Re: [mosquitto-dev] "bridge_insecure" doesn't seem to work?
Hi Stefan,
Thanks for this. The intention is that the default behaviour is the
most secure - and so you can use tls_insecure to have less strict
checks if you wish. This means that tls_cert_reqs should be set to
SSL_VERIFY_PEER for bridges as well.
I've just pushed a change that implements this:
https://bitbucket.org/oojah/mosquitto/commits/4b71be188bac7927c8c7fea5648f15a5acf1cad8
Thanks again,
Roger
On Tue, Apr 22, 2014 at 12:11 AM, Stefan Borsje <stefan@xxxxxxxxxxxxx> wrote:
> Hi,
>
> I'm trying to set up a Mosquitto Bridge which connects to a central broker. The central broker exposes MQTT over TLS and has a (self-signed) certificate. When connecting to the central broker, I'd like Mosquitto to check the hostname/CN in the certificate. According to the Mosquitto documentation this should be possible by using the bridge_insecure option, but this does seem to work. The Mosquitto bridge neither verifies the certificate chain nor the hostname/CN.
>
> Digging through the Mosquitto source code (disclaimer: I'm not a C programmer), I noticed that when setting up a new context for the bridge (in src/bridge.c at around line ~130) tls_cert_reqs isn't set. When explicitly adding this and forcing it to verify the peer (new_context->tls_cert_reqs = SSL_VERIFY_PEER;) the certificate verification suddenly works.
>
> Did I miss something from the documentation, or is the default behavior for the bridge not to verify the peer certificate?
>
> Thanks!
> Stefan
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
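For readers setting up the bridge described in this thread, the following mosquitto.conf bridge section is an added example (written for this page, not taken from the mosquitto project or from either poster). It shows the configuration a bridge needs so that the peer certificate chain and the hostname/CN are checked, with the weaker setting kept beside it as a commented-out line. The connection name, hostname, file paths and topic are placeholders; the option names (`connection`, `address`, `bridge_cafile`, `bridge_insecure`, `topic`) are the documented mosquitto.conf bridge options.

```conf
# Added example, not from the mosquitto project or this thread.
# Bridge that connects to a central broker over TLS and verifies its
# certificate chain and hostname. Hostnames and paths are placeholders.
connection central
address central-broker.example.com:8883

# CA certificate that signed the central broker's certificate. For a
# self-signed broker certificate this is that certificate itself.
bridge_cafile /etc/mosquitto/certs/central-ca.crt

# Default, spelled out: verify the peer certificate against bridge_cafile
# and require that its CN/SAN matches the hostname given in "address".
bridge_insecure false

# Weaker setting: the chain is still verified, but the hostname check is
# skipped, so any certificate issued by the CA above is accepted.
# bridge_insecure true

topic sensors/# out 1
```

To confirm that the central broker presents a certificate whose CN/SAN matches the name used in `address`, connect to it once with `openssl s_client -connect central-broker.example.com:8883 -CAfile /etc/mosquitto/certs/central-ca.crt -verify_hostname central-broker.example.com` and check that the verify result is 0; if the bridge log shows a TLS error with `bridge_insecure false` but connects with `bridge_insecure true`, the certificate's name does not match the address rather than the chain being wrong.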