MyQttd mod-ssl configuration

Introduction to mod-ssl

SSL/TLS configuration for MyQttD is handled through this module. In essence, this module allows to configure the list of certificates associated to the serverName (if available) so MyQttD can select the right certificate according to the connecting client.

Enabling mod-ssl

The module expects to find a configuration file located, usually located at /etc/myqtt/ssl/ssl.conf. If you do not have it, you can use the example provided by running:

>> mv /etc/myqtt/ssl/ssl.example.conf /etc/myqtt/ssl/ssl.conf

Before using it, you have to enable the module by running something like:

>> ln -s /etc/myqtt/mods-available/mod-ssl.xml /etc/myqtt/mods-enabled/mod-ssl.xml
>> service myqtt restart

Configuring mod-ssl

Let's assume we have the default configuration provided by ssl.example.conf:

<mod-ssl debug="no" >
   <!--  -*- nxml -*-  -->
   <!--  set debug='yes' to have more information about the module
       dropped into the log  -->
   <certificates>
      <!--  <cert serverName="localhost" 
	       crt="localhost.crt" 
	       key="localhost.key" 
	       [ chain="localhost.chain.crt" ]
	       [ ca="localhost.root.ca.crt" ]
	       [ verify-peer="yes" ] 
	       [ default="yes" ]
	       />  -->
      <cert key="localhost.key" 
            crt="localhost.crt" 
            serverName="localhost" />
   </certificates>
</mod-ssl>

This file (ssl.conf) includes a list of certificates associated to the serverName (the common name requested through SNI, or Host: header requested through the WebSocket bridge).

The first certificate declared as default="yes" will be used in the case no serverName matches. If no certificate is declared as such, the first certificate on the list will be used as default certificate.

Enabling mod-ssl debug

You can enable debug flag so mod-ssl module will drop more logs into the console and logs. For that just set debug='yes' inside top <mod-ssl> node, at the ssl.conf, usually located at /etc/myqtt/ssl/ssl.conf