eclipse-mosquitto / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

mosquitto_ctrl claims the connection is not encrypted, does nothing #2541

Open sezanzeb opened 2 years ago

sezanzeb commented 2 years ago

I'm pretty sure our server is properly running with encryption, because mqtt explorer will only connect with activated encryption.

However, we get this when using mosquitto_ctrl to interact with the dynsec plugin:

mosquitto_ctrl -h qux.foo.bar -p 8883 -u *** -P *** dynsec listClients -v
Warning: You are running mosquitto_ctrl without encryption.
This means all of the configuration changes you are making are visible on the network, including passwords

Which stops after 10 seconds of doing nothing without a result.

Locally everything worked and listClients printed our administrator user.

We also know that dynsec is running properly, because the credentials we put into the dynsec config file are the only way to connect in mqtt explorer.

Versions:

uname -r
5.15.32-1-MANJARO
mosquitto_ctrl | ack version
mosquitto_ctrl version 2.0.14 running on libmosquitto 2.0.14.

sezanzeb commented 2 years ago

Downloading any cert via

openssl s_client -showcerts -connect foo:443 </dev/null > bar.cert

and then using it with

mosquitto_ctrl -h qux.foo.bar -p 8883 -u admin -P admin --cafile bar.cert dynsec listClients -v

makes the warning go away. The command doesn't seem to really check if the cert is matching. And it still exits after 10 seconds of doing nothing.

ralight commented 2 years ago

Hmm, unlike the mosquitto_*ub clients, mosquitto_ctrl doesn't automatically change to TLS mode if you use port 8883. I think that's a bug. I've not debugged your second command where it does use encrypted mode, I'll look at that later.
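
An added example, not part of any comment in this thread and not the project's own code: a pre-flight check that refuses a mosquitto_ctrl argument list carrying no CA option, the case that produced the warning above. The function name `ctrl_tls_preflight` is hypothetical, `--capath` is assumed to be accepted as by the other mosquitto clients, and the sample arguments are constructed.

```shell
#!/bin/sh
# Pre-flight check for a mosquitto_ctrl argument list (added example).
# Returns 0 when a usable CA source is given,
#         1 when neither --cafile nor --capath is present (per this thread,
#           the port number alone does not switch mosquitto_ctrl to TLS),
#         2 when the CA source cannot be used.
ctrl_tls_preflight() {
    ca_file="" ca_path="" port=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --cafile) ca_file="${2-}"; shift ;;
            --capath) ca_path="${2-}"; shift ;;
            -p)       port="${2-}";    shift ;;
        esac
        # The option value (if any) was consumed above; now drop the option.
        if [ "$#" -gt 0 ]; then shift; fi
    done

    if [ -z "$ca_file" ] && [ -z "$ca_path" ]; then
        echo "no --cafile/--capath given: port ${port:-default} would be used without TLS" >&2
        return 1
    fi
    if [ -n "$ca_file" ]; then
        # A PEM CA file must be readable and contain a certificate block.
        if [ ! -r "$ca_file" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file"; then
            echo "--cafile $ca_file is not a readable PEM certificate" >&2
            return 2
        fi
    fi
    if [ -n "$ca_path" ] && [ ! -d "$ca_path" ]; then
        echo "--capath $ca_path is not a directory" >&2
        return 2
    fi
    return 0
}

# Constructed sample: the first command line from this issue, credentials omitted.
ctrl_tls_preflight -h qux.foo.bar -p 8883 dynsec listClients -v \
    || echo "preflight exit code: $?"
```

Passing this check only shows that a CA source is configured. It does not show that the file is the CA that issued the broker's certificate.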

sezanzeb commented 2 years ago

Thanks a lot!

NicolasLM commented 2 years ago

Hey, I am also facing this problem. I tried a bunch of incantations, like mosquitto_ctrl -L mqtts://foo:bar@baz:8883/ but it seems that mosquitto_ctrl cannot connect over TLS, even when not relying on the implicit switch to TLS when using port 8883.

tka85 commented 8 months ago

Same here. Tried with -L mqtts://... and with spread params -u ... -p ... -P ....

I just get the warning "Warning: You are running mosquitto_ctrl without encryption. \nThis means all of the configuration changes you are making are visible on the network, including passwords." and then nothing.

Has anyone solved this? Or is the project not maintained any more?

avandorp commented 7 months ago

It works, if you connect by socket. But it still warns you about unencrypted traffic...

cyub commented 3 months ago

-o <path to options file>: configure the CA certificate and other information in the specified file. For more, see: Using an options file