Fix TLS bridge/lib incorrectly connecting on invalid CA file.

Closes #2130. Thanks to becz.
pull/2166/head
Roger A. Light 5 years ago
parent ace2aa764e
commit b7a08d5c40

@ -1,13 +1,29 @@
2.0.9 - 2021-03-xx 2.0.9 - 2021-03-11
================== ==================
Broker: Security:
- If an empty or invalid CA file was provided to the client library for
verifying the remote broker, then the initial connection would fail but
subsequent connections would succeed without verifying the remote broker
certificate. Closes #2130.
- If an empty or invalid CA file was provided to the broker for verifying the
remote broker for an outgoing bridge connection then the initial connection
would fail but subsequent connections would succeed without verifying the
remote broker certificate. Closes #2130.
Broker:
- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
is empty or invalid. Closes #2130.
- Fix `tls_version` behaviour not matching documentation. It was setting the - Fix `tls_version` behaviour not matching documentation. It was setting the
exact TLS version to use, not the minimium TLS version to use. Closes #2110. exact TLS version to use, not the minimium TLS version to use. Closes #2110.
- Fix messages to `$` prefixed topics being rejected. Closes #2111. - Fix messages to `$` prefixed topics being rejected. Closes #2111.
- Fix QoS 0 messages not being delivered when max_queued_bytes was configured. - Fix QoS 0 messages not being delivered when max_queued_bytes was configured.
Closes #2123. Closes #2123.
Client library:
- Fix encrypted connections incorrectly connecting when the CA file passed to
`mosquitto_tls_set()` is empty or invalid. Closes #2130.
Build: Build:
- Fix cmake epoll detection. - Fix cmake epoll detection.
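Review bot: the Security entry for the bridge case, "provided to the broker for verifying the remote broker for an outgoing bridge connection", stacks two "for" clauses and is hard to parse; suggest "provided to the broker for verifying the remote broker on an outgoing bridge connection". The two Security entries then restate the same fix that the Broker and Client library sections already carry for #2130, which is fine for a release note but means three places must stay in sync if the wording is revised. Neither Security entry carries a CVE reference; if one is assigned for #2130 it belongs on these lines. While here, "minimium" on the `tls_version` line is a typo in pre-existing context, worth fixing in a follow-up.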

@ -196,6 +196,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
#ifdef WITH_TLS #ifdef WITH_TLS
mosq->ssl = NULL; mosq->ssl = NULL;
mosq->ssl_ctx = NULL; mosq->ssl_ctx = NULL;
mosq->ssl_ctx_defaults = true;
mosq->tls_cert_reqs = SSL_VERIFY_PEER; mosq->tls_cert_reqs = SSL_VERIFY_PEER;
mosq->tls_insecure = false; mosq->tls_insecure = false;
mosq->want_write = false; mosq->want_write = false;
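Review bot: the new assignment `mosq->ssl_ctx_defaults = true;` is added without a comment and this hunk does not show where the flag is cleared or tested, so the reader cannot tell from the diff how it prevents the behaviour in the ChangeLog (a failed CA load followed by a later connect that skips verification). A one-line comment here stating what "defaults" means for `ssl_ctx` would help, and the commit should carry the hunk that clears the flag when `mosquitto_tls_set()` applies or fails to apply a CA file, since initialising it in `mosquitto_reinitialise()` alone only describes the fresh state.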

@ -112,6 +112,7 @@ int bridge__new(struct mosquitto__bridge *bridge)
new_context->tls_alpn = new_context->bridge->tls_alpn; new_context->tls_alpn = new_context->bridge->tls_alpn;
new_context->tls_engine = db.config->default_listener.tls_engine; new_context->tls_engine = db.config->default_listener.tls_engine;
new_context->tls_keyform = db.config->default_listener.tls_keyform; new_context->tls_keyform = db.config->default_listener.tls_keyform;
new_context->ssl_ctx_defaults = true;
#ifdef FINAL_WITH_TLS_PSK #ifdef FINAL_WITH_TLS_PSK
new_context->tls_psk_identity = new_context->bridge->tls_psk_identity; new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
new_context->tls_psk = new_context->bridge->tls_psk; new_context->tls_psk = new_context->bridge->tls_psk;
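Review bot: this hunk initialises `new_context->ssl_ctx_defaults = true;` only when the bridge context is created in `bridge__new()`. The ChangeLog describes the bug as an initial connection failing and a later retry succeeding without verification, so the same `struct mosquitto` is reused across attempts; whatever code frees or rebuilds the bridge `ssl_ctx` on a failed connect must restore the flag too, and that code is not in this diff. Placing the assignment next to the other TLS fields mirrors the library hunk, which is good; consider the same comment on both sites so the two initialisations stay obviously paired.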
