Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[paho-dev] Interesting problem with HiveMQ TLS, mosquitto_foo and CA cert stores.

Hi all,

I ran into an interesting thing with an eval of HiveMQ I was doing the other day.

I set up a cluster and used their Quickstart to try to publish to it over TLS.

Their example command is of the form:

$ mosquitto_pub -h -p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello'

Now when I do that I get errors connecting

We had a bit of a chat and cutting a long story short I need to add the --capath

$ mosquitto_pub -h -p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello' --capath /etc/ssl/certs/

I'm on a reasonably standard Ubuntu 20.04 LTS here and I had a colleague test on his Linux Mint install. Both are mosquitto_sub 1.6.9

Seimon also tested with a docker command which _did_ work without --capath

sw@alpha:~$ docker run -it --rm --network host eclipse-mosquitto /bin/sh
/ # mosquitto_pub -h -p 8883 -u seimon -P "Letmein1234" -t 'my/test/topic' -m 'Hello'

I did a quick strace and without --capath there doesn't seem to be any cert. store accessed so it doesn't seem like it's defaulting somewhere else.

I looked at the man page and it says capath is required:

"To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option."

I am just interested to know if something has changed somewhere in terms of the client implementation defaults as it's quite odd HiveMQ haven't seen this before and some implementations done seem to need it?



Back to the top