[mosquitto-dev] "bridge_insecure" doesn't seem to work?


I'm trying to set up a Mosquitto Bridge which connects to a central broker. The central broker exposes MQTT over TLS and has a (self-signed) certificate. When connecting to the central broker, I'd like Mosquitto to check the hostname/CN in the certificate. According to the Mosquitto documentation this should be possible by using the bridge_insecure option, but this does seem to work. The Mosquitto bridge neither verifies the certificate chain nor the hostname/CN.

Digging through the Mosquitto source code (disclaimer: I'm not a C programmer), I noticed that when setting up a new context for the bridge (in src/bridge.c at around line ~130) tls_cert_reqs isn't set. When explicitly adding this and forcing it to verify the peer (new_context->tls_cert_reqs = SSL_VERIFY_PEER;) the certificate verification suddenly works.

Did I miss something from the documentation, or is the default behavior for the bridge not to verify the peer certificate?
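
Added example, not part of the original post and not Mosquitto code: Python's ssl module (a wrapper around OpenSSL) is used to compare what a TLS client accepts when peer verification is off with what it accepts when verification is required. It assumes the openssl CLI is on PATH to create a throwaway self-signed certificate; the hostnames central.example and other.example and all function names are constructed for the example.

```python
import os, ssl, subprocess, tempfile

def make_self_signed(workdir, name):
    """Throwaway self-signed server cert via the openssl CLI (assumed on PATH)."""
    crt, key = os.path.join(workdir, "srv.crt"), os.path.join(workdir, "srv.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={name}", "-addext",
                    f"subjectAltName=DNS:{name}", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def client_ctx(verify_peer, cafile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED + hostname check
    if not verify_peer:                  # stand-in for a verify mode that was never set
        ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
        ctx.verify_mode = ssl.CERT_NONE  # OpenSSL: SSL_VERIFY_NONE
    elif cafile:
        ctx.load_verify_locations(cafile)
    return ctx

def handshake_ok(cctx, sctx, hostname):
    """Handshake over in-memory BIOs; True only if both sides complete it."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(20):                  # bounded; a handshake needs only a few rounds
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass                     # needs more bytes from the other side
            except ssl.SSLError:         # includes SSLCertVerificationError
                return False
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            if data := src.read():
                dst.write(data)
    return not pending

def demo():
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d, "central.example")
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(crt, key)
        # (verify_peer, CA file, hostname the client expects)
        cases = [(False, None, "other.example"), (True, crt, "central.example"),
                 (True, crt, "other.example"), (True, None, "central.example")]
        return [handshake_ok(client_ctx(v, ca), sctx, h) for v, ca, h in cases]
```

demo() returns [True, True, False, False]: with verification off the handshake completes even for the wrong hostname and with no CA configured, while the verifying client rejects both the hostname mismatch and the untrusted self-signed certificate.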

