The `--insecure` option now disables all server certificate verification.

4 years ago · 538154bd9c
parent a1288721ce
commit 538154bd9c
8 changed files with 38 additions and 37 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -108,6 +108,7 @@ Client library:

 Clients:
 - Add `-W` timeout support to Windows.
+- The `--insecure` option now disables all server certificate verification.


 2.0.13 - 2021-10-27
--- a/client/client_shared.c
+++ b/client/client_shared.c
@ -1352,7 +1352,7 @@ static int client_tls_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 		err_printf(cfg, "Error: Problem setting TLS ALPN protocol.\n");
 		return 1;
 	}
-	if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, 1, cfg->tls_version, cfg->ciphers)){
+	if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, !cfg->insecure, cfg->tls_version, cfg->ciphers)){
 		err_printf(cfg, "Error: Problem setting TLS options, check the options are valid.\n");
 		return 1;
 	}
--- a/client/pub_client.c
+++ b/client/pub_client.c
@ -500,9 +500,9 @@ static void print_usage(void)
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
 	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
-	printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
-	printf("              hostname. Using this option means that you cannot be sure that the\n");
-	printf("              remote host is the server you wish to connect to and so is insecure.\n");
+	printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
+	printf("              you cannot be sure that the remote host is the server you wish to connect\n");
+	printf("              to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
 	printf(" --tls-engine : If set, enables the use of a TLS engine device.\n");
 	printf(" --tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.\n");
--- a/client/rr_client.c
+++ b/client/rr_client.c
@ -290,9 +290,9 @@ static void print_usage(void)
 	printf(" --tls-use-os-certs : Load and trust OS provided CA certificates.\n");
 	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
-	printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
-	printf("              hostname. Using this option means that you cannot be sure that the\n");
-	printf("              remote host is the server you wish to connect to and so is insecure.\n");
+	printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
+	printf("              you cannot be sure that the remote host is the server you wish to connect\n");
+	printf("              to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
 #ifdef WITH_TLS_PSK
 	printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
--- a/client/sub_client.c
+++ b/client/sub_client.c
@ -325,9 +325,9 @@ static void print_usage(void)
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
 	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
-	printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
-	printf("              hostname. Using this option means that you cannot be sure that the\n");
-	printf("              remote host is the server you wish to connect to and so is insecure.\n");
+	printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
+	printf("              you cannot be sure that the remote host is the server you wish to connect\n");
+	printf("              to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
 	printf(" --tls-engine : If set, enables the use of a SSL engine device.\n");
 	printf(" --tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.\n");
--- a/man/mosquitto_pub.1.xml
+++ b/man/mosquitto_pub.1.xml
@ -324,15 +324,15 @@
 				<term><option>--insecure</option></term>
 				<listitem>
 					<para>When using certificate based encryption, this option
-						disables verification of the server hostname in the
-						server certificate. This can be useful when testing
-						initial server configurations but makes it possible for
-						a malicious third party to impersonate your server
-						through DNS spoofing, for example. Use this option in
-						testing <emphasis>only</emphasis>. If you need to
-						resort to using this option in a production
-						environment, your setup is at fault and there is no
-						point using encryption.</para>
+						disables verification of the server certificate. This
+						can be useful when testing initial server configurations
+						but means there are no guarantees whatsoever about
+						whether the server you are connecting to is the server
+						you expect. Use this option in testing
+						<emphasis>only</emphasis>. If you need to resort to using
+						this option in a production environment, your setup is at
+						fault and there is little point using encryption.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
--- a/man/mosquitto_rr.1.xml
+++ b/man/mosquitto_rr.1.xml
@ -353,15 +353,15 @@
 				<term><option>--insecure</option></term>
 				<listitem>
 					<para>When using certificate based encryption, this option
-						disables verification of the server hostname in the
-						server certificate. This can be useful when testing
-						initial server configurations but makes it possible for
-						a malicious third party to impersonate your server
-						through DNS spoofing, for example. Use this option in
-						testing <emphasis>only</emphasis>. If you need to
-						resort to using this option in a production
-						environment, your setup is at fault and there is no
-						point using encryption.</para>
+						disables verification of the server certificate. This
+						can be useful when testing initial server configurations
+						but means there are no guarantees whatsoever about
+						whether the server you are connecting to is the server
+						you expect. Use this option in testing
+						<emphasis>only</emphasis>. If you need to resort to using
+						this option in a production environment, your setup is at
+						fault and there is little point using encryption.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
--- a/man/mosquitto_sub.1.xml
+++ b/man/mosquitto_sub.1.xml
@ -372,15 +372,15 @@
 				<term><option>--insecure</option></term>
 				<listitem>
 					<para>When using certificate based encryption, this option
-						disables verification of the server hostname in the
-						server certificate. This can be useful when testing
-						initial server configurations but makes it possible for
-						a malicious third party to impersonate your server
-						through DNS spoofing, for example. Use this option in
-						testing <emphasis>only</emphasis>. If you need to
-						resort to using this option in a production
-						environment, your setup is at fault and there is no
-						point using encryption.</para>
+						disables verification of the server certificate. This
+						can be useful when testing initial server configurations
+						but means there are no guarantees whatsoever about
+						whether the server you are connecting to is the server
+						you expect. Use this option in testing
+						<emphasis>only</emphasis>. If you need to resort to using
+						this option in a production environment, your setup is at
+						fault and there is little point using encryption.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>