Feature request - MQTT Client Certificate Authentication (MTLs)

[Daniel-dev22]

I took a look at the mqtt configuration in this library and I don't see any mechanism to connect to mqtt via certificate authentication otherwise known as MTLs. Unless I'm mistaken.

This addition would greatly enhance security. It should be implemented in a way that it's optional to use but for those that have certificate authentication setup this provides additional security.

Quick background on client certificate authentication.
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=authentication-mqtt-client-using-tls

I'm more familiar with the python paho mqtt implementation so I'll provide some links to those projects where I helped get MTLs support added as a reference.

jgyates/genmon#1006
bkbilly/lnxlink#87

Happy to help answer any questions on how this works if needed as well.

[scaprile]

We do support client certificate authentication by using two-way TLS. Authentication is done at the TLS level, either by our built-in TLS or by OpenSSL, WolfSSL, MbedTLS.

[Daniel-dev22]

@scaprile I'm referring to MQTT Certificate Authentication though.

Are you saying you support that?

[Daniel-dev22]

This is paho mqtt implementation of client certiticate authentication
https://eclipse.dev/paho/files/paho.mqtt.python/html/client.html#paho.mqtt.client.Client.tls_set

[scaprile]

I think you are confusing what a computer application does with how a communications stack works.
AFAIK there is no such thing as MQTT Certificate Authentication, the security chapter in both MQTT 3.1.1 and MQTT 5.0 is non-normative, and they suggest using TLS. What you are referring to is TLS mutual authentication, also known as 2-way authentication.
MQTT runs on top of TCP. If you want, you can run an intermediate session layer, TLS, and configure to authenticate the server, or both server and client.
And, BTW, Mongoose is not a computer application.
https://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html
https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html
https://mongoose.ws/documentation/tutorials/tls/
https://mongoose.ws/documentation/tutorials/tls/#two-way-tls

mongoose/tutorials/mqtt/mqtt-client/main.c

Lines 31 to 36 in b566b8b

	} else if (ev == MG_EV_CONNECT) {
	if (mg_url_is_ssl(s_url)) {
	struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
	.name = mg_url_host(s_url)};
	mg_tls_init(c, &opts);
	}

just add the client cert as described in the tutorial above:

  struct mg_tls_opts opts = {.ca = mg_unpacked("/certs/ca.pem"),
                             .cert = mg_unpacked("/certs/client_cert.pem"),
                             .key = mg_unpacked("/certs/client_key.pem")};

[Daniel-dev22]

MQTT itself is handling certificate authentication to validate clients auth. Not an external application like a reverse proxy or otherwise.

I'm using client certificate authentication with mqtt right now.

This is what my broker configuration looks like

listener 8883 0.0.0.0

tls_version tlsv1.3

cafile /mosquitto/cert/ca.pem
keyfile /mosquitto/cert/client-key.pem
certfile /mosquitto/cert/client.pem
require_certificate true

When the client connects to the broker it must have a CA cert, client cert and client key. Then the mqtt broker validates the client cert + client key and the client validates the certificate presented by the broker with the CA cert.

This is what I'm referring to.

https://www.hivemq.com/blog/mqtt-security-fundamentals-x509-client-certificate-authentication/

http://www.steves-internet-guide.com/creating-and-using-client-certificates-with-mqtt-and-mosquitto/

[scaprile]

No, that is MQTT over TLS over TCP. and we already support that. You confuse what a computer program does with how systems and communications stacks work.
It is not MQTT that does that, it is the application that starts a TLS session when accepting a TCP connection at port 8883
The client responds and starts the TLS session and after that a regular MQTT login takes place.

See how we handle AWS https://mongoose.ws/documentation/tutorials/mqtt/mqtt-client-aws-iot/ (in addition to all linked and explained above)

Furthermore, this is a one-way example, it can be done mutual/two-way by following indications above or observing the AWS tutorial. We don't connect to HiveMQ because it doesn't yet support TLS1.3, while our built-in stack is 1.3. You can also use MbedTLS or OpenSSL or WolfSSL, as I already told you.

mongoose/tutorials/tcpip/pcap-driver/main.c

Lines 9 to 86 in b566b8b

	#define MQTT_URL "mqtt://broker.emqx.io:1883" // MQTT broker URL
	#define MQTTS_URL "mqtts://mongoose.ws:8883" // HiveMQ does not TLS1.3
	#define MQTT_TOPIC "mg/rx" // Topic to subscribe to
	// // Taken from broker.emqx.io
	static const char *s_ca_cert =
	"-----BEGIN CERTIFICATE-----\n"
	"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n"
	"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
	"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n"
	"WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n"
	"ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n"
	"MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n"
	"h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n"
	"0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n"
	"A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n"
	"T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n"
	"B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n"
	"B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n"
	"KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n"
	"OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n"
	"jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n"
	"qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n"
	"rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n"
	"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n"
	"hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n"
	"ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n"
	"3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n"
	"NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n"
	"ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n"
	"TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n"
	"jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n"
	"oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n"
	"4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n"
	"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n"
	"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n"
	"-----END CERTIFICATE-----\n";
	// "-----BEGIN CERTIFICATE-----\n"
	// "MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh"
	// "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
	// "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n"
	// "MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n"
	// "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
	// "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n"
	// "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n"
	// "2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n"
	// "1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n"
	// "q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n"
	// "tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n"
	// "vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n"
	// "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n"
	// "5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n"
	// "1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n"
	// "NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n"
	// "Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n"
	// "8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n"
	// "pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n"
	// "MrY=\n"
	// "-----END CERTIFICATE-----\n";
	static const char *s_tls_cert =
	"-----BEGIN CERTIFICATE-----\n"
	"MIIBMTCB2aADAgECAgkAluqkgeuV/zUwCgYIKoZIzj0EAwIwEzERMA8GA1UEAwwI\n"
	"TW9uZ29vc2UwHhcNMjQwNTA3MTQzNzM2WhcNMzQwNTA1MTQzNzM2WjARMQ8wDQYD\n"
	"VQQDDAZzZXJ2ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASo3oEiG+BuTt5y\n"
	"ZRyfwNr0C+SP+4M0RG2pYkb2v+ivbpfi72NHkmXiF/kbHXtgmSrn/PeTqiA8M+mg\n"
	"BhYjDX+zoxgwFjAUBgNVHREEDTALgglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDRwAw\n"
	"RAIgTXW9MITQSwzqbNTxUUdt9DcB+8pPUTbWZpiXcA26GMYCIBiYw+DSFMLHmkHF\n"
	"+5U3NXW3gVCLN9ntD5DAx8LTG8sB\n"
	"-----END CERTIFICATE-----\n";
	static const char *s_tls_key =
	"-----BEGIN EC PRIVATE KEY-----\n"
	"MHcCAQEEIAVdo8UAScxG7jiuNY2UZESNX/KPH8qJ0u0gOMMsAzYWoAoGCCqGSM49\n"
	"AwEHoUQDQgAEqN6BIhvgbk7ecmUcn8Da9Avkj/uDNERtqWJG9r/or26X4u9jR5Jl\n"
	"4hf5Gx17YJkq5/z3k6ogPDPpoAYWIw1/sw==\n"
	"-----END EC PRIVATE KEY-----\n";

mongoose/tutorials/tcpip/pcap-driver/main.c

Lines 172 to 175 in b566b8b

	} else if (ev == MG_EV_CONNECT && c->fn_data != NULL) {
	struct mg_tls_opts opts = {.ca = mg_str(s_ca_cert),
	.name = mg_url_host(MQTTS_URL)};
	mg_tls_init(c, &opts);