Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Server does not appear to validate client cert #996

creising opened this issue Oct 25, 2018 · 2 comments


None yet
2 participants
Copy link

commented Oct 25, 2018

Thank you very much for creating this broker. It has been very fun to play around with! I apologize if the answer to this one is obvious.

I ran into a little bit of an issue with TLS. Specifically, requiring a valid certificate from the client. At first all went well. I added my cafile, cert, and key and set the required cert flag to true. As a test I first tried connecting my client without a cert and the server rejecting the connection as expected. I added my client certs and the server accepted my connection so all seemed to be well. Later I realized that the CA file on my server was wrong and from that CA's perspective the client's certificate should have been invalid. I then ran a second test were I remove that line entirely from my config file and the connection was still successful. Is there something else I need to configure to get the broker to check to make sure the cert is valid? It looks like it is just checking to see if a cert is present at all.

Here is my config:

port 1883

listener 8081
protocol websockets

persistence true
persistence_location /mosquitto/data/
cafile /mosquitto/config/ca_certificate.pem
certfile /mosquitto/config/server_certificate.pem
keyfile /mosquitto/config/server_key.pem
require_certificate true

autosave_interval 30
autosave_on_changes false

tls_version tlsv1.2

I have been using the latest version of the docker container for testing.

Thank you for your time!


This comment has been minimized.

Copy link

commented Oct 25, 2018

And what port is your client connecting to? 8081? or 1883? iirc, security settings are per listener, so you've only secured the websockets listener on 8081


This comment has been minimized.

Copy link

commented Oct 26, 2018

Thank you for getting back to me! Your observation is correct. I am currently testing TLS with websockets only (port 8081).

@ralight ralight closed this in b54e379 Nov 8, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.