
Permit cafile and capath to be NULL when MOSQ_OPT_TLS_USE_OS_CERTS is set #2820

RLeclair opened this issue May 24, 2023 · 1 comment

@RLeclair

Hi,

In order for Mosquitto MQTT to use OS certs, MOSQ_OPT_TLS_USE_OS_CERTS needs to be set. This works fine; however, if the user needs to set certfile and keyfile using mosquitto_tls_set, they will be forced to specify either cafile or capath despite using OS certs. Right now, the workaround is to specify an arbitrary string for capath, which will be ignored.

Would it be possible to enable these arguments (cafile and capath) to be NULL if MOSQ_OPT_TLS_USE_OS_CERTS is set?

Thanks for your help.

@rickvargas

rickvargas commented Apr 18, 2024

The use of MOSQ_OPT_TLS_USE_OS_CERTS (--tls-use-os-certs for mosquitto commands) seems not to work on some setups. In the lib, it uses SSL_CTX_set_default_verify_paths; as the man page says:

SSL_CTX_set_default_verify_paths() specifies that the default locations from which CA certificates are loaded should be used. There is one default directory, one default file and one default store. [...] Alternatively the SSL_CERT_DIR environment variable can be defined to override this location. The default CA certificates file is called cert.pem in the default OpenSSL directory. Alternatively the SSL_CERT_FILE environment variable can be defined to override this location.

Also, note that the lib doesn't check for success/failure, as the man page specifies that it can happen:

SSL_CTX_set_default_verify_paths() [...] return 1 on success or 0 on failure. A missing default location is still treated as a success.

I tried exporting SSL_CERT_DIR but it didn't make it work. Still figuring it out, but the simplest way to go is to set the cafile to your /etc/ssl/certs/ca-certificates.crt file (at least for OpenSSL).
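The lookup that comment describes, written out as an added pre-flight check (constructed for this thread, not code from mosquitto or OpenSSL): it resolves the CA directory and file in the same order as the man page (SSL_CERT_DIR / SSL_CERT_FILE override the compiled-in defaults under OPENSSLDIR) and, unlike SSL_CTX_set_default_verify_paths(), reports a missing location instead of treating it as success, so you can see why --tls-use-os-certs silently verifies nothing on a given host. The OPENSSLDIR value is an assumption; confirm it with `openssl version -d`.

```c
/* Constructed diagnostic: which CA locations will OpenSSL's default lookup use,
 * and do they exist? Not part of libmosquitto or OpenSSL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Assumption: adjust to the output of `openssl version -d` on your host. */
#define ASSUMED_OPENSSLDIR "/usr/lib/ssl"

struct ca_locations {
    char dir[512];      /* OPENSSLDIR/certs unless SSL_CERT_DIR is set  */
    char file[512];     /* OPENSSLDIR/cert.pem unless SSL_CERT_FILE is set */
    int dir_from_env, file_from_env;
    int dir_exists, file_exists;
};

static int path_exists(const char *p, int want_dir) {
    struct stat st;
    if (stat(p, &st) != 0) return 0;
    return want_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode);
}

/* env_dir/env_file are parameters rather than getenv() calls so the
 * resolution logic can be tested; NULL means "variable not set". Returns 1
 * if at least one location exists, 0 if both are missing (OpenSSL itself
 * would still return 1 in that case, which is the trap this check exposes). */
int resolve_ca_locations(const char *openssldir, const char *env_dir,
                         const char *env_file, struct ca_locations *out) {
    memset(out, 0, sizeof *out);
    if (env_dir) { snprintf(out->dir, sizeof out->dir, "%s", env_dir); out->dir_from_env = 1; }
    else          snprintf(out->dir, sizeof out->dir, "%s/certs", openssldir);
    if (env_file) { snprintf(out->file, sizeof out->file, "%s", env_file); out->file_from_env = 1; }
    else           snprintf(out->file, sizeof out->file, "%s/cert.pem", openssldir);
    out->dir_exists  = path_exists(out->dir, 1);
    out->file_exists = path_exists(out->file, 0);
    return out->dir_exists || out->file_exists;
}

int main(void) {
    struct ca_locations loc;
    int usable = resolve_ca_locations(ASSUMED_OPENSSLDIR, getenv("SSL_CERT_DIR"),
                                      getenv("SSL_CERT_FILE"), &loc);
    printf("CA dir : %s (%s, %s)\n", loc.dir, loc.dir_from_env ? "SSL_CERT_DIR" : "default",
           loc.dir_exists ? "exists" : "MISSING");
    printf("CA file: %s (%s, %s)\n", loc.file, loc.file_from_env ? "SSL_CERT_FILE" : "default",
           loc.file_exists ? "exists" : "MISSING");
    printf("OS trust store usable by MOSQ_OPT_TLS_USE_OS_CERTS: %s\n", usable ? "yes" : "NO");
    return usable ? 0 : 1;
}
```

Run it with the same environment the mosquitto client will see; a "NO" here means the client would connect with an empty trust store and fail verification even though the option call itself reported success.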
