Re: [paho-dev] Interesting problem with HiveMQ TLS, mosquitto_foo and CA

[Alex J Lennon <ajlennon@xxxxxxxxxxxxxxxxxxxx>]

Hi Roger,

Thanks for that. Yes it's not a particularly important thing but I 
suspect the HiveMQ peeps are using v2, hence their instructions don't 
work for us v1.6 users.

And I'm on Ubuntu 20.04 LTS updated so I don't think I am entirely out 
of the ark! :)

(I have to ask - so how do I to non TLS connections over 8883? ;)

Cheers!

Alex

On 24/08/2021 23:15, Roger Light wrote:
> Hi Alex,
>
> Since 2.0 the clients behave slightly differently. If the port is
> 8883, then they will enable TLS mode and load the OS provided CA
> certificates unless --capath or --cafile are used. Before this you
> always had to specify --cafile or --capath.
>
> I've updated the man pages (in the repository only at the moment) to
> explain this.
>
> Cheers,
>
> Roger
>
>
> On Tue, 24 Aug 2021 at 14:21, Alex J Lennon
> <ajlennon@xxxxxxxxxxxxxxxxxxxx> wrote:
> > Hi all,
> >
> > I ran into an interesting thing with an eval of HiveMQ I was doing the
> > other day.
> >
> > I set up a cluster and used their Quickstart to try to publish to it
> > over TLS.
> >
> > Their example command is of the form:
> >
> > $ mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud
> > -p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello'
> >
> > Now when I do that I get errors connecting
> >
> > We had a bit of a chat and cutting a long story short I need to add the
> > --capath
> >
> > $ mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud
> > -p 8883 -u iotdevice -P blah -t 'my/test/topic' -m 'Hello' --capath
> > /etc/ssl/certs/
> >
> > I'm on a reasonably standard Ubuntu 20.04 LTS here and I had a colleague
> > test on his Linux Mint install. Both are mosquitto_sub 1.6.9
> >
> > Seimon also tested with a docker command which _did_ work without --capath
> >
> > sw@alpha:~$ docker run -it --rm --network host eclipse-mosquitto /bin/sh
> > / # mosquitto_pub -h 8239be7c67554fbbb73b6dadb219f726.s1.eu.hivemq.cloud
> > -p 8883 -u seimon -P "Letmein1234" -t 'my/test/topic' -m 'Hello'
> >
> > I did a quick strace and without --capath there doesn't seem to be any
> > cert. store accessed so it doesn't seem like it's defaulting somewhere else.
> >
> > I looked at the man page and it says capath is required:
> >
> > "To enable TLS connections when using x509 certificates, one of either
> > --cafile or --capath must be provided as an option."
> >
> > I am just interested to know if something has changed somewhere in terms
> > of the client implementation defaults as it's quite odd HiveMQ haven't
> > seen this before and some implementations done seem to need it?
> >
> > Cheers!
> >
> > Alex
> >
> >
> > _______________________________________________
> > paho-dev mailing list
> > paho-dev@xxxxxxxxxxx
> > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/paho-dev
> _______________________________________________
> paho-dev mailing list
> paho-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/paho-dev