Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security Concerns

See original GitHub issue

Hello and thanks for all the great work! I am trying to get to grips with creating an encrypted MQTTnet server and there is barely anything in the GitHub wiki documentation on the proper way to do so. Nevertheless, I’ve scraped the issues section and managed to cobble together the following:

_MQTTCertificate =
    new X509Certificate2(path, password, X509KeyStorageFlags.Exportable);

var optionsBuilder = new MqttServerOptionsBuilder()
    .WithEncryptedEndpoint()
    .WithEncryptionCertificate(_MQTTCertificate.Export(X509ContentType.Pfx))
    .WithSubscriptionInterceptor(SubscriptionInterceptor);

    await _MQTTServer.StartAsync(optionsBuilder.Build());

which allows the MQTT server to start - so far, so well.

If a connection is then made using mosquitto_sub client without specifying any certificate, CA nor key:

mosquitto_sub -h MQTTNet.tld -p 8883 -t 'sometopic' -v

then MQTTnet will gladly accept the unencrypted connection and not even warn that the connection is not encrypted.

This is quite the security hazard given that all data flowing between the subscriber and the broker is very much plaintext and, in some cases, may contain sensitive information that can be sniffed right off the network - both the subscription topic and payload data are exposed.

Am I using MQTTnet correctly? If so, then why is MQTTnet accepting an unencrypted connection when it has been explicitly told not to do so? Is there some way to prevent this behaviour?

I can work around the issue by creating an SSL encrypted stream on top of all communication but shouldn’t encryption work with MQTTnet without having to resort to SslStream?

Furthermore, connecting with mosquitto_sub and specifying a CA, client certificate and a certificate key simply leads to mosquitto_sub bailing out with:

Error: A TLS error occurred.

I understand that the latter is a mosquitto_sub issue but I am unsure how to debug given that the connection is handled by MQTTnet internally. MQTTnet does not throw any elucidating errors when mosquitto_sub fails to connect.

Finally, I do not see a way to set the desired protocol version with MQTTnet - does it default to Tls1.2? mosquitto_sub is capable of Tls1, Tls1.1 and Tls1.2 - which one is then implied by MQTTnet if there is no way of selecting?

Thanks!

Issue Analytics

State:
Created 5 years ago
Reactions:1
Comments:5

Top GitHub Comments

3reactions

cxtalcommented, May 5, 2018

I’ll just post the rest here in case other people have the same issue with TLS and MQTTnet - perhaps someone will add the details to the wiki for others.

Generate the MQTTnet server certificates using OwnTracks:

wget https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh

You may need to comment out subjectAltName on certain OpenSSL versions:

--- generate-CA.sh~	2018-05-05 17:44:59.000000000 +0000
+++ generate-CA.sh	2018-05-05 17:46:17.000000000 +0000
@@ -181,7 +181,7 @@
 		%%% nsComment               = "Broker Certificate"
 		%%% subjectKeyIdentifier    = hash
 		%%% authorityKeyIdentifier  = keyid,issuer:always
-		%%% subjectAltName          = $ENV::SUBJALTNAME
+		%%% # subjectAltName          = $ENV::SUBJALTNAME
 		%%% # issuerAltName           = issuer:copy
 		%%% ## nsCaRevocationUrl       = http://mqttitude.org/carev/
 		%%% ## nsRevocationUrl         = http://mqttitude.org/carev/

Run:

chmod +x generate-CA.sh
generate-CA.sh SERVER_HOSTNAME

where SERVER_HOSTNAME MUST be the hostname of the server where the application using MQTTnet runs on.

This will generate ca.crt, ca.key, SERVER_HOSTNAME.crt and SERVER_HOSTNAME.key. Now convert the certificates to PFX with OpenSSL:

openssl pkcs12 -export -out server.pfx -inkey SERVER_HOSTNAME.key -in SERVER_HOSTNAME.crt

It will prompt for a password, so be creative - let’s say it’s going to be somepassword.

Now transfer server.pfx to the application using MQTTnet and initialise the MQTTnet server as follows:

_MQTTCertificate = new X509Certificate2(
    "server.pfx", 
    "somepassword", 
    X509KeyStorageFlags.Exportable
);

var options = new MqttServerOptions
{
    SubscriptionInterceptor = SubscriptionInterceptor,
    DefaultEndpointOptions =
    {
        IsEnabled = false
    },
    TlsEndpointOptions =
    {
        BoundIPAddress = address,
        Certificate = _MQTTCertificate.Export(X509ContentType.Pfx),
        Port = port,
        IsEnabled = true
    }
};

This will force MQTTnet to refuse insecure connections.

Now, for the client, generate client certificates [1]:

openssl genrsa -out client.key 2048
openssl req -new -out client.csr \
    -key client.key -subj "/CN=CLIENT_HOSTNAME"
openssl x509 -req -in client.csr -CA ca.crt \
    -CAkey ca.key -CAserial ./ca.srl -out client.crt \
    -days 3650 -addtrust clientAuth

where, again, CLIENT_HOSTNAME MUST be the hostname of the machine where your MQTT client resides.

Finally, you can test with mosquitto_sub:

mosquitto_sub -h SERVER_HOSTNAME -p PORT -t 'sometopic' -v --cafile ca.crt

where SERVER_HOSTNAME is the hostname of the application running MQTTnet, PORT is the port you chose to initialise MQTTnet and ca.crt was generated in the first steps.

[1] http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt

0reactions

SeppPennercommented, Jun 28, 2019

I’m closing this now. Feel free to open this if you still see any problems.

Top Results From Across the Web

Security Concern - an overview

Security Concern. A security zone is defined as any portion of a network that has specific security concerns or requirements. From: Eleventh Hour...

7 Types of Cyber Security Threats - Online Degree Programs

7 Types of Cyber Security Threats · 1. Malware · 2. Emotet · 3. Denial of Service · 4. Man in the Middle...

Top 10 Types of Information Security Threats for IT Teams

A security threat is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization....

Top Information Security Concerns for Researchers

Top Information Security Concerns for Researchers: Protecting Your Intellectual Assets · 1. What/Where is my research data? · 2. How sensitive is my...

Security concern definition and meaning

Security concern definition: Concern is worry about a situation. [...] | Meaning, pronunciation, translations and examples.