Comments (2)
Hi!
There might be several issues, but I can try suggesting some stuff.
```csharp
public bool ValidateCertificates(MqttClientCertificateValidationEventArgs args)
{
    // Build a chain anchored only at our own CA (CustomRootTrust), with no
    // network fetches and no revocation checking.
    var chain = new X509Chain();
    chain.ChainPolicy = new X509ChainPolicy
    {
        DisableCertificateDownloads = true,
        RevocationFlag = X509RevocationFlag.EndCertificateOnly,
        RevocationMode = X509RevocationMode.NoCheck,
        TrustMode = X509ChainTrustMode.CustomRootTrust,
        UrlRetrievalTimeout = new TimeSpan(0, 0, 0),
        VerificationFlags = X509VerificationFlags.NoFlag,
        VerificationTime = DateTime.Now,
        VerificationTimeIgnored = false,
        // the CA certificate is the only trusted root
        CustomTrustStore = { _signingCertificates.ToList()[0] }
    };
    // intermediates that may be needed to complete the chain
    chain.ChainPolicy.ExtraStore.AddRange(_signingCertificates);
    // chain is built for the client certificate (the .pfx), not args.Certificate
    return chain.Build(new X509Certificate2(_clientCertificate));
}
```
This is a custom callback that validates my TLS 1.3 certs; the custom trust store has the ca_cert as an X509Certificate2 and the client certificate is the .pfx generated.
This could in turn be used with the MqttClientOptionsBuilder:
```csharp
.WithTlsOptions(opts =>
{
    // client certificate(s) sent during the TLS handshake
    opts.WithClientCertificates(_provider.GetCertificates());
    opts.WithSslProtocols(SslProtocols.Tls13);
    opts.UseTls();
    // the custom chain validation shown above
    opts.WithCertificateValidationHandler(_provider.ValidateCertificates);
})
```
The GetCertificates is pretty much
```csharp
return new[] { _clientCertificate };
```
which is the .pfx file.
Another thing that might be of interest to check out is the way your operating system handles certificates. I use Linux and I pretty much deploy the ca_cert to the certificate store:
```sh
sudo update-ca-certificates --fresh
sudo cp ca/certificate.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```
I assume that you are using windows so I am not familiar with how windows handles that so you might have to dig a little bit.
from mqttnet.
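The callback above builds a chain for the client's own .pfx rather than for the certificate the broker presents, so it does not actually authenticate the server. The following is an added example (not code from the thread or from MQTTnet) of a handler with the same `MqttClientCertificateValidationEventArgs` signature that validates `args.Certificate` against a pinned private CA. The class name `PinnedCaServerValidator`, the `caPemPath` constructor argument and the logging are assumptions; `CustomRootTrust` requires .NET 5 or later.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MQTTnet.Client;

// Added example: validate the broker certificate against one private CA.
public sealed class PinnedCaServerValidator
{
    private readonly X509Certificate2 _caCert;

    // caPemPath is an assumed argument: PEM file of the CA that signed the broker cert.
    public PinnedCaServerValidator(string caPemPath)
    {
        _caCert = X509Certificate2.CreateFromPemFile(caPemPath);
    }

    // Signature matches what WithCertificateValidationHandler expects.
    public bool ValidateServerCertificate(MqttClientCertificateValidationEventArgs args)
    {
        // SslStream already compared the certificate name with the host we dialed;
        // a custom handler must not silently override that result.
        if ((args.SslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            Console.Error.WriteLine("TLS: broker certificate name does not match the dialed host");
            return false;
        }

        if (args.Certificate == null)
        {
            return false; // broker presented no certificate
        }

        // Build the chain for the certificate the *broker* presented, anchored only
        // at our CA, so the system root store plays no part in the decision.
        using var serverCert = new X509Certificate2(args.Certificate);
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(_caCert);
        chain.ChainPolicy.DisableCertificateDownloads = true;
        // Private CA without CRL/OCSP endpoints (as in the thread): with the default
        // Online mode the build would fail on RevocationStatusUnknown.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (chain.Build(serverCert))
        {
            return true;
        }

        // Log every chain status so a rejected connection is diagnosable.
        foreach (var status in chain.ChainStatus)
        {
            Console.Error.WriteLine($"TLS: broker certificate rejected: {status.Status} ({status.StatusInformation})");
        }
        return false;
    }
}
```

Wire it in with `opts.WithCertificateValidationHandler(validator.ValidateServerCertificate)` in place of the provider method shown in the comment; the client certificate is still supplied through `WithClientCertificates` and is not part of this check.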
Hi @glwalsh
Can you provide the error messages?
I'd suggest the next steps:
1. Validate server TLS certificate
you only need to load the CA file and use `tlsOptions.WithTrustChain()`; note that if your CA does not provide revocation endpoints, you might also need to use `tlsOptions.WithRevocationMode(X509RevocationMode.NoCheck)`
2. Configure the client certificate for authentication
first, you don't need to convert your pem/key files to pfx, as you can load the cert with `X509Certificate2.CreateFromPemFile(certFile, keyFile)`; however, there is this issue in .NET that requires you to export/import the cert before using it, with `new X509Certificate2(cert.Export(X509ContentType.Pkcs12))`
second, you can load the client certificates in tlsOptions with
```csharp
List<X509Certificate2> certs = new();
// load cert + private key straight from the PEM files
var cert = X509Certificate2.CreateFromPemFile(certFile, keyFile);
// round-trip through PKCS#12 so the private key is usable by the TLS stack
certs.Add(new X509Certificate2(cert.Export(X509ContentType.Pkcs12)));
tlsOptions.WithClientCertificates(certs);
```
There is a sample targeting mosquitto in https://github.com/Azure-Samples/MqttApplicationSamples/tree/main/scenarios/getting_started
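Putting both steps of this answer together, the following is an added example (not code from the thread, the Azure sample or MQTTnet itself) that builds complete client options: the CA file becomes the trust chain for server validation, and the PEM cert/key pair is round-tripped through PKCS#12 for client authentication. The class name `MqttTlsClientOptions`, the port 8883 and the file-path parameters are assumptions; the builder methods used are the ones named in the thread (MQTTnet 4.3.x).

```csharp
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using MQTTnet.Client;

// Added example: mutual TLS against a broker signed by a private CA.
public static class MqttTlsClientOptions
{
    public static MqttClientOptions Build(string host, string caFile, string certFile, string keyFile)
    {
        // Step 1: server trust. Only certificates chaining to this CA are accepted,
        // so the OS root store does not need to be touched.
        var trustChain = new X509Certificate2Collection
        {
            X509Certificate2.CreateFromPemFile(caFile)
        };

        // Step 2: client identity. Load PEM cert + key, then export/import as
        // PKCS#12 so the private key is usable by SslStream (the .NET issue above).
        using var pemCert = X509Certificate2.CreateFromPemFile(certFile, keyFile);
        var clientCert = new X509Certificate2(pemCert.Export(X509ContentType.Pkcs12));

        return new MqttClientOptionsBuilder()
            .WithTcpServer(host, 8883) // assumed: standard MQTT-over-TLS port
            .WithTlsOptions(tls =>
            {
                tls.UseTls();
                tls.WithSslProtocols(SslProtocols.Tls13);
                tls.WithTrustChain(trustChain);
                // Only needed when the CA publishes no CRL/OCSP endpoint; otherwise
                // leave the default so revoked broker certificates are rejected.
                tls.WithRevocationMode(X509RevocationMode.NoCheck);
                tls.WithClientCertificates(new[] { clientCert });
            })
            .Build();
    }
}
```

Because `WithTrustChain` supplies the root, no custom validation handler is registered; if the broker certificate does not chain to the CA in `caFile`, the connect attempt fails with a TLS authentication error rather than silently succeeding.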