
Re: [mosquitto-dev] "bridge_insecure" doesn't seem to work?

Hi Stefan,

Thanks for this. The intention is that the default behaviour is the
most secure - and so you can use tls_insecure to have less strict
checks if you wish. This means that tls_cert_reqs should be set to
SSL_VERIFY_PEER for bridges as well.

I've just pushed a change that implements this:

Thanks again,


On Tue, Apr 22, 2014 at 12:11 AM, Stefan Borsje <stefan@xxxxxxxxxxxxx> wrote:
> Hi,
> I'm trying to set up a Mosquitto Bridge which connects to a central broker. The central broker exposes MQTT over TLS and has a (self-signed) certificate. When connecting to the central broker, I'd like Mosquitto to check the hostname/CN in the certificate. According to the Mosquitto documentation this should be possible by using the bridge_insecure option, but this does seem to work. The Mosquitto bridge neither verifies the certificate chain nor the hostname/CN.
> Digging through the Mosquitto source code (disclaimer: I'm not a C programmer), I noticed that when setting up a new context for the bridge (in src/bridge.c at around line ~130) tls_cert_reqs isn't set. When explicitly adding this and forcing it to verify the peer (new_context->tls_cert_reqs = SSL_VERIFY_PEER;) the certificate verification suddenly works.
> Did I miss something from the documentation, or is the default behavior for the bridge not to verify the peer certificate?
> Thanks!
> Stefan
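For readers following the thread, here is an added mosquitto.conf bridge fragment (not from the original messages or the Mosquitto project) contrasting the testing-only hostname-check bypass with the verifying setup the reply describes as the intended default; the hostname, port, topic and file paths are constructed placeholders.

```conf
# Added example: bridge from a local broker to a central TLS broker.
# All names and paths below are constructed placeholders.

connection central
address broker.example.com:8883
topic sensors/# out 1

# CA that signed the central broker's (self-signed or otherwise) certificate.
# Without a bridge_cafile/bridge_capath the chain cannot be validated at all.
bridge_cafile /etc/mosquitto/certs/central-ca.crt

# WEAK (testing only): skips the hostname/CN check against the certificate,
# so a DNS-spoofed host presenting any certificate signed by the CA would pass.
# bridge_insecure true

# CORRECT: keep the default. The hostname/CN must match the certificate and
# the peer certificate is required (SSL_VERIFY_PEER, as in the fix above).
bridge_insecure false
```

With `bridge_insecure false` a mismatch between `broker.example.com` and the certificate's CN/SAN aborts the bridge connection, which is the behaviour Stefan expected by default.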
