From b7a08d5c406829a3da89bb105f18332755498ee9 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Thu, 11 Mar 2021 12:45:04 +0000
Subject: [PATCH] Fix TLS bridge/lib incorrectly connecting on invalid CA file. Closes #2130. Thanks to becz.
---
 ChangeLog.txt | 20 ++++++++++++++++++--
 lib/mosquitto.c | 1 +
 src/bridge.c | 1 +
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 47bda05641..ca5eccf4d0 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,13 +1,29 @@
-2.0.9 - 2021-03-xx
+2.0.9 - 2021-03-11
 ==================
-Broker:
+Security:
+- If an empty or invalid CA file was provided to the client library for
+ verifying the remote broker, then the initial connection would fail but
+ subsequent connections would succeed without verifying the remote broker
+ certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the
+ remote broker for an outgoing bridge connection then the initial connection
+ would fail but subsequent connections would succeed without verifying the
+ remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
+ is empty or invalid. Closes #2130.
 - Fix `tls_version` behaviour not matching documentation. It was setting the exact TLS version to use, not the minimium TLS version to use. Closes #2110.
 - Fix messages to `$` prefixed topics being rejected. Closes #2111.
 - Fix QoS 0 messages not being delivered when max_queued_bytes was configured. Closes #2123.
+Client library:
+- Fix encrypted connections incorrectly connecting when the CA file passed to
+ `mosquitto_tls_set()` is empty or invalid. Closes #2130.
+
 Build:
 - Fix cmake epoll detection.
diff --git a/lib/mosquitto.c b/lib/mosquitto.c
index 0dd4ac01fe..0d53f2e5c7 100644
--- a/lib/mosquitto.c
+++ b/lib/mosquitto.c
@@ -196,6 +196,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
 #ifdef WITH_TLS
 mosq->ssl = NULL;
 mosq->ssl_ctx = NULL;
+ mosq->ssl_ctx_defaults = true;
 mosq->tls_cert_reqs = SSL_VERIFY_PEER;
 mosq->tls_insecure = false;
 mosq->want_write = false;
diff --git a/src/bridge.c b/src/bridge.c
index d10d12696b..f5158dba6a 100644
--- a/src/bridge.c
+++ b/src/bridge.c
@@ -112,6 +112,7 @@ int bridge__new(struct mosquitto__bridge *bridge)
 new_context->tls_alpn = new_context->bridge->tls_alpn;
 new_context->tls_engine = db.config->default_listener.tls_engine;
 new_context->tls_keyform = db.config->default_listener.tls_keyform;
+ new_context->ssl_ctx_defaults = true;
 #ifdef FINAL_WITH_TLS_PSK
 new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 new_context->tls_psk = new_context->bridge->tls_psk;
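Review bot: The added `mosq->ssl_ctx_defaults = true;` in mosquitto_reinitialise carries no explanation of what the flag controls, and the security consequence of it being false (the behaviour in #2130, where a connect attempt after a failed CA load proceeded without verifying the peer) is not recoverable from the assignment alone; a comment such as `/* ctx is library-created: CA/verify setup must be redone on every connect, never reused after a failed load */` would help, and the same applies to the matching line in src/bridge.c. Presumably the connect path keys on this flag to decide whether an existing ssl_ctx may be reused as-is; that code is outside this patch, so it is worth confirming that a context whose CA load failed is also freed and set to NULL there, so a partially configured ctx cannot be reused whatever the flag says. The diffstat shows no test was added; a regression test that a connection with an empty or invalid CA file fails on the second attempt as well as the first would pin this fix. mosquitto_reinitialise's body continues outside the hunk.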
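Review bot: `new_context->ssl_ctx_defaults = true;` in bridge__new is placed between the tls_keyform copy and `#ifdef FINAL_WITH_TLS_PSK`, but the guard enclosing the tls_alpn/tls_engine/tls_keyform lines is not visible in the hunk; if the `ssl_ctx_defaults` member is declared under `#ifdef WITH_TLS` (as its placement inside `#ifdef WITH_TLS` in lib/mosquitto.c suggests), this assignment needs the same guard or a broker built without TLS will not compile — worth confirming against the struct definition. Every other line in this stretch copies a value from the bridge or listener config, so a reader will not see why this one is a constant; a short comment, e.g. `/* bridge ctx is broker-created, so CA/verify setup is re-applied on each connect */`, would make that explicit. bridge__new's body continues outside the hunk.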