mqtt: Setting null TLS hostname in mqtt_sec_config doesn't work

[kevinior]

Describe the bug

In the documentation for mqtt_sec_config it says hostname "May be NULL to skip hostname verification".

The code that turns that configuration into a TLS_HOSTNAME socket option just skips setting the option if hostname is NULL. This leaves TLS_HOSTNAME set to its default value, an empty string, and causes certificate validation to fail.

It looks like TLS_HOSTNAME defaulting to an empty string was a decision made when TLS socket options were implemented.

Regression

• This is a regression.

Steps to reproduce

1. Build the net/secure_mqtt_sensor_actuator sample without CONFIG_MBEDTLS_SERVER_NAME_INDICATION
2. Observer that certificate validation fails because the certificate name does not match the hostname

Relevant log output

Impact

Functional Limitation – Some features not working as expected, but system usable.

Environment

• OS: Linux
• SDK: zephyr-sdk-0.16.5
• Zephyr version: both 3.7.1 and current main

Additional Context

No response

[rlubos]

Not verifying the certificate hostname is generally a security concern, even mbed TLS changed its orignal behavior and now enforces hostname verification by default (Mbed-TLS/mbedtls@9a9f0c7).

I'd rather say we should remove the misleading comment from the struct mqtt_sec_config. If the user wants to disable certificate validation, it can consciously do so by setting peer_verify setting to TLS_PEER_VERIFY_NONE.

[kevinior]

I agree, having the comment about being able to disable hostname verification just encourages people to use it.

Do you want me to create a PR with the misleading comment removed?

[rlubos]

I agree, having the comment about being able to disable hostname verification just encourages people to use it.

Do you want me to create a PR with the misleading comment removed?

Would be great if you could do that.