Why you should use mTLS to secure your connections
Standard TLS encrypts traffic and lets clients verify the server, but it leaves a critical question unanswered: who is the client? Mutual TLS (mTLS) answers that question. Both sides of the connection present a certificate, both sides verify the other. No certificate, no connection.
This post explains why mTLS is worth the setup by walking through the problems it solves. mTLS support is available in LavinMQ from version 2.7.0.
The problem with passwords alone
LavinMQ already supports username/password authentication, and it is still the most common way to authenticate, but relying on passwords alone carries risks, including:
- Credential leakage. Passwords end up in config files, environment variables, CI logs, and container images. A leaked password grants that user's full access to the broker until someone rotates it.
- No proof of identity. A valid password proves someone knows the password, not who they are. Any process with the right string can connect.
- Shared secrets scale poorly. As the number of services grows, managing unique passwords per client becomes an operational burden. Teams fall back to shared credentials, making revocation nearly impossible without disrupting everything.
- Reuse and brute-force attacks. A stolen password works from anywhere, as often as the attacker likes, until it is rotated, and without rate limiting (which most brokers don't enforce at the protocol level) a weak password can simply be guessed.
What mTLS gives you
mTLS shifts authentication from “something you know” to “something you have” — a private key that never leaves the client. Here is what that buys you:
Strong identity on both sides
The server verifies the client's certificate against a trusted Certificate Authority (CA), and the client verifies the server's. An attacker who has stolen a password still cannot connect without a certificate signed by your CA, and the private key behind that certificate never travels over the wire. The flip side is that any certificate chaining to a CA the broker trusts is accepted, so that CA must be one you control, and revoking a client means revoking its certificate (or letting it expire) rather than rotating a shared secret.
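To make that handshake concrete, here is an added example written for this post (it is not LavinMQ's code, and it does not show LavinMQ's configuration or an AMQP client). It is Go using only the standard library: it creates an in-memory CA, issues a server certificate and a client certificate from it, starts a TLS server that requires a client certificate, and then tries three clients against it. The names example-internal-ca, lavinmq.internal, billing-service and someone-elses-ca are placeholders chosen for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) { // demo only: abort on errors that only a broken RNG or a coding mistake could cause
	if err != nil {
		panic(err)
	}
}

// mustIssue mints an ECDSA P-256 certificate: a self-signed CA when parent is nil, else a leaf signed by parent.
func mustIssue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo-only serial
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, // a leaf may play either role
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // the SAN a client checks the server against
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent was given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer listens on a loopback port, requires a client certificate chaining to clientCAs, and greets accepted clients with their CommonName.
func startServer(serverCert tls.Certificate, clientCAs *x509.CertPool) (addr string, stop func()) {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs,
		ClientAuth: tls.RequireAndVerifyClientCert} // the mTLS switch: no trusted certificate, no connection
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() { // serving one connection at a time is enough for the demo
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // fails on a missing or untrusted client cert
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close() // a rejected client has already been sent the TLS alert
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect dials the server, verifying it against roots, and offers the given client certs (none means
// no client certificate). Under TLS 1.3 the server's verdict on the client certificate arrives as an
// alert after the client's own handshake has returned, so a rejection may surface in Read, not Dial.
func connect(addr string, roots *x509.CertPool, certs ...tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, Certificates: certs})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	msg, err := io.ReadAll(conn) // the server closes after greeting, so a clean EOF is success
	return string(msg), err
}

// RunDemo tries three clients against an mTLS server: a cert from the trusted CA, no cert, and a same-CN cert from a foreign CA.
func RunDemo() (greeting string, validErr, noCertErr, wrongCAErr error) {
	ca := mustIssue("example-internal-ca", true, nil)
	server := mustIssue("lavinmq.internal", false, &ca)
	client := mustIssue("billing-service", false, &ca)
	rogueCA := mustIssue("someone-elses-ca", true, nil)
	rogue := mustIssue("billing-service", false, &rogueCA)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	addr, stop := startServer(server, trusted)
	defer stop()
	greeting, validErr = connect(addr, trusted, client)
	_, noCertErr = connect(addr, trusted)
	_, wrongCAErr = connect(addr, trusted, rogue)
	return
}

func main() { fmt.Println(RunDemo()) }
```

Run it with go run and the first client is greeted as billing-service while the other two get a TLS alert. The third attempt is the one worth dwelling on: the rogue certificate carries the same CommonName as the legitimate one and is still refused, because identity comes from the chain to a CA the server trusts, not from the name printed in the certificate. Note also that the refusal can arrive after tls.Dial has returned (TLS 1.3 delivers the server's alert on the first read), so a client that only checks the dial error can mistake a refused connection for an accepted one.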
Zero-trust alignment
In a zero-trust architecture, every connection must be authenticated regardless of network location. mTLS enforces this at the lowest practical layer. It pairs naturally with service meshes and certificate issuers like Vault, cert-manager, or CFSSL.
Compliance
Standards and frameworks such as PCI DSS, HIPAA, and SOC 2 call for strong authentication on systems that handle sensitive data. mTLS helps meet those requirements with cryptographic proof of identity rather than shared secrets.
Upgrade to LavinMQ 2.7 to enable mTLS, and check out the release notes for what else is new in 2.7.
Magnus Landerblom