Hello @Daria_H,
I have created a custom extension where I have used a MongoDB database for authentication and ACL control (topic permissions and so on). Now I want to add SSL/TLS to my extension, so what are the steps or procedure I can use to implement it? Please provide details on how I can implement SSL/TLS in my custom extension. I want one certificate which will be at the broker's end, and the same certificate will be used by all my clients. Do I need to make any changes in the broker's configuration files? Also consider the broker's config.xml file updates needed to implement and work with TLS/SSL. Please check on this ASAP...
TIA
Hi @Sanket,
Enabling TLS is a simple process. You will need to generate a keystore file, add a TLS listener to your broker's config.xml file, and restart the broker. Here's an example configuration:
<?xml version="1.0" encoding="UTF-8" ?>
<hivemq xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="config.xsd">
    <listeners>
        <tcp-listener>
            <port>1883</port>
            <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
        <tls-tcp-listener>
            <port>8883</port>
            <bind-address>0.0.0.0</bind-address>
            <tls>
                <keystore>
                    <path>hivemq.jks</path>
                    <password>changeme</password>
                    <private-key-password>changeme</private-key-password>
                </keystore>
            </tls>
        </tls-tcp-listener>
    </listeners>
</hivemq>
For more detailed instructions, you can refer to the following resources:
If you have any questions or need further assistance, feel free to reach out.
Best regards,
Dasha from HiveMQ Team
Hello @Daria_H, thank you for the above solution.
As I already mentioned, my custom extension has an authentication check, and when I provide all credentials and the certificate, the certificate is validated, authentication is done, and all logs related to that are printed. But when I provide a wrong certificate, it does not reach authentication; it just tries to validate the certificate, and the validation fails as the certificate is not appropriate, so it does not reach the broker and no log related to that occurs. So is there any way to log or inform the user about an inappropriate certificate?
TIA,
Please look into this ASAP.
Hi @sanket
To better understand the issue, could you please clarify the type of validation failure you are encountering? Specifically, is the issue related to the certificate’s expiry date or a mismatch with the hostname?
For addressing certificate expiry validation, you might find this example helpful: TLS Demo Example. This code snippet demonstrates how to pre-validate the expiry time of a certificate, showing the expiration date if valid, and reporting any errors that occur if the certificate has expired.
Best regards,
Dasha
@Daria_H
It's like this: when we provide correct credentials, authentication is successful and a log is shown, because I have logged them; likewise, if we provide wrong credentials, authentication fails but it still logs whichever condition matched. So when I use the correct self-signed certificate, which I generated and used in the keystore, the certificate is valid and it goes on to the authentication check for that client. But if the certificate is invalid for any reason, or the client is mistakenly using a wrong certificate, then that client will not reach the authentication check, hence there are no logs or anything from which the user can get to know that it is a wrong or invalid certificate and that authentication cannot proceed. So I wanted to know whether there is any way we can work this out. Also, the link you provided shows a "page not found" 404.
TIA
@sanket I have fixed the link you mentioned—feel free to try it again.
Regarding the description of your problem, I understand that the issue involves logging and authentication with certificates. The details you've shared are quite vague; feel free to share your project repo to provide additional context. This way, we can get a clearer understanding of the issue.
Best regards,
Dasha from the HiveMQ Team
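The two points discussed above, creating the keystore for the tls-tcp-listener in the first reply and what happens when a client trusts the wrong certificate in the exchange that follows, as one added shell example. This is not code from HiveMQ or from anyone in this thread. It assumes openssl (1.1.1 or later) is installed; the common name broker.example.com, the file names, the alias hivemq and the password changeme are placeholders; and it assumes the broker accepts a PKCS#12 keystore in place of a .jks (check the HiveMQ documentation for the keystore formats your version supports; keytool -importkeystore converts the .p12 into a .jks if needed). The openssl verify step stands in for what a client's TLS library does before it sends CONNECT: with the broker's own certificate as its trust anchor verification succeeds, with an unrelated certificate it fails, and because that failure happens inside the handshake no authenticator in the extension ever runs and the broker has nothing to log beyond a closed connection.

```shell
#!/bin/sh
# Added example, not HiveMQ's code. Builds a self-signed broker certificate,
# packages it as a PKCS#12 keystore for the tls-tcp-listener, exports the
# certificate every client has to trust, and shows what a client sees when it
# trusts the wrong certificate. Assumes openssl (1.1.1 or later) is installed.
# broker.example.com, hivemq.p12, the alias "hivemq" and "changeme" are
# placeholders (assumptions), not values taken from the thread.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KS_PASS="${KS_PASS:-changeme}"
BROKER_HOST="broker.example.com"

# Self-signed certificate + key for the broker, valid for one year, then a
# PKCS#12 keystore protected with the password that goes into config.xml.
# (Assumed alternative to a .jks; "keytool -importkeystore -srcstoretype PKCS12"
# converts it to JKS if the broker version insists on .jks.)
make_broker_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$BROKER_HOST" \
    -addext "subjectAltName=DNS:$BROKER_HOST" \
    -keyout "$WORKDIR/broker.key" -out "$WORKDIR/broker.crt" 2>/dev/null
  openssl pkcs12 -export -name hivemq \
    -inkey "$WORKDIR/broker.key" -in "$WORKDIR/broker.crt" \
    -passout "pass:$KS_PASS" -out "$WORKDIR/hivemq.p12"
  # Fail early if the keystore cannot be opened with the configured password.
  openssl pkcs12 -in "$WORKDIR/hivemq.p12" -nokeys \
    -passin "pass:$KS_PASS" -out /dev/null
}

# A second, unrelated self-signed certificate: what a client that is
# "mistakenly using the wrong certificate" has as its trust anchor.
make_other_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other" \
    -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.crt" 2>/dev/null
}

# Pre-validate the expiry date: exit 0 if the certificate is still valid
# right now, non-zero if it has already expired.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# What the client's TLS library does before it ever sends an MQTT CONNECT:
# build a chain for broker.crt from the trust anchor it was given ($1) and
# check the hostname against the certificate's subjectAltName.
client_trusts_broker() {
  openssl verify -verify_hostname "$BROKER_HOST" -CAfile "$1" \
    "$WORKDIR/broker.crt" >/dev/null 2>&1
}

# The tls-tcp-listener from the reply above, pointed at the PKCS#12 file.
listener_config() {
  cat <<EOF
<tls-tcp-listener>
    <port>8883</port>
    <bind-address>0.0.0.0</bind-address>
    <tls>
        <keystore>
            <path>$WORKDIR/hivemq.p12</path>
            <password>$KS_PASS</password>
            <private-key-password>$KS_PASS</private-key-password>
        </keystore>
    </tls>
</tls-tcp-listener>
EOF
}

make_broker_keystore
make_other_cert
cert_not_expired "$WORKDIR/broker.crt" && echo "broker.crt: not expired"
client_trusts_broker "$WORKDIR/broker.crt" \
  && echo "client trusting broker.crt: handshake proceeds, CONNECT reaches the authenticator"
client_trusts_broker "$WORKDIR/other.crt" \
  || echo "client trusting other.crt: verification fails in the handshake, broker only sees a closed connection"
echo "Distribute $WORKDIR/broker.crt to the clients; add this listener to config.xml:"
listener_config
```

Because the handshake failure is the client's, the place to surface "wrong certificate" to the user is the client's TLS error (its verify result or logged SSL exception); on the broker side only the listener's own connection logging can show the aborted handshake, and none of it passes through the extension's authenticator.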
Hello @Daria_H, @Diego,
When I connect a client to the broker, its keep-alive time is by default 60 seconds, because a ping request is intercepted every 60 seconds. Likewise, when I connect multiple clients, suppose some clients are inactive for a long time; every 60 seconds they will send a ping request, and I think there is no need to send a response to the client again, because when the broker intercepts the ping request it assumes the client is still connected. Am I right? But sometimes some clients get disconnected, stating that the client was idle for too long. What should I do when I want the following: only if the user disconnects the client should it disconnect, or situations like connection loss can cause disconnections, but the server should not disconnect a client for inactivity, because some clients may have a time interval of 15 minutes between publishing messages, some might publish a message every 30 seconds, and likewise every client may have a different publishing interval. So how can we implement this? Please provide details regarding the above problem...
TIA
Please look into this ASAP.
Hello @Diego, @Daria_H,
Please look into my above query as well. I have another query: in config.xml, for the tls-tcp listener using port 8883, a .jks file is mentioned, so is it compulsory to use a .jks file, or is there any alternative to a .jks file? If there is an alternative, then please provide me with the details.
TIA