ActiveMQ Artemis / ARTEMIS-5163

Artemis fails to send mqtt will message using mutual TLS


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.31.2, 2.33.0, 2.38.0
    • Fix Version/s: None
    • Component/s: MQTT
    • Labels: None

    Description

      As discussed on the user mailing list, the MQTT broker fails to send the provided will message when using mutual TLS.

      Set-up for testing:

      • ActiveMQ Artemis 2.33 as MQTT broker
      • Artemis runs on jdk-21
      • clients are authenticated using mutual TLS
      • certificate DN is used to map to a user and eventually to the configured roles

      Issue:

      During testing we discovered that the provided will message is not sent as expected. We got the following error messages:

      WARN  [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from / 127.0.0.1:51770. Username: null; SSL certificate subject DN: unavailable
      ERROR [org.apache.activemq.artemis.core.protocol.mqtt] AMQ834007: Authorization failure sending will message: AMQ229031: Unable to validate user from / 127.0.0.1:51770. Username: null; SSL certificate subject DN: unavailable
      

      I did some research in the code base. The class org.apache.activemq.artemis.core.remoting.CertificateUtil retrieves the certificate subject DN from the actual client certificate provided by an existing connection. When trying to send an MQTT will message, there is no connection to the client anymore. Consequently, the broker fails to get the DN. Since the subject DN serves as the key in the authentication cache (org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl), the will message cannot be checked against the access permissions.

      As a workaround, I used the RemotingConnection.clientID as the authentication cache key instead of the DN. That works as long as the parameter security-invalidation-interval is properly defined, i.e. security-invalidation-interval >> sessionExpiryInterval.
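The failure mode and the workaround described above, modelled as an added Python example. This is not Artemis code: the Connection, SecurityStore and simulate_will names, the certificate DN and the timings are all constructed for the illustration; only the cache-key choice (subject DN vs. client ID) and the expiry relationship follow the report.

```python
"""Toy model of an authentication cache consulted when an MQTT will
message is authorized after the client's TLS connection is gone.

Added illustration, not ActiveMQ Artemis code. Connection, SecurityStore
and simulate_will are invented names; CLIENT_DN and the intervals are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample identity: the DN the mTLS client presents and the
# user it maps to (the DN -> user -> roles mapping from the report).
CLIENT_DN = "CN=sensor-01,OU=iot,O=example"
DN_TO_USER = {CLIENT_DN: "sensor-01"}


@dataclass
class Connection:
    client_id: str
    # The peer certificate can only be read while the TLS connection
    # exists; after the client drops the broker sees None ("unavailable").
    peer_cert_dn: Optional[str]


@dataclass
class SecurityStore:
    """Authentication cache keyed by certificate subject DN (behaviour
    as reported) or by MQTT client ID (the reporter's workaround)."""
    key_strategy: str             # "dn" or "client_id"
    invalidation_interval: float  # seconds a cache entry stays valid
    _cache: dict = field(default_factory=dict)  # key -> (user, expires_at)

    def _key(self, conn: Connection) -> Optional[str]:
        if self.key_strategy == "dn":
            return conn.peer_cert_dn  # None once the connection is gone
        if self.key_strategy == "client_id":
            return conn.client_id
        raise ValueError(f"unknown key strategy {self.key_strategy!r}")

    def _fail(self, conn: Connection) -> PermissionError:
        dn = conn.peer_cert_dn or "unavailable"
        return PermissionError(
            f"Unable to validate user. Username: null; "
            f"SSL certificate subject DN: {dn}")

    def authenticate(self, conn: Connection, now: float) -> str:
        """Return the user for this connection or raise PermissionError."""
        key = self._key(conn)
        if key is None:
            raise self._fail(conn)  # DN-keyed lookup has no key to use
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        # Cache miss or expired entry: must re-validate the certificate.
        user = DN_TO_USER.get(conn.peer_cert_dn)
        if user is None:
            raise self._fail(conn)
        self._cache[key] = (user, now + self.invalidation_interval)
        return user


def simulate_will(key_strategy: str, session_expiry_interval: float,
                  invalidation_interval: float):
    """CONNECT at t=0, lose the TLS connection, then try to authorize the
    will message when the MQTT session expires. Returns (sent, detail)."""
    store = SecurityStore(key_strategy, invalidation_interval)
    live = Connection(client_id="sensor-01", peer_cert_dn=CLIENT_DN)
    store.authenticate(live, now=0.0)  # CONNECT succeeds, entry is cached
    # Client is gone: the certificate is no longer readable from the socket.
    gone = Connection(client_id=live.client_id, peer_cert_dn=None)
    try:
        user = store.authenticate(gone, now=float(session_expiry_interval))
        return True, f"will authorized as {user}"
    except PermissionError as exc:
        return False, f"will not sent: {exc}"


if __name__ == "__main__":
    for args in [("dn", 10, 60), ("client_id", 10, 60), ("client_id", 120, 60)]:
        print(args, simulate_will(*args))
```

With the DN as key the will message is refused regardless of timing, because the key itself is derived from a connection that no longer exists. With the client ID as key the cached entry is found only while it is still valid, which is why the workaround needs security-invalidation-interval to exceed the session expiry by a comfortable margin.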

          People

            Assignee: Unassigned
            Reporter: Olaf Gustav (ogust)