For TLS connections, how can I set TLSSettings? #8

Closed
jbwdevries opened this issue Oct 22, 2019 · 6 comments
Labels
enhancement New feature or request

Comments

@jbwdevries

e.g. for setting custom CA certificates to use.

From what I can tell, this library uses tlsClientConfig, which only uses the TLSSettings default value.

@dustin
Owner

dustin commented Oct 22, 2019

Hmm... I was wondering how this might work, but haven't needed it myself. It's definitely something I need to consider.

I may need to abstract TLS settings in such a way I can supply TLS settings for both mqtts and wss since doing it from the URI is kind of hard.

In the meantime, I did expose the lower-level conduit mechanism. mqtts translates approximately to runClientTLS, which is implemented like this:

-- | Set up and run a client connected via TLS.
runClientTLS :: MQTTConfig -> IO MQTTClient
runClientTLS cfg@MQTTConfig{..} = tcpCompat (runTLSClient (tlsClientConfig _port (BCS.pack _hostname))) cfg

-- Compatibility mechanisms for TCP Conduit bits.
tcpCompat :: ((AppData -> IO ()) -> IO ()) -> MQTTConfig -> IO MQTTClient
tcpCompat mkconn = runMQTTConduit (adapt mkconn)
  where adapt mk f = mk (f . adaptor)
        adaptor ad = (appSource ad, appSink ad)

@dustin dustin added the enhancement New feature or request label Oct 22, 2019
@dustin
Owner

dustin commented Oct 23, 2019

I filed snoyberg/conduit/issues/423 for this. I don't see how I'd actually supply this to the underlying conduit TLS connector.

@jbwdevries
Author

I figured you could use the TLSClientConfig constructor instead of the tlsClientConfig helper method.

@dustin dustin closed this as completed in 68299d9 Oct 23, 2019
@dustin
Owner

dustin commented Oct 23, 2019

I added _tlsSettings :: TLSSettings to the MQTTConfig type and plumbed that through for both mqtts:// and wss:// connections. It's TLSSettings, so you should be able to use either a simple or full set of settings to configure the TLS bits of your client.

Let me know how this works!

@jbwdevries
Author

Can confirm this works as expected. Thanks!

@AleXoundOS

For those inexperienced like me: you need to populate ClientHooks with appropriate onCertificateRequest and onServerCertificate functions, like here: https://stackoverflow.com/a/40082394/1663197.
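
An added example, not part of the thread and not net-mqtt's own code: one way to use the `_tlsSettings` field for the custom-CA case from the original question. It keeps certificate validation enabled and only swaps the trust anchors. Assumptions: the host name, port and `ca.pem` path are placeholders, and the imports match the `tls`, `connection`, `x509-store` and `data-default-class` packages as they were around the time of this issue.

```haskell
-- Added example; not from the thread or from net-mqtt's sources.
-- Assumed placeholders: broker.example.internal, port 8883, ca.pem.
module Main (main) where

import           Data.Default.Class         (def)
import           Data.X509.CertificateStore (readCertificateStore)
import           Network.Connection         (TLSSettings (..))
import           Network.MQTT.Client        (MQTTConfig (..), connectURI,
                                             mqttConfig, normalDisconnect)
import           Network.TLS                (ClientParams (..), Shared (..),
                                             Supported (..), defaultParamsClient)
import           Network.TLS.Extra.Cipher   (ciphersuite_default)
import           Network.URI                (parseURI)

-- | Build a full 'TLSSettings' value that trusts only the CA certificates
-- found in the given PEM file. Validation of the broker certificate stays
-- on; this is the opposite of setting settingDisableCertificateValidation.
privateCaSettings :: FilePath -> String -> IO TLSSettings
privateCaSettings caFile host = do
  mstore <- readCertificateStore caFile
  case mstore of
    -- Fail closed: never fall back to an empty or default trust store.
    Nothing    -> fail ("no usable CA certificates in " <> caFile)
    Just store -> pure . TLSSettings $
      -- 'host' is used for SNI and for matching the broker certificate,
      -- so it must be the name the certificate was issued for.
      (defaultParamsClient host mempty)
        { clientShared    = def { sharedCAStore = store }
          -- The default 'Supported' offers no ciphers, so set them here.
        , clientSupported = def { supportedCiphers = ciphersuite_default }
        }

main :: IO ()
main = do
  let host = "broker.example.internal"
  tls <- privateCaSettings "ca.pem" host
  uri <- maybe (fail "bad URI") pure (parseURI ("mqtts://" <> host <> ":8883"))
  -- The same field is used for wss:// connections, per the comment above.
  client <- connectURI mqttConfig { _tlsSettings = tls } uri
  normalDisconnect client
```

A broker certificate that does not chain to a CA in `ca.pem`, or that was issued for a different name, makes the handshake fail during `connectURI`.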
