Security Regression: Mosquitto client connects without verifying broker CA file #2130
Thanks for the report. I'm preparing releases with this fix in.
Thank you very much for the quick reaction and fix! I ran further tests with the new library 1.6.14 and observed a further "unexpected connect". I did the following:
Hello,
With mosquitto 1.6.12 and OpenSSL 1.0.2g I have an issue with the TLS handshake. The handshake is performed even with an empty CA file. It seems like this behaviour has been present since 1.5.7.
Steps to reproduce:
--> After starting the example project, the call to mosquitto_connect_async fails and returns 8 (A TLS error occurred.). The error message "Error: Unable to load CA certificates, check cafile "InvalidCa.crt"." is also logged.
--> Then mosquitto_loop_start is called. Mosquitto connects to the broker without complaining about the invalid CA file and without verifying the peer.
If mosquitto 1.4.12 is used, the mosquitto client library constantly tries to reconnect to the broker after calling mosquitto_loop_start. This is the required behaviour for my use case.
To me it seems that the initialisation is skipped in case of a reconnect, due to the following code path:
mosquitto/lib/net_mosq.c, line 462 in a2d4535
Example program:
Output of example program:
Best regards