[paho-dev] Interesting problem with HiveMQ TLS, mosquitto_foo and CA cer

[Alex J Lennon <ajlennon@xxxxxxxxxxxxxxxxxxxx>]

Hi all,

I ran into an interesting thing with an eval of HiveMQ I was doing the 
other day.

I set up a cluster and used their Quickstart to try to publish to it 
over TLS.

Their example command is of the form:

$ mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud 
-p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello'

Now when I do that I get errors connecting

We had a bit of a chat and cutting a long story short I need to add the 
--capath

$ mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud 
-p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello' --capath 
/etc/ssl/certs/

I'm on a reasonably standard Ubuntu 20.04 LTS here and I had a colleague 
test on his Linux Mint install. Both are mosquitto_sub 1.6.9

Seimon also tested with a docker command which _did_ work without --capath

sw@alpha:~$ docker run -it --rm --network host eclipse-mosquitto /bin/sh
/ # mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud 
-p 8883 -u seimon -P "Letmein1234" -t 'my/test/topic' -m 'Hello'

I did a quick strace and without --capath there doesn't seem to be any 
cert. store accessed so it doesn't seem like it's defaulting somewhere else.

I looked at the man page and it says capath is required:

"To enable TLS connections when using x509 certificates, one of either 
--cafile or --capath must be provided as an option."

I am just interested to know if something has changed somewhere in terms 
of the client implementation defaults as it's quite odd HiveMQ haven't 
seen this before and some implementations done seem to need it?

Cheers!

Alex