Comments (10)

zmstone avatar zmstone commented on July 17, 2024 1

@seguidor777 updated docker image here:
#176
for the enoent, please make sure the files are mounted to docker and use abs path for the options (--certfile etc.).

from emqtt-bench.

zmstone avatar zmstone commented on July 17, 2024

Hi @seguidor777
We discussed it before, the conclusion is: bench is a load generator, adding more load (cert validation) to the load-generator doesn’t really benefit anyone.

seguidor777 avatar seguidor777 commented on July 17, 2024

I see, the issue is that currently I'm trying to load test my mqtt broker using self-signed certificates, but that means that I'd need to skip the peer verification or to use a trusted CA instead.
Thanks for the clarification, I think we can close this issue

zmstone avatar zmstone commented on July 17, 2024

You can still configure key and cert for the client to send to the broker. The broker will validate its cert against its own trusted ca bundle.

cacertfile for the client is only to validate server’s cert.

I.e. self-signed or not makes no difference in this regard.

seguidor777 avatar seguidor777 commented on July 17, 2024

> cacertfile for the client is only to validate server’s cert.

Yeah I agree on that, but in my case I have a self-signed cert and the emqx server is running with the verify_peer setting enabled. I think that I have two options if I want to continue using the self-signed cert:

  1. Change the emqx ssl setting to verify_none
  2. Pass the cacert to emqtt-bench in order to do the x509 path validation

zmstone avatar zmstone commented on July 17, 2024

> > cacertfile for the client is only to validate server’s cert.
>
> Yeah I agree on that, but in my case I have a self-signed cert and the emqx server is running with the verify_peer setting enabled. I think that I have two options if I want to continue using the self-signed cert:
>
>   1. Change the emqx ssl setting to verify_none
>   2. Pass the cacert to emqtt-bench in order to do the x509 path validation

Sorry for the late reply, my inbox exploded.
For emqx to verify client certificates, you only need to supply the client-side (emqtt_bench) certfile option; there is no need for a cacertfile.

In certfile, put the client certificate at the top of the file, followed by the immediate issuer certificate, then the issuer’s issuer certificate, and so on, all the way to the root CA certificate (root is actually optional).

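The certfile ordering described in the comment above can be checked before a benchmark run. This is an added example, not part of the thread or of emqtt-bench: the function names, file names and demo certificate subjects are constructed, it needs the openssl CLI, and it compares issuer and subject names only (it does not verify signatures).

```bash
# Added example, not from the emqtt-bench project. Needs the openssl CLI.

# Succeeds when every certificate in bundle $1 is issued by the certificate
# that follows it: client first, then its issuer, and so on (root optional).
# The body runs in a subshell, so variables and the temp dir stay local.
check_chain_order() (
    tmp=$(mktemp -d) || exit 2
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    count=$(ls "$tmp" | wc -l)
    rc=0; i=1
    [ "$count" -ge 1 ] || rc=2          # no certificate found at all
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/$i.pem")
        next=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/$((i + 1)).pem")
        if [ "${issuer#issuer=}" != "${next#subject=}" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Build a constructed demo PKI (root -> intermediate -> client) in directory $1.
# The demo certs carry no CA extensions; only their names matter for this check.
make_demo_chain() (
    cd "$1" || exit 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    issue() {  # issue <name> <CN> <issuer-name> <serial>
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null
        openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
            -set_serial "$4" -days 1 -out "$1.crt" 2>/dev/null
    }
    issue inter "Demo Intermediate CA" root 2
    issue client "demo-client" inter 3
    cat client.crt inter.crt root.crt > good-chain.crt   # order from the thread
    cat inter.crt client.crt root.crt > bad-chain.crt    # client cert not first
)
```

Run `make_demo_chain` on an empty directory, then `check_chain_order` on `good-chain.crt` (exit status 0) and `bad-chain.crt` (exit status 1).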

seguidor777 avatar seguidor777 commented on July 17, 2024

Hi @zmstone.
No worries, thanks for getting back.
I've tested passing the client certificate with the issuer after, but the mqtt client is still asking for cacertsfile/cacert. How can I work around this?

$docker run -it emqtt_bench conn -c 1 -i 10 -h 192.168.1.68 -p 8883 --ssl --certfile cert-chain.crt --keyfile client.key
Start with 8 workers, addrs pool size: 1 and req interval: 80 ms 

=WARNING REPORT==== 31-May-2022::22:43:53.043774 ===
Description: "Authenticity is not established by certificate path validation"
     Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

client(1): connect error - {options,
                               {keyfile,
                                   "client.key",
                                   {error,enoent}}}
client(1): EXIT for {shutdown,
                        {options,
                            {keyfile,
                                "client.key",
                                {error,enoent}}}}
1s connect_fail total=1 rate=1.00/sec

zmstone avatar zmstone commented on July 17, 2024

enoent indicates the file doesn’t exist.
The warning is a bug from Erlang/OTP. Which version do you use?

seguidor777 avatar seguidor777 commented on July 17, 2024

I'm using docker image version 0.4.4-33-g09752e5, not sure which Erlang version it's using

seguidor777 avatar seguidor777 commented on July 17, 2024

Rookie mistake, thanks @zmstone
