From 84f4679c4ddcc90948b5da29f62e85022b3a7259 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Thu, 11 Mar 2021 12:15:46 +0000
Subject: [PATCH] Fix TLS bridge/lib incorrectly connecting on invalid CA file.

Closes #2130. Thanks to becz.
---
 ChangeLog.txt | 22 ++++++++++++++++++++++
 lib/mosquitto.c | 1 +
 src/bridge.c | 1 +
 3 files changed, 24 insertions(+)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 8231c01d87..9f760e5970 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,7 +1,29 @@
+1.6.14 - 2021-02-04
+===================
+
+Security:
+- If an empty or invalid CA file was provided to the client library for verifying the remote broker, then the initial connection would fail but subsequent connections would succeed without verifying the remote broker certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the remote broker for an outgoing bridge connection then the initial connection would fail but subsequent connections would succeed without verifying the remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile` is empty or invalid. Closes #2130.
+
+Client library:
+- Fix encrypted connections incorrectly connecting when the CA file passed to `mosquitto_tls_set()` is empty or invalid. Closes #2130.
+
 Clients:
 - Fix possible loss of data in `mosquitto_pub -l` when sending multiple long lines. Closes #2078.
+
 1.6.13 - 2021-02-04
 ===================
diff --git a/lib/mosquitto.c b/lib/mosquitto.c
index 26931ad3f4..67fa2e2da0 100644
--- a/lib/mosquitto.c
+++ b/lib/mosquitto.c
@@ -196,6 +196,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
 #ifdef WITH_TLS
 mosq->ssl = NULL;
 mosq->ssl_ctx = NULL;
+ mosq->ssl_ctx_defaults = true;
 mosq->tls_cert_reqs = SSL_VERIFY_PEER;
 mosq->tls_insecure = false;
 mosq->want_write = false;
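Review bot: The added `mosq->ssl_ctx_defaults = true;` carries the entire security fix for the library side, yet nothing in the hunk says why defaulting this flag closes the hole the ChangeLog describes (first connect fails on an empty/invalid CA file, later reconnects succeed without verifying the broker), so the next cleanup of `mosquitto_reinitialise()` could drop it without noticing. Suggest a why-comment above the line: `/* Always apply our own CA/verify settings to the SSL_CTX (#2130): a ctx left behind by a failed CA load must never be reused unverified. */`. The hunk does not show the connect-time code that consults this flag, so whether a half-built `ssl_ctx` is actually torn down after the CA-file load fails — rather than merely re-verified on the next attempt — still needs to be confirmed there; presumably that is where the original 1.6.13 bug lived. A regression test that calls `mosquitto_tls_set()` with an empty cafile and asserts that two consecutive connect attempts both fail would pin the behaviour. `mosquitto_reinitialise` starts and ends outside the hunk.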
diff --git a/src/bridge.c b/src/bridge.c
index c951c8c392..0455891299 100644
--- a/src/bridge.c
+++ b/src/bridge.c
@@ -90,6 +90,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
 new_context->tls_alpn = new_context->bridge->tls_alpn;
 new_context->tls_engine = db->config->default_listener.tls_engine;
 new_context->tls_keyform = db->config->default_listener.tls_keyform;
+ new_context->ssl_ctx_defaults = true;
#ifdef FINAL_WITH_TLS_PSK
 new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 new_context->tls_psk = new_context->bridge->tls_psk;
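Review bot: `new_context->ssl_ctx_defaults = true;` hard-codes the same security-relevant default that the patch also adds to `mosquitto_reinitialise()` in lib/mosquitto.c, and neither site carries a comment saying the value matters (per the ChangeLog an empty or invalid `bridge_cafile` previously let bridge reconnects proceed without certificate verification). Suggest `/* Always apply the broker's CA/verify settings to the bridge SSL_CTX (#2130). */` above the line, and, if the broker has a common context initialiser for outgoing connections, moving the default there so a future connection path cannot omit it — I cannot see from the hunk whether such a shared initialiser exists. The assignment sits among the other `tls_*` copies, which is the right place, but it is outside the `FINAL_WITH_TLS_PSK` guard that begins on the next line, so it applies to both PSK and certificate bridges as intended. A regression test with `bridge_cafile` pointing at an empty file and at least two reconnect attempts would pin the fix. `bridge__new` starts and ends outside the hunk.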