eclipse / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

Bridge connection to tls broker without bridge_capath or bridge_cafile #2473

Open UtechtDustin opened 2 years ago

UtechtDustin commented 2 years ago

I tried to connect a mosquitto broker as a bridge to another mosquitto broker with TLS activated. Now I saw this part in the documentation:

One of bridge_cafile or bridge_capath must be provided to allow SSL/TLS support.

So I have the question: why do I need that?! Why can't mosquitto check the system certificates (on Linux /etc/ssl/certs) if no option is set? Is this requirement really needed?

karlp commented 2 years ago

It can use the system ca path, but it doesn't know where your system ca path is.

UtechtDustin commented 2 years ago

The question is, why doesn't it know where the system CA path is? Each OS has one default path, so it could check that path, or am I wrong?

ralight commented 2 years ago

This is a point of policy - the end user has to explicitly choose which certificate authorities to trust. This isn't the same situation as a web browser where you need to trust a large quantity of certificate authorities to be able to do anything useful. You are connecting to a single or very few addresses.

I've added an option so you can more easily use the default certs, but you still have to make that decision.
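For readers arriving at this thread looking for the concrete configuration, here is a minimal bridge section for mosquitto.conf that satisfies the documented requirement. This is an added example, not code from the issue or from the mosquitto project; the remote hostname, the CA file path and the topic are placeholders. It shows the two ways of naming a trust anchor that the thread discusses: a single CA file (the narrowest choice, matching the "single or very few addresses" point above) or the OS-wide CA directory that the question mentions.

```conf
# Added example bridge section for mosquitto.conf (not from the issue or the
# mosquitto project). broker.example.com, remote-ca.crt and the topic are
# placeholders; adjust them to your deployment.
connection remote-bridge
address broker.example.com:8883

# Mosquitto does not fall back to the OS trust store by itself: exactly one
# of bridge_cafile or bridge_capath must be set for the bridge to use TLS.
#
# Option A: trust only the CA that issued the remote broker's certificate.
bridge_cafile /etc/mosquitto/certs/remote-ca.crt
#
# Option B: trust every CA in the system directory named in the question.
# The directory must use OpenSSL's hashed-symlink layout (as produced by
# c_rehash); the Debian/Ubuntu /etc/ssl/certs directory already does.
# bridge_capath /etc/ssl/certs

# Keep hostname verification of the remote certificate enabled (the default).
# Setting this to true would accept any certificate the chosen CA signed,
# for any hostname, which defeats the purpose of pinning a CA.
bridge_insecure false

# Forward local sensor messages to the remote broker at QoS 1.
topic sensors/# out 1
```

Option A is what ralight's policy point argues for: the bridge talks to one known peer, so trusting only that peer's issuing CA keeps the trust decision explicit and small. Option B reproduces the browser-style "trust the whole system bundle" behaviour the question asked for, and is the choice to revisit if the remote broker ever moves to a certificate from a CA you did not expect. Either way, after editing the file, restart the broker and watch its log for the bridge connection line; a TLS failure against the chosen CA shows up there as a connection error rather than silently falling back to an unverified session.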