diff --git a/apps/mosquitto_ctrl/client.c b/apps/mosquitto_ctrl/client.c
index 4464ce16..37db14ff 100644
--- a/apps/mosquitto_ctrl/client.c
+++ b/apps/mosquitto_ctrl/client.c
@@ -127,7 +127,11 @@ int client_request_response(struct mosq_ctrl *ctrl)
int rc;
time_t start;
- if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL){
+ if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL && !ctrl->cfg.tls_use_os_certs && ctrl->cfg.port != 8883
+# ifdef FINAL_WITH_TLS_PSK
+ && !ctrl->cfg.psk
+# endif
+ ){
fprintf(stderr, "Warning: You are running mosquitto_ctrl without encryption.\nThis means all of the configuration changes you are making are visible on the network, including passwords.\n\n");
}
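Review bot: The extended condition on the `if` line silently duplicates the TLS-enabling rules that client_opts_set() applies in options.c (the `cfg->port == 8883` and `cfg->tls_use_os_certs` branches), with the literal 8883 now hard-coded in two files; if the two ever diverge, the tool either warns spuriously or, worse, suppresses the cleartext warning for a connection that is not actually encrypted. A comment tying them together would help, e.g. `/* Must mirror the conditions under which client_opts_set() enables TLS. */`, or better a single `static bool cfg_uses_tls(const struct mosq_config *cfg)` helper used by both call sites so the decision lives in one place. The `port != 8883` test presumably treats the default MQTT-over-TLS port as implying TLS; that only holds because options.c enables OS certs for that port, so the coupling should at least be documented. The body of client_request_response() starts and ends outside the hunk.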
diff --git a/apps/mosquitto_ctrl/mosquitto_ctrl.h b/apps/mosquitto_ctrl/mosquitto_ctrl.h
index fce2a78d..e9c74d16 100644
--- a/apps/mosquitto_ctrl/mosquitto_ctrl.h
+++ b/apps/mosquitto_ctrl/mosquitto_ctrl.h
@@ -51,6 +51,7 @@ struct mosq_config {
char *tls_engine;
char *tls_engine_kpass_sha1;
char *keyform;
+ bool tls_use_os_certs;
# ifdef FINAL_WITH_TLS_PSK
char *psk;
char *psk_identity;
diff --git a/apps/mosquitto_ctrl/options.c b/apps/mosquitto_ctrl/options.c
index ff32eafb..d4068733 100644
--- a/apps/mosquitto_ctrl/options.c
+++ b/apps/mosquitto_ctrl/options.c
@@ -247,6 +247,7 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
} else if(!strncasecmp(url, "mqtts://", 8)) {
url += 8;
cfg->port = 8883;
+ cfg->tls_use_os_certs = true;
} else {
fprintf(stderr, "Error: unsupported URL scheme.\n\n");
return 1;
@@ -388,6 +389,8 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
}
argv++;
(*argc)--;
+ }else if(!strcmp(argv[0], "--tls-use-os-certs")){
+ cfg->tls_use_os_certs = true;
}else if(!strcmp(argv[0], "--tls-version")){
if((*argc) == 1){
fprintf(stderr, "Error: --tls-version argument given but no version specified.\n\n");
@@ -609,7 +612,21 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
mosquitto_lib_cleanup();
return 1;
}
- }
+# ifdef FINAL_WITH_TLS_PSK
+ }else if (cfg->psk){
+ if(mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
+ fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
+ mosquitto_lib_cleanup();
+ return 1;
+ }
+# endif
+ }else if(cfg->port == 8883){
+ mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
+ }
+ if(cfg->tls_use_os_certs){
+ mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
+ }
+
if(cfg->insecure && mosquitto_tls_insecure_set(mosq, true)){
fprintf(stderr, "Error: Problem setting TLS insecure option.\n");
mosquitto_lib_cleanup();
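Review bot: The two new `mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1)` calls ignore the return value, while every sibling TLS setter in this function (the cafile, PSK and insecure branches) checks it and fails with an error. If the option cannot be applied (for example a library build where this option is not supported), the client carries on to connect without TLS, and because client.c now suppresses the cleartext warning for port 8883 and for `tls_use_os_certs`, it does so silently, which is exactly the failure mode the warning exists to catch. The `port == 8883` branch and the following `if(cfg->tls_use_os_certs)` also overlap when `mqtts://` is used (options.c sets both), so the option is set twice; folding the port case into the flag and checking the single call is simpler and fails closed. client_opts_set() begins and ends outside the hunk.
```c
	}else if(cfg->port == 8883){
		/* Default MQTT-over-TLS port: fall back to the OS trust store. */
		cfg->tls_use_os_certs = true;
	}
	if(cfg->tls_use_os_certs && mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1)){
		fprintf(stderr, "Error: Problem setting TLS OS certificate option.\n");
		mosquitto_lib_cleanup();
		return 1;
	}
	/* … unchanged: insecure, tls_version/ciphers handling … */
```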
@@ -630,13 +647,6 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
mosquitto_lib_cleanup();
return 1;
}
-# ifdef FINAL_WITH_TLS_PSK
- if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
- fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
- mosquitto_lib_cleanup();
- return 1;
- }
-# endif
if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, 1, cfg->tls_version, cfg->ciphers)){
fprintf(stderr, "Error: Problem setting TLS options, check the options are valid.\n");
mosquitto_lib_cleanup();
diff --git a/man/mosquitto_ctrl.1.xml b/man/mosquitto_ctrl.1.xml
index a96d8143..4a7c6024 100644
--- a/man/mosquitto_ctrl.1.xml
+++ b/man/mosquitto_ctrl.1.xml
@@ -65,6 +65,7 @@
hex-key
identity
ciphers
+
version
@@ -441,6 +442,20 @@
See also .
+
+
+
+
+ If used, this will load and trust the OS provided CA
+ certificates. This can be used in conjunction with
+ and
+ and can be used on its own to enable TLS mode. This
+ will be set by default if
+ is used, or if port is 8883 and no other certificate
+ options are used.
+
+
+