
Duplicate sections in mosquitto.conf #923

Open
dylanhart opened this issue Aug 17, 2018 · 3 comments

Comments

@dylanhart

The SSL/TLS sections in the example mosquitto.conf seem to be duplicated (possibly in error):

  • mosquitto/mosquitto.conf

    Lines 196 to 292 in f6f5090

    # -----------------------------------------------------------------
    # Certificate based SSL/TLS support
    # -----------------------------------------------------------------
    # The following options can be used to enable SSL/TLS support for
    # this listener. Note that the recommended port for MQTT over TLS
    # is 8883, but this must be set manually.
    #
    # See also the mosquitto-tls man page.
    # At least one of cafile or capath must be defined. They both
    # define methods of accessing the PEM encoded Certificate
    # Authority certificates that have signed your server certificate
    # and that you wish to trust.
    # cafile defines the path to a file containing the CA certificates.
    # capath defines a directory that will be searched for files
    # containing the CA certificates. For capath to work correctly, the
    # certificate files must have ".crt" as the file ending and you must run
    # "openssl rehash <path to capath>" each time you add/remove a certificate.
    #cafile
    #capath
    # Path to the PEM encoded server certificate.
    #certfile
    # Path to the PEM encoded keyfile.
    #keyfile
    # This option defines the version of the TLS protocol to use for this listener.
    # The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
    # tlsv1.1 and tlsv1.
    #tls_version
    # By default a TLS enabled listener will operate in a similar fashion to a
    # https enabled web server, in that the server has a certificate signed by a CA
    # and the client will verify that it is a trusted certificate. The overall aim
    # is encryption of the network traffic. By setting require_certificate to true,
    # the client must provide a valid certificate in order for the network
    # connection to proceed. This allows access to the broker to be controlled
    # outside of the mechanisms provided by MQTT.
    #require_certificate false
    # If require_certificate is true, you may set use_identity_as_username to true
    # to use the CN value from the client certificate as a username. If this is
    # true, the password_file option will not be used for this listener.
    # This takes priority over use_subject_as_username.
    # See also use_subject_as_username.
    #use_identity_as_username false
    # If require_certificate is true, you may set use_subject_as_username to true
    # to use the complete subject value from the client certificate as a username.
    # If this is true, the password_file option will not be used for this listener.
    # See also use_identity_as_username
    #use_subject_as_username false
    # If you have require_certificate set to true, you can create a certificate
    # revocation list file to revoke access to particular client certificates. If
    # you have done this, use crlfile to point to the PEM encoded revocation file.
    #crlfile
    # If you wish to control which encryption ciphers are used, use the ciphers
    # option. The list of available ciphers can be obtained using the "openssl
    # ciphers" command and should be provided in the same format as the output of
    # that command.
    # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
    #ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
    # -----------------------------------------------------------------
    # Pre-shared-key based SSL/TLS support
    # -----------------------------------------------------------------
    # The following options can be used to enable PSK based SSL/TLS support for
    # this listener. Note that the recommended port for MQTT over TLS is 8883, but
    # this must be set manually.
    #
    # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
    # support" section. Only one of certificate or PSK encryption support can be
    # enabled for any listener.
    # The psk_hint option enables pre-shared-key support for this listener and also
    # acts as an identifier for this listener. The hint is sent to clients and may
    # be used locally to aid authentication. The hint is a free form string that
    # doesn't have much meaning in itself, so feel free to be creative.
    # If this option is provided, see psk_file to define the pre-shared keys to be
    # used or create a security plugin to handle them.
    #psk_hint
    # Set use_identity_as_username to have the psk identity sent by the client used
    # as its username. Authentication will be carried out using the PSK rather than
    # the MQTT username/password and so password_file will not be used for this
    # listener.
    #use_identity_as_username false
    # When using PSK, the encryption ciphers used will be chosen from the list of
    # available PSK ciphers. If you want to control which ciphers are available,
    # use the "ciphers" option. The list of available ciphers can be obtained
    # using the "openssl ciphers" command and should be provided in the same format
    # as the output of that command.
    #ciphers
  • mosquitto/mosquitto.conf

    Lines 348 to 432 in f6f5090

    # -----------------------------------------------------------------
    # Certificate based SSL/TLS support
    # -----------------------------------------------------------------
    # The following options can be used to enable certificate based SSL/TLS support
    # for this listener. Note that the recommended port for MQTT over TLS is 8883,
    # but this must be set manually.
    #
    # See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
    # support" section. Only one of certificate or PSK encryption support can be
    # enabled for any listener.
    # At least one of cafile or capath must be defined to enable certificate based
    # TLS encryption. They both define methods of accessing the PEM encoded
    # Certificate Authority certificates that have signed your server certificate
    # and that you wish to trust.
    # cafile defines the path to a file containing the CA certificates.
    # capath defines a directory that will be searched for files
    # containing the CA certificates. For capath to work correctly, the
    # certificate files must have ".crt" as the file ending and you must run
    # "openssl rehash <path to capath>" each time you add/remove a certificate.
    #cafile
    #capath
    # Path to the PEM encoded server certificate.
    #certfile
    # Path to the PEM encoded keyfile.
    #keyfile
    # By default an TLS enabled listener will operate in a similar fashion to a
    # https enabled web server, in that the server has a certificate signed by a CA
    # and the client will verify that it is a trusted certificate. The overall aim
    # is encryption of the network traffic. By setting require_certificate to true,
    # the client must provide a valid certificate in order for the network
    # connection to proceed. This allows access to the broker to be controlled
    # outside of the mechanisms provided by MQTT.
    #require_certificate false
    # If require_certificate is true, you may set use_identity_as_username to true
    # to use the CN value from the client certificate as a username. If this is
    # true, the password_file option will not be used for this listener.
    #use_identity_as_username false
    # If you have require_certificate set to true, you can create a certificate
    # revocation list file to revoke access to particular client certificates. If
    # you have done this, use crlfile to point to the PEM encoded revocation file.
    #crlfile
    # If you wish to control which encryption ciphers are used, use the ciphers
    # option. The list of available ciphers can be optained using the "openssl
    # ciphers" command and should be provided in the same format as the output of
    # that command.
    #ciphers
    # -----------------------------------------------------------------
    # Pre-shared-key based SSL/TLS support
    # -----------------------------------------------------------------
    # The following options can be used to enable PSK based SSL/TLS support for
    # this listener. Note that the recommended port for MQTT over TLS is 8883, but
    # this must be set manually.
    #
    # See also the mosquitto-tls man page and the "Certificate based SSL/TLS
    # support" section. Only one of certificate or PSK encryption support can be
    # enabled for any listener.
    # The psk_hint option enables pre-shared-key support for this listener and also
    # acts as an identifier for this listener. The hint is sent to clients and may
    # be used locally to aid authentication. The hint is a free form string that
    # doesn't have much meaning in itself, so feel free to be creative.
    # If this option is provided, see psk_file to define the pre-shared keys to be
    # used or create a security plugin to handle them.
    #psk_hint
    # Set use_identity_as_username to have the psk identity sent by the client used
    # as its username. Authentication will be carried out using the PSK rather than
    # the MQTT username/password and so password_file will not be used for this
    # listener.
    #use_identity_as_username false
    # When using PSK, the encryption ciphers used will be chosen from the list of
    # available PSK ciphers. If you want to control which ciphers are available,
    # use the "ciphers" option. The list of available ciphers can be optained
    # using the "openssl ciphers" command and should be provided in the same format
    # as the output of that command.
    #ciphers

Is this to signify that each extra listener can have its own SSL/TLS settings?

@toast-uz
Contributor

Exactly!

@toast-uz
Contributor

toast-uz commented Aug 18, 2018

Is this to signify that each extra listener can have its own SSL/TLS settings?

Maybe, I think so.
The delimiter is '-' at the SSL/TLS section, while it is '=' at the listener section. That is evidence of a difference in sub-hierarchies.

@dylanhart
Author

Maybe the lower section could be a shorter blurb on how the same settings can be applied? In its current state, the file is easy to get lost in. Also it seems that they aren't exactly 1-to-1 with information.
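Since the thread settles on each listener carrying its own SSL/TLS block, the practical risk is that one listener is configured inconsistently with the rules the quoted comments state (only one of certificate or PSK mode per listener, use_identity_as_username only meaningful with require_certificate or a PSK hint, the listed tls_version values). The following is an added example, not code from this issue or from the Mosquitto project: a small Python linter that groups mosquitto.conf options by listener and reports those inconsistencies; the file paths and port numbers in the sample are constructed.

```python
VALID_TLS_VERSIONS = {"tlsv1.2", "tlsv1.1", "tlsv1"}  # as listed in the config comments

# Constructed sample, not a real deployment. Listener 8884 mixes certificate and
# PSK mode; 8885 has a certfile with no keyfile, an unbacked identity mapping and a bogus tls_version.
SAMPLE_CONF = """
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
listener 8884
psk_hint broker-psk
cafile /etc/mosquitto/ca.crt
listener 8885
certfile /etc/mosquitto/broker.crt
use_identity_as_username true
tls_version sslv3
"""

def parse_listeners(text):
    """Group options by the listener they follow ('default' before any listener line)."""
    sections, current = {"default": {}}, "default"
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":  # every 'listener' line opens a new section
            current = "listener " + value.strip()
            sections[current] = {}
        else:
            sections[current][key] = value.strip()
    return sections

def check_listener(name, opts):
    """Findings for one listener, following the rules in the config comments."""
    out, psk = [], "psk_hint" in opts
    if psk and ("cafile" in opts or "capath" in opts):
        out.append(f"{name}: only one of certificate or PSK support may be enabled")
    if ("certfile" in opts) != ("keyfile" in opts):
        out.append(f"{name}: certfile and keyfile must be set together")
    if opts.get("use_identity_as_username") == "true" and not (
            psk or opts.get("require_certificate") == "true"):
        out.append(f"{name}: use_identity_as_username needs require_certificate true or psk_hint")
    if opts.get("tls_version", "tlsv1.2") not in VALID_TLS_VERSIONS:
        out.append(f"{name}: unsupported tls_version {opts['tls_version']!r}")
    return out

def lint(text):
    return [f for n, o in parse_listeners(text).items() for f in check_listener(n, o)]
```

Running `lint(open("mosquitto.conf").read())` against a real file gives one line per listener-level inconsistency, which is the check a reviewer wants before trusting that each extra listener's TLS block does what its comments promise.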
