
CommonNameが異なる場合でも、--insecureオプションをつけることでTLS接続できるように変更

# 対象
* mosquitto_sub
* mosquitto_pub

# 詳細
TLS接続の際に、サーバーの証明書署名要求(*.csr 実体はサーバーの公開鍵にCommonName等を付加したもの)のCommonNameとサーバー(ブローカー)の接続名が異なる場合に、
Error: A TLS error occurred.
といって怒られる。

これは至極まっとうな仕様なのだが、デバッグ等でどうしてもCommonNameの設定とブローカーの接続名が異なる場合に困るので、
--insecure
オプションを付けた場合のみ、CommonNameの違いを無視してTLS接続できるように変更した。
tassi-yuzukko committed Mar 9, 2018
1 parent de5ff28 commit 4fb7c75ecf30a4e9d967dbfb55aa432d14580578
Showing with 96 additions and 3 deletions.
  1. +60 −0 .gitignore
  2. +22 −2 client/sub_client.c
  3. +7 −1 lib/net_mosq.c
  4. +6 −0 lib/tls_mosq.c
  5. +1 −0 lib/tls_mosq.h
@@ -41,3 +41,63 @@ test/lib/cpp/*.test

build/
dist/

*.obj
*.pdb
*.user
*.aps
*.pch
*.vspscc
*_i.c
*_p.c
*.ncb
*.suo
*.sln.docstates
*.tlb
*.tlh
*.bak
*.cache
*.ilk
*.log
[Bb]in
*.sbr
obj/
_ReSharper*/
[Tt]est[Rr]esult*
*.vssscc
$tf*/
*.OLD
*.old
*.TMP
*.sdb
*.sbr
*.DAT
*.htm
*.dep
*\ipch
*.sdf
*.bak
_UpgradeReport_Files\*
*UpgradeLog.XML
*.svn
*_svn
*.opensdf
*.tlog
*.log
*.lastbuildstate
*.unsuccessfulbuild
*.idb
*.res
*.bsc
[Dd]ebug
[Rr]elease*.plg
*.opt
*.manifesttags
*/tags
*.exe
*.dll
*.lib
*.DLL
*.EXE
*.pem
*.map
@@ -225,12 +225,18 @@ int main(int argc, char *argv[])
}else{
fprintf(stderr, "\nUse 'mosquitto_sub --help' to see usage.\n");
}
#ifdef _DEBUG
system("pause");
#endif
return 1;
}

mosquitto_lib_init();

if(client_id_generate(&cfg, "mosqsub")){
#ifdef _DEBUG
system("pause");
#endif
return 1;
}

@@ -245,9 +251,15 @@ int main(int argc, char *argv[])
break;
}
mosquitto_lib_cleanup();
#ifdef _DEBUG
system("pause");
#endif
return 1;
}
if(client_opts_set(mosq, &cfg)){
#ifdef _DEBUG
system("pause");
#endif
return 1;
}
if(cfg.debug){
@@ -258,8 +270,12 @@ int main(int argc, char *argv[])
mosquitto_message_callback_set(mosq, my_message_callback);

rc = client_connect(mosq, &cfg);
if(rc) return rc;

if(rc) {
#ifdef _DEBUG
system("pause");
#endif
return rc;
}

rc = mosquitto_loop_forever(mosq, -1, 1);

@@ -272,6 +288,10 @@ int main(int argc, char *argv[])
if(rc){
fprintf(stderr, "Error: %s\n", mosquitto_strerror(rc));
}
#ifdef _DEBUG
system("pause");
#endif

return rc;
}
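Review bot: The same three-line `#ifdef _DEBUG / system("pause"); / #endif` block is pasted six times across the four hunks of this file, on every exit path of `main`, and it is unrelated to the TLS change named in the commit title. `pause` is a cmd.exe builtin, so on a non-Windows build that happens to define `_DEBUG` the call would just spawn a shell that fails; `system()` also runs through the command interpreter, which is something to keep in exactly one place so it is easy to audit and remove. Suggest a single `static void debug_pause(void)` helper guarded on both `_DEBUG` and `_WIN32`, and calling `debug_pause();` before each `return`. The description lists mosquitto_pub as a target, but only sub_client.c is touched here, so pub presumably gets none of these pauses. `main` begins before the first hunk of this file.
```c
/* Debug-build convenience: keep the console window open until a key is pressed.
 * "pause" is a cmd.exe builtin, so this is only meaningful on Windows. */
static void debug_pause(void)
{
#if defined(_DEBUG) && defined(_WIN32)
	system("pause");
#endif
}

/* … unchanged: option parsing, client_id_generate, mosquitto_new … */
	rc = client_connect(mosq, &cfg);
	if(rc){
		debug_pause();
		return rc;
	}
/* … unchanged: mosquitto_loop_forever, error report … */
	debug_pause();
	return rc;
```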

@@ -570,7 +570,13 @@ int _mosquitto_socket_connect_step3(struct mosquitto *mosq, const char *host, ui
if(mosq->tls_cert_reqs == 0){
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_NONE, NULL);
}else{
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_PEER, _mosquitto_server_certificate_verify);
if(mosq->tls_insecure){
// Always authenticate even if the Common Name is incorrect.
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_PEER, _mosquitto_server_certificate_ignore);
}
else{
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_PEER, _mosquitto_server_certificate_verify);
}
}

if(mosq->tls_pw_callback){
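Review bot: The comment `// Always authenticate even if the Common Name is incorrect.` above the `SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_PEER, _mosquitto_server_certificate_ignore);` line describes a narrower behaviour than the callback it installs: nothing in `_mosquitto_server_certificate_ignore` is specific to the Common Name, it simply accepts whatever OpenSSL hands it, so with `--insecure` this branch is effectively the `SSL_VERIFY_NONE` branch above it. The comment should state the real effect, e.g. `/* --insecure: peer certificate is requested but the verify result is not enforced. */`, or the callback should be narrowed so the comment becomes true. Minor style: the `}` / `else{` split onto two lines differs from the `}else{` form used two lines earlier in the same function. `_mosquitto_socket_connect_step3` begins and ends outside this hunk.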
@@ -163,5 +163,11 @@ int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname)
return 0;
}

int _mosquitto_server_certificate_ignore(int preverify_ok, X509_STORE_CTX *ctx)
{
// Always authenticate
return 1;
}

#endif

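Review bot: `return 1;` in `_mosquitto_server_certificate_ignore` ignores `preverify_ok`, so a certificate that fails chain validation or is expired is accepted as well, not only one whose name does not match the broker; that is broader than the Common Name exception the commit description asks for. Returning the pre-verification result keeps the CA/chain checks OpenSSL already performed and skips only the hostname comparison, which presumably lives in `_mosquitto_server_certificate_verify` given the `_mosquitto_verify_certificate_hostname` prototype: `return preverify_ok;`. The `// Always authenticate` comment should then become a header comment naming the contract, e.g. `/* Verify callback used when mosq->tls_insecure is set: trusts OpenSSL's chain result, skips the hostname check. */`, and `ctx` can be marked intentionally unused with `(void)ctx;`.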
@@ -36,6 +36,7 @@ and the Eclipse Distribution License is available at

int _mosquitto_server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx);
int _mosquitto_verify_certificate_hostname(X509 *cert, const char *hostname);
int _mosquitto_server_certificate_ignore(int preverify_ok, X509_STORE_CTX *ctx);

#endif /* WITH_TLS */
