Re: [paho-dev] Interesting problem with HiveMQ TLS, mosquitto_foo and CA cert stores.

Hi Alex,

Since 2.0 the clients behave slightly differently. If the port is
8883, then they will enable TLS mode and load the OS provided CA
certificates unless --capath or --cafile are used. Before this you
always had to specify --cafile or --capath.

I've updated the man pages (in the repository only at the moment) to
explain this.

Cheers,

Roger


On Tue, 24 Aug 2021 at 14:21, Alex J Lennon
<ajlennon@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi all,
>
> I ran into an interesting thing with an eval of HiveMQ I was doing the
> other day.
>
> I set up a cluster and used their Quickstart to try to publish to it
> over TLS.
>
> Their example command is of the form:
>
> $ mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud
> -p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello'
>
> Now when I do that I get errors connecting
>
> We had a bit of a chat and cutting a long story short I need to add the
> --capath
>
> $ mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud
> -p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello' --capath
> /etc/ssl/certs/
>
> I'm on a reasonably standard Ubuntu 20.04 LTS here and I had a colleague
> test on his Linux Mint install. Both are mosquitto_sub 1.6.9
>
> Seimon also tested with a docker command which _did_ work without --capath
>
> sw@alpha:~$ docker run -it --rm --network host eclipse-mosquitto /bin/sh
> / # mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud
> -p 8883 -u seimon -P "Letmein1234" -t 'my/test/topic' -m 'Hello'
>
> I did a quick strace and without --capath there doesn't seem to be any
> cert. store accessed so it doesn't seem like it's defaulting somewhere else.
>
> I looked at the man page and it says capath is required:
>
> "To enable TLS connections when using x509 certificates, one of either
> --cafile or --capath must be provided as an option."
>
> I am just interested to know if something has changed somewhere in terms
> of the client implementation defaults as it's quite odd HiveMQ haven't
> seen this before and some implementations don't seem to need it?
>
> Cheers!
>
> Alex
>
>
> _______________________________________________
> paho-dev mailing list
> paho-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/paho-dev
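A small POSIX shell helper, added here as an example and not code from this thread or from the mosquitto project, that encodes the rule Roger describes: a pre-2.0 client does not enable TLS at all unless --cafile or --capath is given, while a 2.0+ client turns on TLS with the OS CA store by itself, but only on port 8883. The helper assumes that the first line of `mosquitto_pub --help` reads "mosquitto_pub version X.Y.Z ..." and that /etc/ssl/certs/ is the OS CA directory, as in Alex's working command.

```shell
#!/bin/sh
# Added example: decide which extra arguments a given mosquitto client
# needs for a verified TLS connection that uses the OS CA bundle.
# Assumption: "mosquitto_pub --help" starts with
# "mosquitto_pub version X.Y.Z running on libmosquitto X.Y.Z."

# Pull "X.Y.Z" out of the first line of --help output (constructed format).
client_version_from_help() {
    printf '%s\n' "$1" |
        sed -n 's/^mosquitto_[a-z]* version \([0-9][0-9.]*[0-9]\).*/\1/p; 1q'
}

# Leading number of a dotted version string, e.g. "1.6.9" -> "1".
major_version() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Print the arguments to append so that TLS is enabled AND the server
# certificate is verified against the OS store. Prints nothing only when
# the client already does that by default: version >= 2.0 on port 8883.
# A pre-2.0 client (any port) or a 2.0+ client on a non-8883 port would
# otherwise not use TLS at all, so --capath is required there.
tls_args_for_client() {
    version=$1
    port=$2
    capath=${3:-/etc/ssl/certs/}
    if [ "$(major_version "$version")" -ge 2 ] && [ "$port" -eq 8883 ]; then
        return 0
    fi
    printf -- '--capath %s' "$capath"
}

# Wrapper: mqtt_pub_tls HOST PORT [further mosquitto_pub args...]
# Detects the installed client version and adds --capath when needed.
mqtt_pub_tls() {
    host=$1
    port=$2
    shift 2
    first_line=$(mosquitto_pub --help 2>&1 | head -n 1)
    ver=$(client_version_from_help "$first_line")
    # Word splitting of the helper's output is intended here.
    # shellcheck disable=SC2046
    mosquitto_pub -h "$host" -p "$port" $(tls_args_for_client "$ver" "$port") "$@"
}
```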