Comments (4)
Maybe change error to info, as SSL will search for cacert from the OS dir with {cacerts, public_key:cacerts_get()}.
from emqx.
@qzhuyan I think you mean that for two-way authentication, it is allowed not to explicitly set CACert, so that EMQX can find it from the OS dir and provide clear info logs.
For one-way authentication, CACert is not needed at all, and even if it is set, it will not be used, so there should be no logs, not even info level.
Do I understand correctly?
from emqx.
After I double checked, I think the current behaviour is ok, as in the schema cacertfile is not required.
So if it is set, EMQX must find it, otherwise error log it.
Other features like checking the configuration combination of verify_peer, partial_chain and cacerts is a new feature; there will be many branches, so to me it is over engineering, but let Product decide if we really need it and study it first.
BTW, disabling verify_peer will not prevent the TLS client from sending its cert to EMQX according to the standard; the client cert can be used in other subsystems like AUTHN, but EMQX needs to ensure the cert is readable from the lower layer.
from emqx.
"So if it is set, EMQX must find it, otherwise error log it."
I agree that EMQX must ensure that the specified file exists.
But in the current implementation, even if I don't set the CA Cert, EMQX will try to find this file (I'm not sure what EMQX is looking for at this time), and then throw an error log.
Let me sort out my expectations:
1. verify_peer is disabled, and CA Cert is not set: EMQX should not output error logs (now it will).
2. verify_peer is disabled, and CA Cert is set: EMQX will confirm whether the file exists and output an error log if it does not exist.
3. verify_peer is enabled: CA Cert must be set, otherwise it will be considered an incorrect configuration.
1 and 3 are not the current behavior of EMQX.
from emqx.
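The thread above describes two competing expectations for how a listener's verify_peer / cacertfile combination should be handled: the three numbered cases in the last comment, and the earlier suggestion to fall back to the OS CA bundle (public_key:cacerts_get()) at info level. The checker below is an added example, not EMQX code, that models both so the cases can be compared side by side. The function name check_cacert_config, the CheckResult type and the os_trust_store flag are hypothetical; file existence is injectable so the logic can be exercised without real files.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not EMQX code. Models the cacertfile / verify_peer
# expectations discussed in the thread; all names here are hypothetical.


@dataclass(frozen=True)
class CheckResult:
    ok: bool                  # configuration accepted by the listener
    log_level: Optional[str]  # None (silent), "info" or "error"
    message: str


def check_cacert_config(
    verify: str,
    cacertfile: Optional[str],
    os_trust_store: bool = False,
    file_exists: Callable[[str], bool] = os.path.isfile,
) -> CheckResult:
    """Classify one listener's (verify, cacertfile) combination.

    verify          "verify_peer" (two-way TLS) or "verify_none" (one-way TLS)
    cacertfile      path from the listener config, or None when unset
    os_trust_store  model the fallback proposed in the thread: with no
                    cacertfile under verify_peer, use the OS CA bundle
                    (Erlang's public_key:cacerts_get()) and log at info level
    file_exists     injectable for tests; defaults to os.path.isfile
    """
    if verify not in ("verify_peer", "verify_none"):
        raise ValueError(f"unknown verify mode: {verify!r}")

    if cacertfile is not None:
        # Cases 2 and 3 with an explicit path: the configured file must be
        # readable, regardless of verify mode, otherwise log an error.
        if file_exists(cacertfile):
            return CheckResult(True, None, f"cacertfile {cacertfile} loaded")
        return CheckResult(False, "error", f"cacertfile {cacertfile} not found")

    # cacertfile is unset from here on.
    if verify == "verify_none":
        # Case 1: one-way TLS never uses a CA file, so there is nothing to
        # look for and nothing to log.
        return CheckResult(True, None, "verify_none without cacertfile: nothing to load")

    # verify_peer without cacertfile.
    if os_trust_store:
        # Fallback from the first comment: trust the OS bundle, say so at info.
        return CheckResult(True, "info", "verify_peer without cacertfile: using OS CA bundle")
    # Case 3 as the reporter expects: an invalid configuration.
    return CheckResult(False, "error", "verify_peer requires cacertfile")


def summarize(os_trust_store: bool = False) -> list:
    """Evaluate the four combinations with a constructed, missing CA path."""
    rows = []
    for verify in ("verify_none", "verify_peer"):
        for cacert in (None, "/etc/emqx/certs/cacert.pem"):  # constructed path
            r = check_cacert_config(verify, cacert, os_trust_store,
                                    file_exists=lambda p: False)
            rows.append((verify, cacert, r.ok, r.log_level))
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Running the module prints one row per combination with a deliberately missing CA file, which makes the difference between "unset" (cases 1 and 3) and "set but absent" (case 2) visible; passing os_trust_store=True to summarize shows how the OS-bundle fallback turns case 3 from an error into an info log.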