4

We are experimenting with MQTT in our project.

We have a secure connection to our mqtt broker, so mqtt over TLS (or mqtts) and we use a proper signed certificate (not self-signed) from a trusted source.

With some of our clients we have to pass the CA root certificate (of the certificate provider that signed our server certificate) to allow for a successful handshake procedure.

For example when using mosquitto:

# Publish
mosquitto_pub -h 'mqtt.example.com' -p 8883 --cafile "path/to/certificate/ca.pem" -u "username" -P "password" -t "planet/earth" -m "hello world"

# Subscribe
mosquitto_sub -h 'mqtt.example.com' -p 8883 -t "planet/earth" --cafile "path/to/certificate/ca.pem" -u "username" -P "password" -v -d

If we don't pass the CA-certificate in these examples above we cannot connect (connection is refused).

But when using this node MQTT client we don't need to pass the CA root certificate. Why not? I suspect that this node MQTT client uses the certificate store on my computer to validate our server certificate, but I cannot find any confirmation on this in the documentation.

I am careful and that is why I don't just want to jump to this conclusion, since there might as well be something wrong with the MQTT server/broker configuration that allows connecting without validating the server certificate properly?

So the question: does node-mqtt use the certificate store on my computer? Or does it have a store with trusted CA root certificates?

Anders
  • 64,406
  • 24
  • 178
  • 215
Wilt
  • 833
  • 1
  • 9
  • 13

1 Answers1

3

Lets start with TLS.

Certs to do two things Encrypt a connection and Validate authenticity of both sides of the connection. All major web browsers have a list of Certificate Authorities included by default (ex Firefox). These CAs are used to check all certs you generally come accost on the web. Likewise you also have a client side cert in your browser that is unique to you (unique to your session?), however, it is not signed by any type of CA and thus you have no way of proving to the HTTPS server that you are who you say you are.

It is possible to Verify the Identity of both sides of the TLS connection. In order to do this a HTTPS server has to be configured with a list of client side certs to trust ... or a "Root" cert that all client side certs are signed with (think internal network https for a company).

Node.js is based on chrome and like chrome it uses a list of Certificate Authorities ref ... from a brief skim of my google search this list is configurable within node.js itself.

When I have configured MQTT for TLS in the past I have always done self signed certs for encryption not caring too much about verification of identity ... I would assume that you can configure a list of Certificate Authorities or a Root Certificate, but it is a guess at best.

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
  • 2
    Thanks for your answer and your summary of TLS. I think I understood that part correctly. Your answer also contains [a link to](https://github.com/nodejs/node/issues/4175) what I was looking for. So NodeJS and its modules have access to [this hard-coded list of root certificates](https://github.com/nodejs/node/blob/master/src/node_root_certs.h) and the certificate from our certificate authority is indeed inside this list. This explains why we don't need to pass the certificate when connecting. Mosquitto apparently doesn't have such a list and that's why we need to pass it manually on connect. – Wilt Mar 03 '17 at 15:56