Comments (10)
> @zmstone I don't think so, the default value of this option in the configuration file is also false.

We can change the default value from the backend, but the frontend is an independent implementation.
from emqx.
Here is my proposal.
In 5.8, we will only expose "verify peer" option in config and in dashboard, always force client to send certificate when "verify_peer".
For backward compatibility, we will hide `fail_if_no_peer_cert` from backend schema.
from emqx.
> > Here is my proposal. In 5.8, we will only expose "verify peer" option in config and in dashboard, always force client to send certificate when "verify_peer". For backward compatibility, we will hide `fail_if_no_peer_cert` from backend schema.
>
> emmm What happens to listeners that had `fail_if_no_peer_cert` set to false?

it will be discarded
from emqx.
@ysfscream this is more of a frontend enhancement?
from emqx.
Why do we even have this option? Is there a scenario when a user may want to allow plain tcp connection on SSL port?
from emqx.
@zmstone I don't think so, the default value of this option in the configuration file is also false.
from emqx.
> Why do we even have this option? Is there a scenario when a user may want to allow plain tcp connection on SSL port?

Good point.
from emqx.
@id When `fail_if_no_peer_cert` is false, the client still establishes a TLS connection to the server, it just won't be asked for a client certificate.
The only scenario I can think of is that all the user's clients access from the same TLS port, some of them provide client certificates for two-way authentication, and these clients will skip the password authentication of EMQX. The other part does not provide client certificates, after establishing a TLS connection, they must pass password authentication to actually access EMQX.
However, I think only HTTP authentication currently supports this process.
from emqx.
> Here is my proposal. In 5.8, we will only expose "verify peer" option in config and in dashboard, always force client to send certificate when "verify_peer". For backward compatibility, we will hide `fail_if_no_peer_cert` from backend schema.

emmm What happens to listeners that had `fail_if_no_peer_cert` set to false?
from emqx.
> Why do we even have this option? Is there a scenario when a user may want to allow plain tcp connection on SSL port?

Peer sending its cert is sometimes optional for TLS client (not limited to MQTT).
from emqx.
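The behaviour discussed in this thread (a `verify_peer` listener that still admits clients without a certificate while `fail_if_no_peer_cert` is false, and the proposal to always require one) can be checked across listeners with a small audit. This is an added example, not code from EMQX or from the thread's participants; the dict layout, the listener names and the `verify_none` fallback are assumptions, and the sample data is constructed.

```python
# Added example (not EMQX code). Option names come from the thread;
# listener names and sample values below are constructed.

def client_cert_policy(ssl_options):
    """Return 'not_requested', 'optional' or 'required' for a TLS listener."""
    # Assumption: unset options fall back to the permissive value
    # (the thread states fail_if_no_peer_cert defaults to false).
    if ssl_options.get("verify", "verify_none") != "verify_peer":
        return "not_requested"
    return "required" if ssl_options.get("fail_if_no_peer_cert", False) else "optional"


def handshake_accepted(ssl_options, client_cert):
    """client_cert is None (none sent), 'valid' or 'invalid'."""
    policy = client_cert_policy(ssl_options)
    if policy == "not_requested":
        return True                      # certificate is never checked
    if client_cert is None:
        return policy == "optional"      # TLS still completes without a cert
    return client_cert == "valid"        # a presented cert must always verify


def policy_under_proposal(ssl_options):
    """Proposal in the thread: verify_peer always requires a certificate."""
    forced = dict(ssl_options, fail_if_no_peer_cert=True)
    return client_cert_policy(forced)


def audit(listeners):
    """List listeners that admit cert-less clients although verify_peer is on."""
    findings = []
    for name, opts in sorted(listeners.items()):
        if client_cert_policy(opts) == "optional":
            findings.append({
                "listener": name,
                "now": "optional",
                "under_proposal": policy_under_proposal(opts),
            })
    return findings


# Constructed sample: three listeners with different ssl_options.
SAMPLE = {
    "ssl:default": {"verify": "verify_none"},
    "ssl:mixed": {"verify": "verify_peer", "fail_if_no_peer_cert": False},
    "ssl:mtls": {"verify": "verify_peer", "fail_if_no_peer_cert": True},
}
```

Each listener `audit` returns is one where clients without a certificate depend on a later authentication step, and where the proposed change would start rejecting them at the handshake.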