Don't ask for client cert when require_certificate is false.

eclipse · Oct 7, 2014 · 4355653 · 4355653
1 parent ac00949
commit 4355653
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -43,6 +43,9 @@ Broker:
 - Add support for use_username_as_clientid which can be used with
  authentication to restrict ownership of client ids and hence prevent one
  client disconnecting another by using the same client id.
+- When "require_certificate" was false, the broker was incorrectly asking for
+ a certificate (but not checking it). This caused problems with some clients
+ and has been fixed so the broker no longer asks.
 
 Clients:
 - Both clients can now load default configuration options from a file.

diff --git a/src/net.c b/src/net.c
@@ -425,7 +425,7 @@ int mqtt3_socket_listen(struct _mqtt3_listener *listener)
  if(listener->require_certificate){
  SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, client_certificate_verify);
  }else{
- SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_PEER, client_certificate_verify);
+ SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_NONE, client_certificate_verify);
  }
  rc = SSL_CTX_use_certificate_chain_file(listener->ssl_ctx, listener->certfile);
  if(rc != 1){