diff --git a/ChangeLog.txt b/ChangeLog.txt
index eee6a85b95..d6103a7a56 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,25 @@
+1.5.11 - 2021-02-04
+===================
+
+Security:
+- If an empty or invalid CA file was provided to the client library for
+  verifying the remote broker, then the initial connection would fail but
+  subsequent connections would succeed without verifying the remote broker
+  certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the
+  remote broker for an outgoing bridge connection then the initial connection
+  would fail but subsequent connections would succeed without verifying the
+  remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
+  is empty or invalid. Closes #2130.
+
+Client library:
+- Fix encrypted connections incorrectly connecting when the CA file passed to
+  `mosquitto_tls_set()` is empty or invalid. Closes #2130.
+
+
 1.5.10 - 2020-08-19
 ===================
 
diff --git a/lib/mosquitto.c b/lib/mosquitto.c
index f27b9546d2..265d9d432e 100644
--- a/lib/mosquitto.c
+++ b/lib/mosquitto.c
@@ -190,6 +190,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_se
 #ifdef WITH_TLS
 	mosq->ssl = NULL;
 	mosq->ssl_ctx = NULL;
+	mosq->ssl_ctx_defaults = true;
 	mosq->tls_cert_reqs = SSL_VERIFY_PEER;
 	mosq->tls_insecure = false;
 	mosq->want_write = false;
diff --git a/src/bridge.c b/src/bridge.c
index 03d284ffb8..df9ebbcf20 100644
--- a/src/bridge.c
+++ b/src/bridge.c
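Review bot: The new `mosq->ssl_ctx_defaults = true;` only records an initial state; whether a failed CA load on the first connect actually stops a later connect from reusing an `ssl_ctx` that still carries the library's default trust settings depends on the code that creates and reuses `ssl_ctx`, which is not part of this diff, so the behaviour described in the ChangeLog cannot be confirmed from these hunks alone. The same applies to the matching line in the src/bridge.c hunk, where `bridge__new` runs when the bridge is created and is presumably not re-run on reconnect, so any reset after a failed CA load has to happen where `ssl_ctx` is built. The field is also introduced without its declaration appearing in the diff and without any comment on what the flag means; a short note at the assignment such as `mosq->ssl_ctx_defaults = true; /* no user CA settings applied to ssl_ctx yet */`, or at the field's declaration in `struct mosquitto`, would make the contract clear. `mosquitto_reinitialise` starts and ends outside the hunk.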
@@ -82,6 +82,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
 	new_context->tls_cert_reqs = SSL_VERIFY_PEER;
 	new_context->tls_version = new_context->bridge->tls_version;
 	new_context->tls_insecure = new_context->bridge->tls_insecure;
+	new_context->ssl_ctx_defaults = true;
 #ifdef FINAL_WITH_TLS_PSK
 	new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 	new_context->tls_psk = new_context->bridge->tls_psk;
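Review bot: It is not visible from the hunk whether `new_context->ssl_ctx_defaults = true;` sits inside a `#ifdef WITH_TLS` region; in the lib/mosquitto.c hunk the sibling fields `ssl` and `ssl_ctx` are assigned under `#ifdef WITH_TLS`, so the new field is presumably declared under the same guard, and a build without TLS would fail on this line if it is unguarded here. Worth confirming against the enclosing `#ifdef` in `bridge__new`, whose body starts and ends outside the hunk. The assignment is also placed among values copied from `new_context->bridge`; if `ssl`/`ssl_ctx` are initialised nearby, setting it next to them would signal that this is per-connection state rather than bridge configuration.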