eclipse / paho.mqtt.java

Eclipse Paho Java MQTT client library. Paho is an Eclipse IoT project.
https://eclipse.org/paho

Require override to allow a brokers self signed certificate #1031

Closed simonboydfoley closed 5 months ago

simonboydfoley commented 5 months ago

We live in the real world and we don't control the brokers we need to connect to in order to pull data. We need a flag to enable a TLS connection to a broker but accept a self-signed certificate on the broker server. It's a perfectly valid use case in a private network when testing third-party hardware where you have no control over the broker hardware.

We should have the choice to override the certificate checks and accept self-signed certificates.

An encrypted session on the wire is still better than clear text.

Intransigence on this requirement promotes insecurity.

We need a flag to override the certificate checks for self-signed broker certs for testing purposes.

simonboydfoley commented 5 months ago

I'll close this ticket down but provide a solution that worked for me that appears to be undocumented, so people in future can find the workaround.

The documented "cert_reqs=None" setting:

client.tls_set(ca_certs=None, certfile=None, keyfile=None, tls_version=2, cert_reqs=None);

Fails with a server-side verification check on the certificate when it's self-signed:

"ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)"

client.tls_insecure_set(True) does not prevent the certificate check.

However, this undocumented setting does work:

client.tls_set(cert_reqs=ssl.CERT_NONE);

Hope this helps people.
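As an added example that is not from this issue or from the Paho project, the following Python shows the narrower alternative to cert_reqs=ssl.CERT_NONE: loading the broker's own self-signed certificate as the only trust anchor, so that certificate is accepted while verification of everything else stays on. The function names and the client hookup through tls_set_context are assumptions.

```python
import ssl
from typing import Optional

# Added example (not paho code). Contrasts pinning a broker's self-signed
# certificate (peer verification stays on) with the cert_reqs=ssl.CERT_NONE
# workaround from the issue (peer verification is off). Names are assumptions.


def broker_tls_context(ca_certs: Optional[str] = None,
                       check_hostname: bool = True) -> ssl.SSLContext:
    """Context that still verifies the broker certificate.

    ca_certs: path to the broker's self-signed certificate in PEM form. Loaded
    as the only trust anchor, that exact certificate is accepted and any other
    one is rejected. With None, the system CA store is used instead.
    check_hostname: self-signed broker certs often carry no matching SAN;
    False keeps the certificate pin but skips the name match. The name match
    is all that paho's tls_insecure_set(True) relaxes, which is why it alone
    did not get past the verification error quoted in the issue.
    """
    ctx = ssl.create_default_context(cafile=ca_certs)  # CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = check_hostname
    return ctx


def unverified_tls_context() -> ssl.SSLContext:
    """What cert_reqs=ssl.CERT_NONE amounts to: encrypted, but any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects a broker whose certificate is not trusted."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def attach_to_client(client, ctx: ssl.SSLContext):
    """client is a paho.mqtt.client.Client; tls_set_context hands it the prepared context."""
    client.tls_set_context(ctx)
    return client
```

The same pin is reachable through client.tls_set(ca_certs="broker.pem") with cert_reqs left at its default, so no undocumented setting is needed for a known broker.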