
Comments (8)

savonarola commented on July 22, 2024

As far as I understand, SNI should contain the exact host, not a wildcard to match: not *.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com but clustercfg.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com

from emqx.

savonarola commented on July 22, 2024

Hello!
From v5.6.1 to v5.7.0 we didn't change redis-related connection settings. Can we check that v5.6.1 still connects with the same TLS settings? Wasn't the error caused by the very reconnection attempt?


johannesfknx commented on July 22, 2024

@savonarola Thanks for your reply!
We rolled back to v5.6.1 and connection works fine. We also changed the version back and forth with the same settings. Connection only fails with v5.7.0.


johannesfknx commented on July 22, 2024

Looking at the error message, it might be related to this change: #12962


id commented on July 22, 2024

@johannesfknx could you share cert from your MemoryDB instance with us? We'll try to reproduce the issue.


savonarola commented on July 22, 2024

Yes, this is the default change for all clients, making the checking rules stricter.

ssl {
  enable = true
  verify = "verify_peer"
  cacertfile = "/etc/ssl/certs/ca-certificates.crt"
}

Could you provide the full authorization section of the config?

Also, what is

  • the hostname to which EMQX connects
  • the CNs provided by the host certificate


johannesfknx commented on July 22, 2024

emqx.conf

node {
  name = "[email protected]" # this is overwritten with an env variable
  cookie = "emqxsecretcookie" # this is overwritten with an env variable
  data_dir = "data"
}
cluster {
  name = emqxcl
  discovery_strategy = manual # this is overwritten with an env variable
}
dashboard {
    listeners.http {
        bind = 18083
    }
}
authentication = [{
  auto_reconnect = true
  backend = "redis"
  cmd = "HMGET api:emqx:v0:mqtt_user:$${username} password salt"
  mechanism = "password_based"
  password_hash_algorithm {
    dk_length = 64
    iterations = 10000
    mac_fun = "sha512"
    name = "pbkdf2"
  }
  pool_size = 8
  redis_type = "cluster"
  servers = "$${var.cluster.config_redis_address}" # this is overwritten with an env variable
  ssl {
    enable = true
    verify = "verify_peer"
    cacertfile = "/etc/ssl/certs/ca-certificates.crt"
  }
}]
authorization {
  cache {
    enable = true
    max_size = 20000
    ttl = 30m
  }
  deny_action = "disconnect"
  no_match = "deny"
  sources = [
    {
      auto_reconnect = true
      cmd = "HGETALL api:emqx:v0:mqtt_acl:$${username}"
      pool_size = 8
      redis_type = "cluster"
      servers = "$${var.cluster.config_redis_address}" # this is overwritten with an env variable
      ssl {
        enable = true
        verify = "verify_peer"
        cacertfile = "/etc/ssl/certs/ca-certificates.crt"
      }
      type = "redis"
    }
  ]
}
telemetry {enable = false}
flapping_detect {
  enable = true

  ## The max disconnect allowed of an MQTT Client in `window_time`
  max_count = 10

  ## The time window for flapping detect
  window_time = 1m

  ## How long the clientid will be banned
  ban_time = 5m
}
# When a client subscribes with a wildcard topic, the server will send all matching retained messages at once, leading to a force shutdown of the connection
# this will trigger a reconnect on the client side and the server will send the retained messages again and again and thus create much load on the broker
# therefore, it is better to disable the force shutdown
force_shutdown {enable = false}

with

EMQX_AUTHENTICATION__1__SERVERS : clustercfg.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com:6379
EMQX_AUTHENTICATION__1__SSL__SERVER_NAME_INDICATION : *.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com
EMQX_AUTHORIZATION__SOURCES__1__SERVERS : clustercfg.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com:6379
EMQX_AUTHORIZATION__SOURCES__1__SSL__SERVER_NAME_INDICATION : *.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com

Cert:

Server certificate
subject=CN = *.xxx-config-store.szcvcy.memorydb.eu-central-1.amazonaws.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02

Let me know if you need more information.


zmstone commented on July 22, 2024

Not the first time I've seen people end up confusing wildcard certificates with SNI.

Some learning material: https://www.cloudflare.com/learning/ssl/what-is-sni/

To put it simply, SNI is the server's name (indication) which is sent by the client to the server.
The server takes it to figure out which name the client used to address the server.

Most of the time, SNI is exactly the FQDN the client uses to connect to the server.
However, technically SNI can be anything; it's just that * is most likely not going to work because it is in no way an "indication".

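Worked check of the point made in this thread (savonarola's first comment and zmstone's explanation), as an added example that is not part of the issue or of EMQX's code: it implements the single-label wildcard matching rule that TLS stacks apply to certificate names (RFC 6125 style; whole-label wildcards only, partial wildcards such as `www*` are not supported here) and runs it over the endpoint, SNI value and certificate CN posted above. That a TLS client also uses the configured SNI value as the reference name for the hostname check is an assumption of this example, not something the thread confirms.

```python
import re
from typing import Dict

# One DNS label: alphanumeric, hyphens allowed inside, no '*' and no empty label.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_concrete_hostname(name: str) -> bool:
    """A reference identity (what you send as SNI and verify the certificate
    against) must be a real DNS name, so a wildcard label disqualifies it."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """A '*' as the whole leftmost label of the *certificate* name matches
    exactly one label of the hostname; wildcards elsewhere are rejected."""
    if not is_concrete_hostname(hostname):
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # '*' never spans several labels (a.b.example.com)
    if any("*" in lbl for lbl in cert_labels[1:]):
        return False  # wildcard only allowed in the leftmost label
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False  # '*.com' style names are not acceptable
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))


def check_redis_tls_config(servers: str, sni: str, cert_cn: str) -> Dict[str, object]:
    """Answer the questions asked in the thread: which host is connected to,
    is the SNI a usable reference name, and does the cert cover host and SNI.
    `servers` is the EMQX-style 'host:port[,host:port]' value (assumption)."""
    host = servers.split(",")[0].rsplit(":", 1)[0]
    return {
        "connect_host": host,
        "sni_is_concrete": is_concrete_hostname(sni),
        "cert_covers_sni": cert_name_matches(cert_cn, sni),
        "cert_covers_host": cert_name_matches(cert_cn, host),
        "recommended_sni": host,  # send the exact FQDN you connect to
    }
```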
