diff --git a/ChangeLog.txt b/ChangeLog.txt
index 52e303c3..7e362943 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -47,6 +47,8 @@ Broker:
functions, which can be used by plugins to disconnect clients.
- Add support for handling $CONTROL/ topics in plugins.
- Add support for PBKDF2-SHA512 password hashing.
+- Enabling certificate based TLS encryption is now through certfile and
+ keyfile, not capath or cafile.
Client library:
- Client no longer generates random client ids for v3.1.1 clients, these are
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index 30c66951..8a026839 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -46,7 +46,7 @@
The simplest option is to have no authentication at all. This is
the default if no other options are given. Unauthenticated
encrypted support is provided by using the certificate based
- SSL/TLS based options cafile/capath, certfile and keyfile.
+ SSL/TLS based options certfile and keyfile.
MQTT provides username/password authentication as part of the
protocol. Use the password_file option to define the valid
usernames and passwords. Be sure to use network encryption if you
@@ -674,7 +674,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
limit
-
+
This option sets the maximum number of heap memory bytes that the broker
will allocate, and hence sets a hard limit on memory use by the broker.
Memory requests that exceed this value will be denied. The effect will
@@ -1228,7 +1228,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
size
- Change the websockets headers size. This is a
+ Change the websockets headers size. This is a
global option, it is not possible to set per
listener. This option sets the size of the buffer
used in the libwebsockets library when reading HTTP
@@ -1249,33 +1249,35 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
file path
- At least one of or
- must be provided to enable
- SSL support. is used to define the
path to a file containing the PEM encoded CA
- certificates that are trusted.
+ certificates that are trusted when checking incoming
+ client certificates.
+ directory path
- At least one of or
- must be provided to enable
- SSL support. is used to define a
directory that contains PEM encoded CA certificates
- that are trusted. For to
+ that are trusted when checking incoming client
+ certificates. For to
work correctly, the certificates files must have
".pem" as the file ending and you must run
- "openssl rehash <path to capath>" each time you
- add/remove a certificate.
+ "openssl rehash <path to capath>" each time
+ you add/remove a certificate.
+ file path
- Path to the PEM encoded server certificate.
+
+ Path to the PEM encoded server certificate. This
+ option and must be present
+ to enable certificate based TLS encryption.
+
@@ -1312,7 +1314,11 @@ openssl dhparam -out dhparam.pem 2048
file path
- Path to the PEM encoded keyfile.
+
+ Path to the PEM encoded server key. This
+ option and must be present
+ to enable certificate based TLS encryption.
+
diff --git a/mosquitto.conf b/mosquitto.conf
index 52030351..03e140e3 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -460,17 +460,8 @@
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
-# At least one of cafile or capath must be defined to enable certificate based
-# TLS encryption. They both define methods of accessing the PEM encoded
-# Certificate Authority certificates that have signed your server certificate
-# and that you wish to trust.
-# cafile defines the path to a file containing the CA certificates.
-# capath defines a directory that will be searched for files
-# containing the CA certificates. For capath to work correctly, the
-# certificate files must have ".crt" as the file ending and you must run
-# "openssl rehash " each time you add/remove a certificate.
-#cafile
-#capath
+# Both of certfile and keyfile must be defined to enable certificate based
+# TLS encryption.
# Path to the PEM encoded server certificate.
#certfile
@@ -478,7 +469,6 @@
# Path to the PEM encoded keyfile.
#keyfile
-
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
@@ -505,6 +495,18 @@
# outside of the mechanisms provided by MQTT.
#require_certificate false
+# cafile and capath define methods of accessing the PEM encoded
+# Certificate Authority certificates that will be considered trusted when
+# checking incoming client certificates.
+# cafile defines the path to a file containing the CA certificates.
+# capath defines a directory that will be searched for files
+# containing the CA certificates. For capath to work correctly, the
+# certificate files must have ".crt" as the file ending and you must run
+# "openssl rehash " each time you add/remove a certificate.
+#cafile
+#capath
+
+
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
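Review bot: The capath comment moved into this hunk still says certificate files must have ".crt" as the file ending, while the man page hunk in this same commit (man/mosquitto.conf.5.xml) tells the reader ".pem"; the two shipped descriptions of the same option now disagree, and a user who follows the sample file can build a capath that the broker never loads. Pick one suffix and use it in both places, e.g. `# certificate files must have ".pem" as the file ending and you must run`, matching the man page. The `"openssl rehash "` line also appears to have lost its path placeholder, which may be an artifact of how this page was rendered rather than of the commit. The two blank lines added before the require_certificate paragraph look unintended.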
diff --git a/src/net.c b/src/net.c
index d7f6082a..9f63d4d3 100644
--- a/src/net.c
+++ b/src/net.c
@@ -454,17 +454,19 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
ENGINE *engine = NULL;
int rc;
- rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
- if(rc == 0){
- if(listener->cafile && listener->capath){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
- }else if(listener->cafile){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
- }else{
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
+ if(listener->cafile || listener->capath){
+ rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
+ if(rc == 0){
+ if(listener->cafile && listener->capath){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
+ }else if(listener->cafile){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
+ }else{
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
+ }
+ net__print_ssl_error(NULL);
+ return 1;
}
- net__print_ssl_error(NULL);
- return 1;
}
if(listener->tls_engine){
#if !defined(OPENSSL_NO_ENGINE)
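Review bot: The new guard at the top of the hunk silently skips SSL_CTX_load_verify_locations() when neither cafile nor capath is set, so a listener that also has require_certificate enabled ends up with an empty trust store and every client handshake fails with a generic verify error instead of a clear configuration message. Unless config parsing already rejects that combination (not visible here), add a diagnostic branch such as `}else if(listener->require_certificate){ log__printf(NULL, MOSQ_LOG_WARNING, "Warning: require_certificate is set but no cafile or capath is configured, all client certificates will be rejected."); }`. The same relaxed precondition appears in the src/security_default.c hunk, where the crlfile reload now runs for listeners that may have no CA trust anchors at all; the CRL can only be checked against a store that has something in it. net__tls_load_verify continues past the end of this hunk.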
@@ -761,7 +763,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
/* We need to have at least one working socket. */
if(listener->sock_count > 0){
#ifdef WITH_TLS
- if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
+ if(listener->certfile && listener->keyfile){
if(net__tls_server_ctx(listener)){
return 1;
}
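Review bot: With the changed condition, a listener that sets only one of certfile or keyfile no longer satisfies the guard, and as far as this hunk shows it is brought up without TLS with no diagnostic; the branch that handles the non-TLS case lies outside the hunk, so this may already be covered there. If it is not, failing the listener is safer than a silent plaintext fallback, e.g. `}else if(listener->certfile || listener->keyfile){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Both certfile and keyfile must be set to enable TLS."); return 1;`. net__socket_listen starts and ends outside the hunk.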
diff --git a/src/security_default.c b/src/security_default.c
index 3ee8287a..8c2223bd 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -1051,7 +1051,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
#ifdef WITH_TLS
for(i=0; iconfig->listener_count; i++){
listener = &db->config->listeners[i];
- if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
+ if(listener && listener->ssl_ctx && listener->certfile && listener->keyfile && listener->crlfile && listener->require_certificate){
if(net__tls_server_ctx(listener)){
return 1;
}
diff --git a/test/unit/Makefile b/test/unit/Makefile
index 9e337375..9c1eecfb 100644
--- a/test/unit/Makefile
+++ b/test/unit/Makefile
@@ -24,6 +24,7 @@ TEST_OBJS = test.o \
utf8.o
LIB_OBJS = memory_mosq.o \
+ memory_public.o \
misc_mosq.o \
packet_datatypes.o \
property_mosq.o \
@@ -38,6 +39,7 @@ BRIDGE_TOPIC_TEST_OBJS = \
BRIDGE_TOPIC_OBJS = \
bridge_topic.o \
memory_mosq.o \
+ memory_public.o \
util_topic.o \
PERSIST_READ_TEST_OBJS = \
@@ -46,6 +48,7 @@ PERSIST_READ_TEST_OBJS = \
PERSIST_READ_OBJS = \
memory_mosq.o \
+ memory_public.o \
misc_mosq.o \
packet_datatypes.o \
persist_read.o \
@@ -64,6 +67,7 @@ PERSIST_WRITE_TEST_OBJS = \
PERSIST_WRITE_OBJS = \
database.o \
memory_mosq.o \
+ memory_public.o \
misc_mosq.o \
packet_datatypes.o \
persist_read.o \
@@ -85,6 +89,7 @@ SUBS_TEST_OBJS = \
SUBS_OBJS = \
database.o \
memory_mosq.o \
+ memory_public.o \
subs.o \
topic_tok.o
@@ -117,6 +122,9 @@ database.o : ../../src/database.c
memory_mosq.o : ../../lib/memory_mosq.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
+memory_public.o : ../../src/memory_public.c
+ $(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
+
misc_mosq.o : ../../lib/misc_mosq.c
$(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^