home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

mqtt integration: setting TLS settings only if client certificate is set? #125930

Closed stevenengland closed 1 month ago

stevenengland commented 1 month ago

The problem

Hi there,

this is regarding the line https://github.com/home-assistant/core/blob/94916ebbd184fe77e7efa6915a5ab28000047fb9/homeassistant/components/mqtt/client.py#L343

Doesn't that mean that

tls_version
tls_insecure

are only set if

CONF_CERTIFICATE

is also set? Shouldn't these options be set regardless of a client certificate being used?

Maybe this leads to errors like I face and that I described here: https://community.home-assistant.io/t/mqtt-integration-errno-104-connection-reset-by-peer/770346

What version of Home Assistant Core has the issue?

latest

What was the last working version of Home Assistant Core?

latest

What type of installation are you running?

Home Assistant OS

Integration causing the issue

mqtt

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

home-assistant[bot] commented 1 month ago

Hey there @emontnemery, @jbouwh, @bdraco, mind taking a look at this issue as it has been labeled with an integration (mqtt) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `mqtt` can trigger bot actions by commenting:

- `@home-assistant close` Closes the issue.
- `@home-assistant rename Awesome new title` Renames the issue.
- `@home-assistant reopen` Reopen the issue.
- `@home-assistant unassign mqtt` Removes the current integration label and assignees on the issue, add the integration domain after the command.
- `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
- `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)

mqtt documentation, mqtt source (message by IssueLinks)

jbouwh commented 1 month ago

There are multiple settings. The first is whether a certificate is expected (default is off). Then the root certificate can be installed, or if set to automatic, the certificate is expected to be trusted.

The validation of the certificate itself can be ignored, e.g. if there is an issue with the trust chain.

Then there is an option to use a client certificate for authentication. This only works if the broker has a secure connection. This option is not required. So you can have a username/password with a secure connection, a client certificate, or both.

stevenengland commented 1 month ago

Hi @jbouwh, thanks for jumping in. But I am not sure if I correctly understand your explanation. What I need is the following:

This is what this would look like in MQTT Explorer: [screenshot]

Is this covered by the current implementation HA?

From what I see so far I would say no. Here is why I think so:

Am I mistaken here? Where else are these options set that I think I need for my setup?

Kind regards!

jbouwh commented 1 month ago

If the certificate on your broker is self-signed, use the CA certificate and upload it. You can leave validation on.

stevenengland commented 1 month ago

And what about not setting a cert at all? Would that be a valid feature request?

jbouwh commented 1 month ago

IMO you do not need to turn off certificate validation if the broker certificate is trusted or if you supply the correct CA certificate (in case of a self-signed certificate). There's no issue with the config flow options imo.

stevenengland commented 1 month ago

Okay, after reading the MQTT manual again I must admit that this flow is described there. I think my irritation originates because I am not used to a flow that asks me for a CA if I want to use a completely untrusted but encrypted connection.

jbouwh commented 1 month ago

The default is not using TLS, so no broker cert validation is done, we do not need a feature for that. Why do you want an untrusted encrypted connection? If you use your own certificates, this is not needed.

jbouwh commented 1 month ago

About your issue description:

tls_version and tls_insecure are only used if the broker validation is set, and thus we support TLS. In other cases it does not make sense to pass a tls_version or to tell the tls connection is insecure as there is no TLS connection.

The whole idea of allowing an untrusted encrypted connection makes sense if you cannot or do not want to supply the CA root cert / issuing cert. So IMO you do not need the option. But the tls_insecure option is part of the advanced settings.

I am going to close this as there is not an issue with Home Assistant Core.
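The option model discussed in this thread (broker certificate setting as the gate, `tls_insecure` and client certificate only meaningful once there is a TLS session), as an added example that is not Home Assistant's or paho-mqtt's code. It uses only the standard-library `ssl` module and returns an `ssl.SSLContext` instead of a live MQTT client; the option names `certificate` ("auto", a path to an uploaded CA file, or None), `tls_insecure`, `client_cert` and `client_key` are assumed here to mirror the thread, and `tls_insecure` is modelled on paho-mqtt's `tls_insecure_set()`, which switches off hostname verification only.

```python
"""Added illustration of how MQTT TLS options gate each other.

Not Home Assistant code. Option names are assumed to follow the thread:
  certificate  -> None (plain TCP), "auto" (system trust store) or a CA path
  tls_insecure -> disable hostname verification (chain is still validated)
  client_cert / client_key -> optional client-certificate authentication
"""
import ssl
from typing import Optional


def build_tls_context(
    certificate: Optional[str],
    tls_insecure: bool = False,
    client_cert: Optional[str] = None,
    client_key: Optional[str] = None,
) -> Optional[ssl.SSLContext]:
    """Return the SSLContext for the broker connection, or None for plain TCP.

    The broker certificate setting is the gate: with no ``certificate`` there
    is no TLS session, so ``tls_insecure`` and the client certificate have
    nothing to apply to and are deliberately ignored.
    """
    if certificate is None:
        return None

    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if certificate == "auto":
        # Broker certificate must chain to a root in the system trust store.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        # Self-signed broker: trust the uploaded CA file instead. The path is
        # the operator's file and is only read in this branch.
        ctx.load_verify_locations(cafile=certificate)

    # Modelled on paho-mqtt's tls_insecure_set(): only hostname verification is
    # switched off; the certificate chain is still validated (CERT_REQUIRED).
    ctx.check_hostname = not tls_insecure

    # Client certificate authenticates the client and is independent of how the
    # broker certificate is trusted; it presupposes the TLS session above.
    if client_cert is not None:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe(ctx: Optional[ssl.SSLContext]) -> str:
    """One-line summary of the resulting policy, for a quick sanity check."""
    if ctx is None:
        return "plain TCP, no TLS"
    chain = "chain verified" if ctx.verify_mode == ssl.CERT_REQUIRED else "chain NOT verified"
    hostname = "on" if ctx.check_hostname else "OFF"
    return f"TLS, {chain}, hostname check {hostname}"


if __name__ == "__main__":
    # Constructed cases that run offline (no CA or client files needed).
    # tls_insecure without a certificate setting has no effect: no TLS at all.
    print("no certificate, tls_insecure=True:", describe(build_tls_context(None, tls_insecure=True)))
    print("auto, defaults:                   ", describe(build_tls_context("auto")))
    print("auto, tls_insecure=True:          ", describe(build_tls_context("auto", tls_insecure=True)))
```

The first printed case is the situation from the issue description: with the broker certificate setting absent there is no TLS handshake, so `tls_insecure` never reaches the socket. The third case shows why "insecure" does not by itself make a self-signed broker work when the trust store is "auto": the chain is still checked, so the CA has to be uploaded, which is the path jbouwh recommends.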