Enable TLS with certfile+keyfile, not capath/cafile.

ChangeLog.txt

@@ -47,6 +47,8 @@ Broker:
  functions, which can be used by plugins to disconnect clients.
 - Add support for handling $CONTROL/ topics in plugins.
 - Add support for PBKDF2-SHA512 password hashing.
+- Enabling certificate based TLS encryption is now through certfile and
+ keyfile, not capath or cafile.
 
 Client library:
 - Client no longer generates random client ids for v3.1.1 clients, these are

man/mosquitto.conf.5.xml

@@ -46,7 +46,7 @@
  <para>The simplest option is to have no authentication at all. This is
  the default if no other options are given. Unauthenticated
  encrypted support is provided by using the certificate based
- SSL/TLS based options cafile/capath, certfile and keyfile.</para>
+ SSL/TLS based options certfile and keyfile.</para>
  <para>MQTT provides username/password authentication as part of the
  protocol. Use the password_file option to define the valid
  usernames and passwords. Be sure to use network encryption if you
@@ -674,7 +674,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
  <varlistentry>
  <term><option>memory_limit</option> <replaceable>limit</replaceable></term>
  <listitem>
- <para>
+ <para>
  This option sets the maximum number of heap memory bytes that the broker
  will allocate, and hence sets a hard limit on memory use by the broker.
  Memory requests that exceed this value will be denied. The effect will
@@ -1228,7 +1228,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
  <varlistentry>
  <term><option>websockets_headers_size</option> <replaceable>size</replaceable></term>
  <listitem>
- <para>Change the websockets headers size. This is a
+ <para>Change the websockets headers size. This is a
  global option, it is not possible to set per
  listener. This option sets the size of the buffer
  used in the libwebsockets library when reading HTTP
@@ -1249,33 +1249,35 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
  <varlistentry>
  <term><option>cafile</option> <replaceable>file path</replaceable></term>
  <listitem>
- <para>At least one of <option>cafile</option> or
- <option>capath</option> must be provided to enable
- SSL support.</para>
  <para><option>cafile</option> is used to define the
  path to a file containing the PEM encoded CA
- certificates that are trusted.</para>
+ certificates that are trusted when checking incoming
+ client certificates.
+ </para>
  </listitem>
  </varlistentry>
  <varlistentry>
  <term><option>capath</option> <replaceable>directory path</replaceable></term>
  <listitem>
- <para>At least one of <option>cafile</option> or
- <option>capath</option> must be provided to enable
- SSL support.</para>
  <para><option>capath</option> is used to define a
  directory that contains PEM encoded CA certificates
- that are trusted. For <option>capath</option> to
+ that are trusted when checking incoming client
+ certificates. For <option>capath</option> to
  work correctly, the certificates files must have
  ".pem" as the file ending and you must run
- "openssl rehash &lt;path to capath&gt;" each time you
- add/remove a certificate.</para>
+ "openssl rehash &lt;path to capath&gt;" each time
+ you add/remove a certificate.
+ </para>
  </listitem>
  </varlistentry>
  <varlistentry>
  <term><option>certfile</option> <replaceable>file path</replaceable></term>
  <listitem>
- <para>Path to the PEM encoded server certificate.</para>
+ <para>
+ Path to the PEM encoded server certificate. This
+ option and <option>keyfile</option> must be present
+ to enable certificate based TLS encryption.
+ </para>
  </listitem>
  </varlistentry>
  <varlistentry>
@@ -1312,7 +1314,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
  <varlistentry>
  <term><option>keyfile</option> <replaceable>file path</replaceable></term>
  <listitem>
- <para>Path to the PEM encoded keyfile.</para>
+ <para>
+ Path to the PEM encoded server key. This
+ option and <option>certfile</option> must be present
+ to enable certificate based TLS encryption.
+ </para>
  </listitem>
  </varlistentry>
  <varlistentry>

mosquitto.conf

@@ -460,25 +460,15 @@
 # support" section. Only one of certificate or PSK encryption support can be
 # enabled for any listener.
 
-# At least one of cafile or capath must be defined to enable certificate based
-# TLS encryption. They both define methods of accessing the PEM encoded
-# Certificate Authority certificates that have signed your server certificate
-# and that you wish to trust.
-# cafile defines the path to a file containing the CA certificates.
-# capath defines a directory that will be searched for files
-# containing the CA certificates. For capath to work correctly, the
-# certificate files must have ".crt" as the file ending and you must run
-# "openssl rehash <path to capath>" each time you add/remove a certificate.
-#cafile
-#capath
+# Both of certfile and keyfile must be defined to enable certificate based
+# TLS encryption.
 
 # Path to the PEM encoded server certificate.
 #certfile
 
 # Path to the PEM encoded keyfile.
 #keyfile
 
-
 # If you wish to control which encryption ciphers are used, use the ciphers
 # option. The list of available ciphers can be optained using the "openssl
 # ciphers" command and should be provided in the same format as the output of
@@ -505,6 +495,18 @@
 # outside of the mechanisms provided by MQTT.
 #require_certificate false
 
+# cafile and capath define methods of accessing the PEM encoded
+# Certificate Authority certificates that will be considered trusted when
+# checking incoming client certificates.
+# cafile defines the path to a file containing the CA certificates.
+# capath defines a directory that will be searched for files
+# containing the CA certificates. For capath to work correctly, the
+# certificate files must have ".crt" as the file ending and you must run
+# "openssl rehash <path to capath>" each time you add/remove a certificate.
+#cafile
+#capath
+
+
 # If require_certificate is true, you may set use_identity_as_username to true
 # to use the CN value from the client certificate as a username. If this is
 # true, the password_file option will not be used for this listener.

src/net.c

@@ -454,17 +454,19 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
  ENGINE *engine = NULL;
  int rc;
 
- rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
- if(rc == 0){
- if(listener->cafile && listener->capath){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
- }else if(listener->cafile){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
- }else{
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
+ if(listener->cafile || listener->capath){
+ rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
+ if(rc == 0){
+ if(listener->cafile && listener->capath){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\" and capath \"%s\".", listener->cafile, listener->capath);
+ }else if(listener->cafile){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
+ }else{
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
+ }
+ net__print_ssl_error(NULL);
+ return 1;
  }
- net__print_ssl_error(NULL);
- return 1;
  }
  if(listener->tls_engine){
 #if !defined(OPENSSL_NO_ENGINE)
@@ -761,7 +763,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
  /* We need to have at least one working socket. */
  if(listener->sock_count > 0){
 #ifdef WITH_TLS
- if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
+ if(listener->certfile && listener->keyfile){
  if(net__tls_server_ctx(listener)){
  return 1;
  }

src/security_default.c

@@ -1051,7 +1051,7 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
 #ifdef WITH_TLS
  for(i=0; i<db->config->listener_count; i++){
  listener = &db->config->listeners[i];
- if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
+ if(listener && listener->ssl_ctx && listener->certfile && listener->keyfile && listener->crlfile && listener->require_certificate){
  if(net__tls_server_ctx(listener)){
  return 1;
  }

test/unit/Makefile

@@ -24,6 +24,7 @@ TEST_OBJS = test.o \
  utf8.o
 
 LIB_OBJS = memory_mosq.o \
+ memory_public.o \
  misc_mosq.o \
  packet_datatypes.o \
  property_mosq.o \
@@ -38,6 +39,7 @@ BRIDGE_TOPIC_TEST_OBJS = \
 BRIDGE_TOPIC_OBJS = \
  bridge_topic.o \
  memory_mosq.o \
+ memory_public.o \
  util_topic.o \
 
 PERSIST_READ_TEST_OBJS = \
@@ -46,6 +48,7 @@ PERSIST_READ_TEST_OBJS = \
 
 PERSIST_READ_OBJS = \
  memory_mosq.o \
+ memory_public.o \
  misc_mosq.o \
  packet_datatypes.o \
  persist_read.o \
@@ -64,6 +67,7 @@ PERSIST_WRITE_TEST_OBJS = \
 PERSIST_WRITE_OBJS = \
  database.o \
  memory_mosq.o \
+ memory_public.o \
  misc_mosq.o \
  packet_datatypes.o \
  persist_read.o \
@@ -85,6 +89,7 @@ SUBS_TEST_OBJS = \
 SUBS_OBJS = \
  database.o \
  memory_mosq.o \
+ memory_public.o \
  subs.o \
  topic_tok.o
 
@@ -117,6 +122,9 @@ database.o : ../../src/database.c
 memory_mosq.o : ../../lib/memory_mosq.c
  $(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
 
+memory_public.o : ../../src/memory_public.c
+ $(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
+
 misc_mosq.o : ../../lib/misc_mosq.c
  $(CROSS_COMPILE)$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^