Troubles using set_tls_insecure(True) #148

Closed
durera opened this issue Feb 2, 2017 · 2 comments

@durera

commented Feb 2, 2017

code snippet:

self.client = paho.Client(self.clientId, clean_session=False)
# <snip>
try:
    # <snip>
    self.logger.info("Setting TLS INSECURE")
    self.client.tls_insecure_set(True)
    self.client.connect(self.address, port=self.port, keepalive=self.keepAlive)
    self.client.loop_start()
    # <snip>
except socket.error as serr:
    self.client.loop_stop()
    self.logAndRaiseException(ConnectionException("<yadda yadda yadda> - %s" % (str(serr))))

result:

INFO     Setting TLS INSECURE
CRITICAL <yadda yadda yadda> - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Trying to get this working in a development environment where we know the certificates aren't going to match up and understand the risk associated with disabling verify (e.g. in the requests library we are setting verify=False). Yet I can't seem to get the mqtt library to do similar, as I get the above socket error on connect. Is there some other setting I need to also use?

Have tried with both paho-mqtt 1.1 and 1.2, hitting the same issue (on Python 2.7.13).

@PierreF

Contributor

commented Feb 2, 2017

Hi,

Your code snippet is incomplete; it does not show the tls_set() option, which is the important part of your problem. I assume that you use something like tls_set(ca_certs="/etc/ssl/certs/ca-certificate").
The error is that the certificate could not be validated using the given CA on tls_set(). This verification occurs because you called tls_set() with cert_reqs=ssl.CERT_REQUIRED (or kept the default value for it).
tls_set_insecure(True) will only disable the verification that the hostname of the connection (self.address) matches the certificate CN.

To fix your issue, you have 2 possibilities:

  • either you can provide the CA (or the self-signed certificate) to the client, and use it in tls_set(ca_certs).
  • or you can disable all certificate checks with cert_reqs=ssl.CERT_NONE in tls_set()
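
An added example (not part of the thread, and not paho-mqtt code) that uses the Python 3 standard `ssl` module to show hostname checking and chain verification as two separate switches. `make_context` and `audit` are hypothetical helper names, and the mapping to `tls_insecure_set()` and `cert_reqs` is an analogy based on the answer above.

```python
import ssl


def make_context(ca_file=None, verify_chain=True, verify_hostname=True):
    """Client TLS context with the two checks from the thread set separately.

    verify_chain    -> analogous to cert_reqs=ssl.CERT_REQUIRED / ssl.CERT_NONE
    verify_hostname -> analogous to what tls_insecure_set(True) switches off
    (The mapping to paho-mqtt is an assumption based on the answer above.)
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private CA or self-signed cert
    else:
        ctx.load_default_certs()
    if not verify_hostname:
        ctx.check_hostname = False  # the chain is still validated after this
    if not verify_chain:
        if ctx.check_hostname:
            # The ssl module also refuses CERT_NONE while check_hostname is on.
            raise ValueError("disable hostname checking before chain verification")
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return the verification steps this context skips (empty list = none)."""
    skipped = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        skipped.append("chain")
    if not ctx.check_hostname:
        skipped.append("hostname")
    return skipped


if __name__ == "__main__":
    # The configuration from the issue: only the hostname check is off, so an
    # untrusted certificate still fails with CERTIFICATE_VERIFY_FAILED.
    print(audit(make_context(verify_hostname=False)))  # ['hostname']
    # Development-only: both checks off.
    print(audit(make_context(verify_chain=False, verify_hostname=False)))
```

Running `audit()` over the context an application actually builds is a quick way to confirm that a development-only setting has not reached a production configuration.
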
@durera

Author

commented Feb 2, 2017

I'm an idiot, so obvious. Thank you @PierreF ... I'm blaming a long day and an even longer week ;)

@PierreF PierreF closed this Feb 24, 2017
