2.0 on Windows?
>
> Dear the team,
>
> G'day!
>
> Here I'd like your help to find out:
>
> if Mosquitto v2.0.14 supports using TPM as OpenSSL's engine on Windows, when TLS is required?
> if yes, then how to configure the broker (for telling Mosquitto to load private key information from TPM instead of a local private key file)?
>
> I noticed that related change (of support TPM) was introduced in Aug 2018, by this commit:
>
> Author:            Nicolás Pernas Maradei <nicopernas@xxxxxxxxx>
> Author date:      4 years ago (12/08/2018 2:57:58 AM)
> Committer:        Roger A. Light <roger@xxxxxxxxxx>
> Commit date:      3 years ago (27/02/2019 2:50:37 AM)
> Commit hash:      20894fcbce661d50f77c49b132dedea4cdc1f5a0
> Parent:                 d5f039ec
>
> The change is to allow using the following options in configuration file to load private key (instead of reading a private key file on the disk)
>
> https://mosquitto.org/man/mosquitto-conf-5.html
> keyfile file path
>
> Path to the PEM encoded server key. This option and certfile must be present to enable certificate based TLS encryption.
>
> The private key pointed to by this option will be reloaded when Mosquitto receives a SIGHUP signal. This can be used to load new keys prior to the existing ones expiring.
>
> require_certificate [ true | false ]
>
> By default an SSL/TLS enabled listener will operate in a similar fashion to a https enabled web server, in that the server has a certificate signed by a CA and the client will verify that it is a trusted certificate. The overall aim is encryption of the network traffic. By setting require_certificate to true, a client connecting to this listener must provide a valid certificate in order for the network connection to proceed. This allows access to the broker to be controlled outside of the mechanisms provided by MQTT.
>
> tls_engine engine
>
> A valid openssl engine id. These can be listed with openssl engine command.
>
> tls_engine_kpass_sha1 engine_kpass_sha1
>
> SHA1 of the private key password when using a TLS engine. Some TLS engines such as the TPM engine may require the use of a password in order to be accessed. This option allows a hex encoded SHA1 hash of the password to be given to the engine directly, instead of the user being prompted for the password.
>
> tls_keyform [ pem | engine ]
>
> Specifies the type of private key in use when making TLS connections. This can be "pem" or "engine". This parameter is useful when a TPM module is being used and the private key has been created with it. Defaults to "pem", which means normal private key files are used.
>
>
> Though, I couldn't find any detailed instructions on the internet (or in the mailing list here); has anyone done a similar setup on Windows using TPM? I'd like to understand more for the questions below:
>
> How to set OpenSSL engine to use TPM as its engine?
> Do we need any 3rd party component to enable Mosquitto using TPM?
> Like this one: https://github.com/tpm2-software/tpm2-openssl "Provider for integration of TPM 2.0 to OpenSSL 3.0"
> But this supports OpenSSL v3.0 only
> If everything works, then what should be specified for the "keyfile" option?
> The source code indicates that we need to pass in this information, but what should it be when using TPM?
>
> https://github.com/eclipse/mosquitto/blob/master/src/net.c#L548
>
> Any advice on this is really appreciated; or if not using TPM, how do you protect the private key file (as best practice) when using TLS? Thank you very much!
>
> Thanks and Regards,
> Terry
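As an added illustration (not code from this thread or from the Mosquitto project), the Python helper below renders a listener block for both tls_keyform styles and lints the engine-related options as the quoted manual page defines them: with "engine", keyfile carries the engine's key identifier rather than a PEM path, and tls_engine_kpass_sha1 is the hex SHA-1 of the engine password. The engine id `tpm2tss`, the key identifier `0x81000001` and the certificate paths are assumed sample values.

```python
import hashlib
import re

# Constructed sample values for illustration; they are not taken from the thread.
TPM_ENGINE_ID = "tpm2tss"    # assumed engine id, as `openssl engine` would list it
TPM_KEY_ID = "0x81000001"    # assumed engine-side key identifier passed as keyfile

def kpass_sha1(password):
    """Hex-encoded SHA-1 of the engine password, the form tls_engine_kpass_sha1 takes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def render_listener(port, certfile, cafile, keyfile, keyform="pem",
                    engine=None, engine_password=None):
    """Render one TLS listener block. With keyform "pem", keyfile is a PEM path on
    disk; with keyform "engine", keyfile is the key identifier the engine resolves."""
    lines = [f"listener {port}", f"certfile {certfile}", f"cafile {cafile}",
             f"keyfile {keyfile}", f"tls_keyform {keyform}", "require_certificate true"]
    if engine:
        lines.append(f"tls_engine {engine}")
    if engine_password is not None:
        lines.append(f"tls_engine_kpass_sha1 {kpass_sha1(engine_password)}")
    return "\n".join(lines) + "\n"

def check_listener(conf):
    """Return the problems found in the TLS engine settings of a listener block."""
    opts = {}
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            opts[parts[0]] = parts[1].strip()
    problems = []
    keyform = opts.get("tls_keyform", "pem")
    if keyform not in ("pem", "engine"):
        problems.append(f"tls_keyform must be pem or engine, got {keyform!r}")
    if keyform == "engine":
        if "tls_engine" not in opts:
            problems.append("tls_keyform engine set but no tls_engine id given")
        if "keyfile" not in opts:
            problems.append("tls_keyform engine set but keyfile (engine key id) missing")
    elif "tls_engine" in opts:
        problems.append("tls_engine set while tls_keyform is pem; keyfile is read as a PEM file")
    kpass = opts.get("tls_engine_kpass_sha1")
    if kpass is not None and not re.fullmatch(r"[0-9a-fA-F]{40}", kpass):
        problems.append("tls_engine_kpass_sha1 must be a 40-character hex SHA-1 digest")
    return problems
```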
