Fix TLS bridge/lib incorrectly connecting on invalid CA file.

Closes #2130. Thanks to becz.

ChangeLog.txt

@@ -1,7 +1,29 @@
+1.6.14 - 2021-02-04
+===================
+
+Security:
+- If an empty or invalid CA file was provided to the client library for
+ verifying the remote broker, then the initial connection would fail but
+ subsequent connections would succeed without verifying the remote broker
+ certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the
+ remote broker for an outgoing bridge connection then the initial connection
+ would fail but subsequent connections would succeed without verifying the
+ remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
+ is empty or invalid. Closes #2130.
+
+Client library:
+- Fix encrypted connections incorrectly connecting when the CA file passed to
+ `mosquitto_tls_set()` is empty or invalid. Closes #2130.
+
 Clients:
 - Fix possible loss of data in `mosquitto_pub -l` when sending multiple long
  lines. Closes #2078.
 
+
 1.6.13 - 2021-02-04
 ===================
 

lib/mosquitto.c

@@ -196,6 +196,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
 #ifdef WITH_TLS
  mosq->ssl = NULL;
  mosq->ssl_ctx = NULL;
+ mosq->ssl_ctx_defaults = true;
  mosq->tls_cert_reqs = SSL_VERIFY_PEER;
  mosq->tls_insecure = false;
  mosq->want_write = false;

src/bridge.c

@@ -90,6 +90,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
  new_context->tls_alpn = new_context->bridge->tls_alpn;
  new_context->tls_engine = db->config->default_listener.tls_engine;
  new_context->tls_keyform = db->config->default_listener.tls_keyform;
+ new_context->ssl_ctx_defaults = true;
 #ifdef FINAL_WITH_TLS_PSK
  new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
  new_context->tls_psk = new_context->bridge->tls_psk;