No CRL check is happening when connecting via websockets with a revoked client certificate

I have the following mosquitto configuration:

log_type error
log_type warning
log_type notice
log_type information
log_dest file /logpath

listener 9005
protocol websockets
cafile /cafilepath
certfile /certfilepath
keyfile /keyfilepath
crlfile /crlfilepath
require_certificate true
use_identity_as_username true

When I connect to local mosquitto using client certificates which are revoked, no CRL check by mosquitto is happening.

If I change configuration protocol to just mqtt, CRL check works.

So, 1) My configuration could be wrong, and something is missing for configuring CRL check via websockets
2) CRL check via websockets doesn’t work in mosquitto

Has anyone bumped into this issue?

Hi,

Unfortunately libwebsockets, the library that mosquitto 2.0 uses for websockets support, doesn’t support CRL checks.

This will change in 2.1 when websockets is handled by mosquitto itself.

Regards,

Roger
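
A configuration check based on the reply above, as an added example that is not part of the original thread or of mosquitto itself: it lists the listeners in a mosquitto.conf that combine "protocol websockets" with "crlfile", the combination the reply says is not enforced in mosquitto 2.0. The function names and the sample configuration are constructed for illustration.

```python
# Added example (not from the thread): find listeners whose crlfile setting
# is silently ineffective because the listener uses protocol websockets.

# Constructed sample, modelled on the configuration in the question.
SAMPLE_CONF = """\
# websockets listener with client certificates and a CRL
listener 9005
protocol websockets
cafile /cafilepath
crlfile /crlfilepath
require_certificate true
use_identity_as_username true

# plain MQTT-over-TLS listener with the same CRL
listener 8883
protocol mqtt
cafile /cafilepath
crlfile /crlfilepath
require_certificate true
"""

def parse_listeners(conf_text):
    """Split a mosquitto.conf into per-listener option dicts."""
    # Options seen before any 'listener' line belong to the default listener.
    listeners = [{"listener": "default"}]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":
            listeners.append({"listener": value})
        else:
            listeners[-1][key] = value
    # Drop the default entry when nothing was configured on it.
    return [l for l in listeners if l["listener"] != "default" or len(l) > 1]

def unenforced_crl_listeners(conf_text):
    """Return listeners that set crlfile but use protocol websockets."""
    return [l["listener"] for l in parse_listeners(conf_text)
            if l.get("protocol", "mqtt").lower() == "websockets"
            and "crlfile" in l]

if __name__ == "__main__":
    for name in unenforced_crl_listeners(SAMPLE_CONF):
        print(f"listener {name}: crlfile set, but CRL not checked over websockets")
```
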

Thanks Roger, now I can move on and live in peace.

Have a nice one!

Also, by any chance, do you know when v2.1 is scheduled?