Server does not appear to validate client cert

[creising]

Thank you very much for creating this broker. It has been very fun to play around with! I apologize if the answer to this one is obvious.

I ran into a little bit of an issue with TLS. Specifically, requiring a valid certificate from the client. At first all went well. I added my cafile, cert, and key and set the required cert flag to true. As a test I first tried connecting my client without a cert and the server rejecting the connection as expected. I added my client certs and the server accepted my connection so all seemed to be well. Later I realized that the CA file on my server was wrong and from that CA's perspective the client's certificate should have been invalid. I then ran a second test were I remove that line entirely from my config file and the connection was still successful. Is there something else I need to configure to get the broker to check to make sure the cert is valid? It looks like it is just checking to see if a cert is present at all.

Here is my config:

port 1883

listener 8081
protocol websockets

persistence true
persistence_location /mosquitto/data/
                         
cafile /mosquitto/config/ca_certificate.pem
certfile /mosquitto/config/server_certificate.pem
keyfile /mosquitto/config/server_key.pem
require_certificate true

autosave_interval 30
autosave_on_changes false

tls_version tlsv1.2

I have been using the latest version of the docker container for testing.

Thank you for your time!

[karlp]

And what port is your client connecting to? 8081? or 1883? iirc, security settings are per listener, so you've only secured the websockets listener on 8081

[creising]

Thank you for getting back to me! Your observation is correct. I am currently testing TLS with websockets only (port 8081).