Fix TLS bridge/lib incorrectly connecting on invalid CA file.

Closes #2130. Thanks to becz.
eclipse · Mar 11, 2021 · b7a08d5 · b7a08d5
1 parent ace2aa7
commit b7a08d5
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -1,13 +1,29 @@
-2.0.9 - 2021-03-xx
+2.0.9 - 2021-03-11
 ==================
 
-Broker:
+Security:
+- If an empty or invalid CA file was provided to the client library for
+ verifying the remote broker, then the initial connection would fail but
+ subsequent connections would succeed without verifying the remote broker
+ certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the
+ remote broker for an outgoing bridge connection then the initial connection
+ would fail but subsequent connections would succeed without verifying the
+ remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
+ is empty or invalid. Closes #2130.
 - Fix `tls_version` behaviour not matching documentation. It was setting the
  exact TLS version to use, not the minimium TLS version to use. Closes #2110.
 - Fix messages to `$` prefixed topics being rejected. Closes #2111.
 - Fix QoS 0 messages not being delivered when max_queued_bytes was configured.
  Closes #2123.
 
+Client library:
+- Fix encrypted connections incorrectly connecting when the CA file passed to
+ `mosquitto_tls_set()` is empty or invalid. Closes #2130.
+
 Build:
 - Fix cmake epoll detection.
 

diff --git a/lib/mosquitto.c b/lib/mosquitto.c
@@ -196,6 +196,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
 #ifdef WITH_TLS
  mosq->ssl = NULL;
  mosq->ssl_ctx = NULL;
+ mosq->ssl_ctx_defaults = true;
  mosq->tls_cert_reqs = SSL_VERIFY_PEER;
  mosq->tls_insecure = false;
  mosq->want_write = false;

diff --git a/src/bridge.c b/src/bridge.c
@@ -112,6 +112,7 @@ int bridge__new(struct mosquitto__bridge *bridge)
  new_context->tls_alpn = new_context->bridge->tls_alpn;
  new_context->tls_engine = db.config->default_listener.tls_engine;
  new_context->tls_keyform = db.config->default_listener.tls_keyform;
+ new_context->ssl_ctx_defaults = true;
 #ifdef FINAL_WITH_TLS_PSK
  new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
  new_context->tls_psk = new_context->bridge->tls_psk;