What is the use of specifying cafile when launching mosquitto_pub / mosquitto_sub?

Asked by Gary Koh

I have created a ca cert, server cert and server key by following the instructions at http://mosquitto.org/man/mosquitto-tls-7.html.

I have a broker instance up and running using ca.crt, server.crt and server.key. In mosquitto.conf, require_certificate is set to true.

As expected, I am able to connect successfully to pub / sub messages to/from this broker using mosquitto_pub and mosquitto_sub by supplying --cafile ca.crt --cert client.crt --key client.key.

On a whim, I created a totally different ca cert with a key secured by a totally different password, and I found that supplying this cert to the test clients did not generate any errors, so long as the client uses a valid client cert and key.

i.e. mosquitto_sub [...] --cafile fakeca.crt --cert client.crt --key client.key works.

Why is this so? What use then is specifying the ca cert as a command line arg to the client? Is it used to verify anything?

Question information

Language: English
Status: Solved
For: mosquitto
Assignee: No assignee
Solved by: Roger Light
Roger Light (roger.light) said (best answer):
#1

That's a great question. The ca cert is used to verify the certificate that the server passes to the client. Clients using libmosquitto (i.e. mosquitto_pub and _sub) should have SSL_VERIFY_PEER set by default to enforce this. Unfortunately they were being initialised to 0 (SSL_VERIFY_NONE), so this check wasn't happening. The upshot is that in your case the server is happy with the client, but the client can't be sure that the server is correct.

I've pushed a change that fixes this and adds a test to make sure it doesn't come back: https://bitbucket.org/oojah/mosquitto/commits/d5544f96cbd6ae1c932ebe0ff8436e9aac43b34b

I'll be releasing an updated version shortly. Thanks very much for reporting this!

Gary Koh (garykoh) said:
#2

Awesome. Thanks for the quick response, Roger!

Before, I had a co-worker look at it in case I was missing something; and without knowing it was a bona fide bug we thought we were going insane... :)

Gary Koh (garykoh) said:
#3

Thanks Roger Light, that solved my question.