[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
[mosquitto-dev] "bridge_insecure" doesn't seem to work?
|
Hi,
I'm trying to set up a Mosquitto Bridge which connects to a central broker. The central broker exposes MQTT over TLS and has a (self-signed) certificate. When connecting to the central broker, I'd like Mosquitto to check the hostname/CN in the certificate. According to the Mosquitto documentation this should be possible by using the bridge_insecure option, but this does seem to work. The Mosquitto bridge neither verifies the certificate chain nor the hostname/CN.
Digging through the Mosquitto source code (disclaimer: I'm not a C programmer), I noticed that when setting up a new context for the bridge (in src/bridge.c at around line ~130) tls_cert_reqs isn't set. When explicitly adding this and forcing it to verify the peer (new_context->tls_cert_reqs = SSL_VERIFY_PEER;) the certificate verification suddenly works.
Did I miss something from the documentation, or is the default behavior for the bridge not to verify the peer certificate?
Thanks!
Stefan
