Add bridge_tls_use_os_certs option.

This allows bridges to be easily configured to trust default CA certificates. Closes #2473. Thanks to Dustin Utecht.
4 years ago · 6ccdda7261
parent bbfaa619a2
commit 6ccdda7261
6 changed files with 42 additions and 6 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -53,6 +53,8 @@ Broker:
 - Add bridge_receive_maximum option for MQTT v5.0 bridges.
 - Add bridge_session_expiry_interval option for MQTT v5.0 bridges.
 - Bridge reconnection backoff improvements.
+- Add bridge_tls_use_os_certs option to allow bridges to be easily configured
+  to trust default CA certificates. Closes #2473.

 Plugins / plugin interface:
 - Add persist-sqlite plugin.
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@ -2297,8 +2297,8 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
 				<varlistentry>
 					<term><option>bridge_cafile</option> <replaceable>file path</replaceable></term>
 					<listitem>
-						<para>One of <option>bridge_cafile</option> or
-							<option>bridge_capath</option> must be provided to
+						<para>At least one of <option>bridge_cafile</option>, <option>bridge_capath</option>, or
+							<option>bridge_tls_use_os_certs</option> must be provided to
 							allow SSL/TLS support.</para>
 						<para>bridge_cafile is used to define the path to a file
 							containing the PEM encoded CA certificates that
@ -2309,8 +2309,8 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
 				<varlistentry>
 					<term><option>bridge_capath</option> <replaceable>file path</replaceable></term>
 					<listitem>
-						<para>One of <option>bridge_capath</option> or
-							<option>bridge_cafile</option> must be provided to
+						<para>At least one of <option>bridge_cafile</option>, <option>bridge_capath</option>, or
+							<option>bridge_tls_use_os_certs</option> must be provided to
 							allow SSL/TLS support.</para>
 						<para>bridge_capath is used to define the path to a
 							directory containing the PEM encoded CA
@ -2388,6 +2388,19 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
 							connection it opens as client.</para>
 					</listitem>
 				</varlistentry>
+				<varlistentry>
+					<term><option>bridge_tls_use_os_certs</option> [ true | false ]</term>
+					<listitem>
+						<para>At least one of <option>bridge_cafile</option>, <option>bridge_capath</option>, or
+							<option>bridge_tls_use_os_certs</option> must be provided to
+							allow SSL/TLS support.</para>
+						<para>Set <option>bridge_tls_use_os_certs</option>
+							to true to enable TLS for this bridge, and to
+							configure it to trust the default certificates
+							provided by openssl. This is typically a large
+							number of certificates. Defaults to false.</para>
+					</listitem>
+				</varlistentry>
 				<varlistentry>
 					<term><option>bridge_tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
--- a/mosquitto.conf
+++ b/mosquitto.conf
@ -975,8 +975,13 @@
 # -----------------------------------------------------------------
 # Certificate based SSL/TLS support
 # -----------------------------------------------------------------
-# Either bridge_cafile or bridge_capath must be defined to enable TLS support
-# for this bridge.
+# To enable TLS support, the bridge must be configured to trust some
+# certificate authority certificates. This can be done in three ways, by
+# defining at least one of bridge_cafile, bridge_capath, or
+# bridge_tls_use_os_certs.
+
+# Use bridge_cafile or bridge_capath to explicitly choose which certificates to
+# trust for this bridge.
 # bridge_cafile defines the path to a file containing the
 # Certificate Authority certificates that have signed the remote broker
 # certificate.
@ -987,6 +992,10 @@
 #bridge_cafile
 #bridge_capath

+# Set bridge_tls_use_os_certs to true (default is false) to configure this
+# bridge to use the default certificates as configured in openssl.
+#bridge_tls_use_os_certs false
+

 # If the remote broker has more than one protocol available on its port, e.g.
 # MQTT and WebSockets, then use bridge_alpn to configure which protocol is
--- a/src/bridge.c
+++ b/src/bridge.c
@ -112,6 +112,7 @@ static struct mosquitto *bridge__new(struct mosquitto__bridge *bridge)
 	new_context->tls_13_ciphers = bridge->tls_13_ciphers;
 	new_context->tls_engine = db.config->default_listener.tls_engine;
 	new_context->tls_keyform = db.config->default_listener.tls_keyform;
+	new_context->tls_use_os_certs = bridge->tls_use_os_certs;
 	new_context->ssl_ctx_defaults = true;
 #ifdef FINAL_WITH_TLS_PSK
 	new_context->tls_psk_identity = bridge->tls_psk_identity;
--- a/src/conf.c
+++ b/src/conf.c
@ -1368,6 +1368,16 @@ static int config__read_file_core(struct mosquitto__config *config, bool reload,
 					cur_bridge->tcp_user_timeout = tmp_int;
 #else
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TCP user timeout support not available.");
+#endif
+				}else if(!strcmp(token, "bridge_tls_use_os_certs")){
+#if defined(WITH_BRIDGE) && defined(WITH_TLS)
+					if(!cur_bridge){
+						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+					if(conf__parse_bool(&token, "bridge_tls_use_os_certs", &cur_bridge->tls_use_os_certs, &saveptr)) return MOSQ_ERR_INVAL;
+#else
+					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available.");
 #endif
 				}else if(!strcmp(token, "bridge_tls_version")){
 #if defined(WITH_BRIDGE) && defined(WITH_TLS)
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@ -620,6 +620,7 @@ struct mosquitto__bridge{
 #ifdef WITH_TLS
 	bool tls_insecure;
 	bool tls_ocsp_required;
+	bool tls_use_os_certs;
 	char *tls_cafile;
 	char *tls_capath;
 	char *tls_certfile;