rongard

Reputation: 99

Can I use certificate based encryption with Eclipse-Mosquitto and Dynamic Security plugin

For context, I am using the Eclipse Mosquitto broker and would like my clients to connect via TLS/SSL (so both server and client provide a certificate). Also, I would like my broker configuration to be dynamic, for which I would like to use the dynamic-security plugin.

I've studied the dynamic-security plugin documentation and it seems to me that the dynamic-security plugin does not support using certificate-based encryption, as there is no option besides providing a username/password when creating a new client. From here, the command to add a new client is as follows:

{
        "command": "addUser",
        "username": "",                 # Required
        "password": "",                 # Required, must not be empty.
        "clientid": "",                 # Optional, if empty then any client id is valid for 
                                        # this username. If not empty, then only a specific 
                                        # clientid may use this username.
        "policyName": "",               # Optional, if empty or omitted then use the default 
                                        # user policy
},

As can be seen, the username and password are required, not optional. So it seems to me that I cannot define clients which would connect using certificates. Is this correct, and if not, is there documentation somewhere on how to use certificate-based authentication with the dynamic-security plugin?

Upvotes: 0

Views: 317

Answers (1)

hardillb

Reputation: 59781

Assuming you mean certificate based authentication when you said "certificate based encryption"

Then the following 2 configuration options will help:

  • use_subject_as_username
  • use_identity_as_username

These will use either the whole Subject or just the CN value of the client certificate as the username when a new client connects.

Both options are clearly explained in the mosquitto.conf man page available here

You should also be able to set an arbitrary password, iirc.

Upvotes: 0
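
A mosquitto.conf sketch of the setup the answer describes, added here as an example and not taken from the question, the answer or the Mosquitto project. All file paths are placeholders, and it assumes the dynamic-security client is created with a username equal to the CN of the client certificate.

```conf
# TLS listener that requires every client to present a certificate.
listener 8883

# CA that signed the client certificates (placeholder path).
cafile /etc/mosquitto/certs/ca.crt

# Broker certificate and private key (placeholder paths).
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key

# Reject clients that do not present a certificate signed by cafile.
# The *_as_username options below only take effect when this is true.
require_certificate true

# Use the CN of the client certificate as the MQTT username.
use_identity_as_username true

# Alternative: use the whole certificate Subject as the username.
# Enable only one of the two options.
#use_subject_as_username true

# Load the dynamic-security plugin (placeholder paths).
plugin /path/to/mosquitto_dynamic_security.so
plugin_opt_config_file /path/to/dynamic-security.json

# Assumption: the client entry in the dynamic-security configuration
# is created with "username" set to the certificate CN
# (for example "sensor-01", a constructed value), so that the
# plugin's policies are matched against the certificate identity.
```

Keep `require_certificate true` in place whenever either username option is enabled, so that the username the plugin sees always comes from a certificate the broker has verified against `cafile`.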
