Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [paho-dev] Interesting problem with HiveMQ TLS, mosquitto_foo and CA cert stores.

Hi Roger,

Thanks for that. Yes it's not a particularly important thing but I suspect the HiveMQ peeps are using v2, hence their instructions don't work for us v1.6 users.

And I'm on Ubuntu 20.04 LTS updated so I don't think I am entirely out of the ark! :)

(I have to ask - so how do I to non TLS connections over 8883? ;)



On 24/08/2021 23:15, Roger Light wrote:
Hi Alex,

Since 2.0 the clients behave slightly differently. If the port is
8883, then they will enable TLS mode and load the OS provided CA
certificates unless --capath or --cafile are used. Before this you
always had to specify --cafile or --capath.

I've updated the man pages (in the repository only at the moment) to
explain this.



On Tue, 24 Aug 2021 at 14:21, Alex J Lennon
<ajlennon@xxxxxxxxxxxxxxxxxxxx> wrote:
Hi all,

I ran into an interesting thing with an eval of HiveMQ I was doing the
other day.

I set up a cluster and used their Quickstart to try to publish to it
over TLS.

Their example command is of the form:

$ mosquitto_pub -h
-p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello'

Now when I do that I get errors connecting

We had a bit of a chat and cutting a long story short I need to add the

$ mosquitto_pub -h
-p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello' --capath

I'm on a reasonably standard Ubuntu 20.04 LTS here and I had a colleague
test on his Linux Mint install. Both are mosquitto_sub 1.6.9

Seimon also tested with a docker command which _did_ work without --capath

sw@alpha:~$ docker run -it --rm --network host eclipse-mosquitto /bin/sh
/ # mosquitto_pub -h
-p 8883 -u seimon -P "Letmein1234" -t 'my/test/topic' -m 'Hello'

I did a quick strace and without --capath there doesn't seem to be any
cert. store accessed so it doesn't seem like it's defaulting somewhere else.

I looked at the man page and it says capath is required:

"To enable TLS connections when using x509 certificates, one of either
--cafile or --capath must be provided as an option."

I am just interested to know if something has changed somewhere in terms
of the client implementation defaults as it's quite odd HiveMQ haven't
seen this before and some implementations done seem to need it?



paho-dev mailing list
To unsubscribe from this list, visit
paho-dev mailing list
To unsubscribe from this list, visit

Back to the top