|Re: [mosquitto-dev] mosquitto with tls
Manuel Domínguez Dorado <manolodd@xxxxxxxxx> writes: > *"If you are using a cert issued by your own Certificate Authority, then > you need to provide the CA certificate, so that mosquitto can verify that > the server certificate is genuine"* > > Um... but this is true only if the hostname in the server certificate can > be correctly resolved through the public DNS, isn't it? The relevant standards (IETF PKIX) are very complicated, but the essence is: program asks to connect to a name system might canonialize the name system translates that to an address and connects remote provides a certificate validation requires that the certifiate be reachable from a configured trust anchor (which more or less translates to "server cert's parent certificate (CA) is in the list of configured CAs" name in cert must match name used to connect So no, you shouldn't need dns. You just have to make the names match.
Back to the top