Subject: [OASIS Issue Tracker] (MQTT-251) Return server assigned client id to client


    [ https://issues.oasis-open.org/browse/MQTT-251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=59455#comment-59455 ] 

Paul Fremantle commented on MQTT-251:
-------------------------------------

There are a number of security issues that arise from the behaviour that a client gets replaced if another client with the same id connects.

In particular, a common way of sending messages targeted to a single client is to embed the clientid in a topic name: e.g.

/clients/clientid-01234/

And then creating a security access control rule that says only {client-x} can subscribe to /clients/{client-x}

Mosquitto for example makes this possible with a special ACL rule %c.

However, if another client spoofs the clientid then they can access messages. 

One way of mitigating that is if the server generates the clientid randomly. However, the topic model doesn't work in this case (currently) because the client does not know its own client ID and therefore cannot subscribe to the topic /client/{clientid}

Therefore I think it is important that the client can have the clientid returned to it. 

> Return server assigned client id to client
> ------------------------------------------
>
>                 Key: MQTT-251
>                 URL: https://issues.oasis-open.org/browse/MQTT-251
>             Project: OASIS Message Queuing Telemetry Transport (MQTT) TC
>          Issue Type: Improvement
>          Components: futures
>            Reporter: Allan Stockdill-Mander 
>
> In the 3.1.1 specification section 3.1.3.1 http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718031 it is permitted for a client to connect with a zero length client id, the server internally uses a unique identifier for that client but the client does not know the identifier and is required to connect with clean session true.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
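A small Python model of the per-client topic ACL and the server-assigned client id flow the comment above describes, added here as an example (not code from the thread, from Mosquitto, or from the MQTT specification); the `%c` pattern, the topic names and the `assigned_client_id` field in the CONNACK are constructed assumptions:

```python
import secrets

# Constructed Mosquitto-style pattern ACL: "%c" expands to the connecting client's id.
ACL_PATTERNS = ["/clients/%c/#"]

def topic_matches(topic_filter, topic):
    """MQTT topic-filter matching with the '+' and '#' wildcards."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True  # '#' matches this level and everything below it
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

def can_subscribe(client_id, topic):
    """Evaluate the %c pattern ACL for the given client id."""
    return any(topic_matches(p.replace("%c", client_id), topic) for p in ACL_PATTERNS)

class Broker:
    """Toy broker: one session per client id, server-assigned ids for empty ones."""
    def __init__(self):
        self.sessions = {}  # client_id -> Client

    def connect(self, client, client_id):
        if client_id == "":
            # MQTT 3.1.1 section 3.1.3.1 lets the server pick the id; make it unguessable.
            client_id = "auto-" + secrets.token_hex(8)
        old = self.sessions.get(client_id)
        if old is not None:
            old.disconnected = True  # existing session is replaced, as the comment notes
        self.sessions[client_id] = client
        # The improvement MQTT-251 asks for: hand the assigned id back in the CONNACK.
        return {"return_code": 0, "assigned_client_id": client_id}

class Client:
    def __init__(self, broker, client_id=""):
        self.disconnected = False
        ack = broker.connect(self, client_id)
        self.client_id = ack["assigned_client_id"]  # known even when server-assigned

    def subscribe(self, topic):
        return can_subscribe(self.client_id, topic)

    def subscribe_own_inbox(self):
        # Only possible because the CONNACK carried the assigned id.
        return self.subscribe("/clients/%s/inbox" % self.client_id)
```

With a random server-assigned id returned in the CONNACK, the client can subscribe to its own subtree while the ACL still denies every other client's subtree.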