rumqttd: client certs should be configurable

[nathansizemore]

Expected Behavior

To be able to use rustls for tls option and not require client certs.

Current Behavior

All tls connections for rustls are required to client cert.

Context

Client cert tls is the minority of tls sessions in the wild. It should not be the default, or mandated, to be able to use rustls.

[swanandx]

Hey @nathansizemore , I just wanted to check if I understood the issue correctly, plz correct me if i got something wrong!

• by "not require client certs" you actually mean not requiring client cert verification!
• by "Client cert tls" you mean mutual TLS ( verifying client cert )

How we can disable client cert verification:

• by making CA certs optional
• or we can add an extra feature / configuration flag, so that we can explicitly disable client cert verification ( even if CA cert is provided ).

Can you please elaborate more on the issue, thank you so much!

[nathansizemore]

Let me rephrase...

Right now, rumqttd provides two types of TLS:

• Standard TLS where the client verifies the server is trusted
• Mutual TLS/TLS with Client Authentication/whatever fancy name where both verify.

rumqttd should allow the user to determine how TLS is setup first, and second the provider (rustls v native). Right now, it only allows you to choose whether you want to use TLS through rustls or native. Which an unknown side effect of that is if you pick rustls, you are forced to used mTLS. If you pick native, you are forced to use standard TLS.

The patch I provided is just the minimum to allow use of rustls with standard tls flow. For complete parity:

• Config should have the CA field as optional, but required when compiling with validate-tenant-prefix. If the CA field is present, mTLS flow is used.
• Native and rustls impls should be the same. Otherwise, why support both? Mutual TLS has been there forever, there is no reason only rustls should have that option.
• Right now, when using rustls, tenant_id is pulled from the client cert. This seems like a bug in rumqttd features, since it should only apply when validate-tenant-prefix feature is used. This should be fixed so that validate-tenant-prefix requires that mutual tls be used, which should also flip the CA field in the config to be forced.

[swanandx]

gotcha! so we have two different things to do to tackle this two issues:

• making CA optional ( so mTLS is optional )
• feature gate extract_tenant_id logic under validate-tenant-prefix

right? @de-sh suggested we should tackle this in different PRs for each, would you please update the PR #748 accordingly or shall I do it? Thank you so much 💯

[nathansizemore]

As said in the PR, I won't be making anymore contributions to it. Code that does both of these is there, feel free to use it if you want.

You can't do them in separate PRs without breaking things, or making a weird interim feature API.

CA cannot be optional until tentant_id is under validate-tenant-prefix. If you do validate-tenant-prefix first, that feature has to be combined with rusttls to still maintain the current behavior.

[de-sh]

@nathansizemore Thanks for opening the issue, I have opened a PR to solve this without increasing the complexity of code, please validate if this fixes the problem you are facing.

[nathansizemore]

@nathansizemore Thanks for opening the issue, I have opened a PR to solve this without increasing the complexity of code, please validate if this fixes the problem you are facing.

Putting it behind a feature looks good.

[swanandx]

closing this as #756 is merged 🎉 Thanks everyone for your contribution!