eclipse / paho.mqtt.rust


Question: Is enable_server_cert_auth same as insecure? #231

Closed krishnaTORQUE closed 1 month ago

krishnaTORQUE commented 1 month ago

Is enable_server_cert_auth same as --insecure?

let ssl_opt: SslOptions = SslOptionsBuilder::new()
        .ca_path("ca.crt")
        .map_err(|e| error!("Mqtt ssl fail: {}", e))
        .unwrap()
        .enable_server_cert_auth(false) // <-- here
        .finalize();

Is this equivalent to mosquitto_sub --insecure --cafile ca.crt -h mqtt.example.com -p 8883?

fpagliughi commented 1 month ago

I have no idea what is coded in mosquitto. But the source code is available if you want to look: https://github.com/eclipse/mosquitto

This library calls the upstream Paho C library, which uses OpenSSL for the secure sockets. The enable_server_cert_auth() just comes down to a single call (SSLSocket.c:724):

if (opts->enableServerCertAuth)
    SSL_CTX_set_verify(net->ctx, SSL_VERIFY_PEER, NULL);

Full details are available here: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html

krishnaTORQUE commented 1 month ago

Thanks

That is absolutely correct.

The confusion is that this command is working:

mosquitto_sub -h mqtt.example.com -p 8883 -u user -P pass -t '#' --cafile ca.crt -d

While MQTT Paho for Rust is not working:

let ssl_opt: SslOptions = SslOptionsBuilder::new()
        .ca_path("/path/to/ca.crt")
        .map_err(|e| error!("Mqtt ca.crt error: {}", e))
        .unwrap()
        .finalize();

Error [-1] TCP/TLS connect failure

krishnaTORQUE commented 1 month ago

Changing from ca_path to trust_store resolved the issue.
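
The following pre-flight check is an added example, not code from this thread or from paho-mqtt. It relies on the Paho C options that the Rust builder wraps: `trustStore` (set by `trust_store`) names a PEM file, while `CApath` (set by `ca_path`) names a directory that OpenSSL searches by subject-hash file name. The `CaSource` enum and both functions are hypothetical helpers, and the sample file is constructed.

```rust
use std::{fs, path::Path};

/// Which SslOptionsBuilder setter suits a CA location (hypothetical helper, not a paho-mqtt API).
#[derive(Debug, PartialEq)]
pub enum CaSource {
    TrustStoreFile,         // PEM file: pass to .trust_store(path)
    CaDirectory,            // hashed directory: pass to .ca_path(path)
    Unusable(&'static str), // neither: connecting would fail
}

/// OpenSSL finds certificates in a CApath directory by subject-hash file
/// names: eight lowercase hex digits, a dot, then a sequence number.
pub fn is_hashed_name(name: &str) -> bool {
    match name.split_once('.') {
        Some((hash, seq)) => {
            hash.len() == 8
                && hash.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
                && !seq.is_empty()
                && seq.bytes().all(|b| b.is_ascii_digit())
        }
        None => false,
    }
}

pub fn classify_ca_source(path: &Path) -> CaSource {
    if path.is_dir() {
        let hashed = fs::read_dir(path)
            .map(|dir| dir.flatten().any(|e| is_hashed_name(&e.file_name().to_string_lossy())))
            .unwrap_or(false);
        return if hashed {
            CaSource::CaDirectory
        } else {
            CaSource::Unusable("directory holds no hash-named certificates")
        };
    }
    let marker: &[u8] = b"-----BEGIN CERTIFICATE-----";
    match fs::read(path) {
        Ok(bytes) if bytes.windows(marker.len()).any(|w| w == marker) => CaSource::TrustStoreFile,
        Ok(_) => CaSource::Unusable("file contains no PEM certificate"),
        Err(_) => CaSource::Unusable("path cannot be read"),
    }
}

fn main() {
    // Constructed sample: a placeholder PEM file, not a real certificate.
    let file = std::env::temp_dir().join("example-ca.crt");
    fs::write(&file, "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n").unwrap();
    println!("{:?}", classify_ca_source(&file));
}
```

Running the check before building `SslOptions` turns the generic `TCP/TLS connect failure` into a specific message about the CA location, without touching `enable_server_cert_auth`.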