Closed simonboydfoley closed 5 months ago
I'll close this ticket down but provide a solution that worked for me that appears to be undocumented, so people in future can find the workaround.
The documented cert_reqs=None,
client.tls_set(ca_certs=None, certfile=None, keyfile=None, tls_version=2, cert_reqs=None)
fails with a server-side verification check on the certificate when it's self-signed:
"ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)"
client.tls_insecure_set(True) does not prevent the certificate check.
However, this undocumented setting does work:
client.tls_set(cert_reqs=ssl.CERT_NONE)
Hope this helps people.
We live in the real world and we don't control the brokers we need to connect to to pull data. We need a flag to enable a TLS connection to a broker but accept a self-signed certificate on the broker server. It's a perfectly valid use case in a private network when testing third-party hardware where you have no control over the broker hardware.
We should have the choice to override the certificate checks and accept self-signed certificates.
An encrypted session on the wire is still better than clear text.
Intransigence on this requirement promotes insecurity.
We need a flag to override the certificate checks for self-signed broker certs for testing purposes.
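An added example, not code from the issue author or the paho project: building the TLS context with the standard-library ssl module makes the two options from the comment above explicit. Pinning the broker's own self-signed certificate as the only trust anchor (the same thing paho's ca_certs parameter does) gives an encrypted and authenticated session; cert_reqs=ssl.CERT_NONE gives encryption only, so any host on the path can impersonate the broker. Assumed: paho's tls_set_context() to hand the finished context to the client, and a placeholder path for the exported broker certificate.

```python
"""TLS context choices for an MQTT broker with a self-signed certificate."""
import ssl
from typing import Optional


def broker_tls_context(pinned_cert_pem: Optional[str] = None,
                       verify: bool = True) -> ssl.SSLContext:
    """Return an SSLContext for connecting to the broker.

    pinned_cert_pem: PEM file holding the broker's own (self-signed)
        certificate, exported out of band. When given, only that
        certificate is trusted, which is what paho's ca_certs does.
    verify=False: the CERT_NONE workaround from the comment above,
        encrypted but unauthenticated.
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if pinned_cert_pem is not None:
        # Trust exactly this certificate instead of the system CA store;
        # a different self-signed cert presented by an on-path host fails.
        ctx.load_verify_locations(cafile=pinned_cert_pem)
    else:
        ctx.load_default_certs()
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Short label for logging or tests, e.g. 'CERT_REQUIRED/hostname=True'."""
    return f"{ctx.verify_mode.name}/hostname={ctx.check_hostname}"


if __name__ == "__main__":
    # "broker.pem" is a placeholder for the exported broker certificate.
    pinned = broker_tls_context(pinned_cert_pem="broker.pem")
    print("pinned self-signed cert:", describe(pinned))
    print("CERT_NONE workaround:   ", describe(broker_tls_context(verify=False)))
    # With paho-mqtt: client.tls_set_context(pinned) before client.connect().
```

If the broker's hostname is not in its certificate, set ctx.check_hostname = False on the pinned context and keep CERT_REQUIRED; that is what paho's tls_insecure_set(True) does, and it still rejects a certificate other than the pinned one.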