Merge branch 'ctrl-tls' of github.com:ckrey/mosquitto into ckrey-ctrl-tls

2025-05-09 01:01:11 +08:00 · 2025-02-25 19:52:50 +00:00 · 2025-02-25 19:52:50 +00:00 · 52de9182a0
commit 52de9182a0
parent cfe71470f2 b72df4538e
4 changed files with 39 additions and 9 deletions
--- a/apps/mosquitto_ctrl/client.c
+++ b/apps/mosquitto_ctrl/client.c
@ -127,7 +127,11 @@ int client_request_response(struct mosq_ctrl *ctrl)
 	int rc;
 	time_t start;

-	if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL){
+	if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL && !ctrl->cfg.tls_use_os_certs && ctrl->cfg.port != 8883 
+#  ifdef FINAL_WITH_TLS_PSK
+		&& !ctrl->cfg.psk
+#  endif
+	){
 		fprintf(stderr, "Warning: You are running mosquitto_ctrl without encryption.\nThis means all of the configuration changes you are making are visible on the network, including passwords.\n\n");
 	}

--- a/apps/mosquitto_ctrl/mosquitto_ctrl.h
+++ b/apps/mosquitto_ctrl/mosquitto_ctrl.h
@ -51,6 +51,7 @@ struct mosq_config {
 	char *tls_engine;
 	char *tls_engine_kpass_sha1;
 	char *keyform;
+	bool tls_use_os_certs;
 #  ifdef FINAL_WITH_TLS_PSK
 	char *psk;
 	char *psk_identity;
--- a/apps/mosquitto_ctrl/options.c
+++ b/apps/mosquitto_ctrl/options.c
@ -247,6 +247,7 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
 				} else if(!strncasecmp(url, "mqtts://", 8)) {
 					url += 8;
 					cfg->port = 8883;
+					cfg->tls_use_os_certs = true;
 				} else {
 					fprintf(stderr, "Error: unsupported URL scheme.\n\n");
 					return 1;
@ -388,6 +389,8 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
 			}
 			argv++;
 			(*argc)--;
+                }else if(!strcmp(argv[0], "--tls-use-os-certs")){
+                        cfg->tls_use_os_certs = true;
 		}else if(!strcmp(argv[0], "--tls-version")){
 			if((*argc) == 1){
 				fprintf(stderr, "Error: --tls-version argument given but no version specified.\n\n");
@ -609,7 +612,21 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 			mosquitto_lib_cleanup();
 			return 1;
 		}
+#  ifdef FINAL_WITH_TLS_PSK
+	}else if (cfg->psk){
+		if(mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
+			fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
+			mosquitto_lib_cleanup();
+			return 1;
 		}
+#  endif
+        }else if(cfg->port == 8883){
+                mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
+        }
+        if(cfg->tls_use_os_certs){
+                mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
+        }
+
 	if(cfg->insecure && mosquitto_tls_insecure_set(mosq, true)){
 		fprintf(stderr, "Error: Problem setting TLS insecure option.\n");
 		mosquitto_lib_cleanup();
@ -630,13 +647,6 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 		mosquitto_lib_cleanup();
 		return 1;
 	}
-#  ifdef FINAL_WITH_TLS_PSK
-	if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
-		fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
-		mosquitto_lib_cleanup();
-		return 1;
-	}
-#  endif
 	if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, 1, cfg->tls_version, cfg->ciphers)){
 		fprintf(stderr, "Error: Problem setting TLS options, check the options are valid.\n");
 		mosquitto_lib_cleanup();
--- a/man/mosquitto_ctrl.1.xml
+++ b/man/mosquitto_ctrl.1.xml
@ -65,6 +65,7 @@
 					<arg choice='plain'><option>--psk</option> <replaceable>hex-key</replaceable></arg>
 					<arg choice='plain'><option>--psk-identity</option> <replaceable>identity</replaceable></arg>
 					<arg><option>--ciphers</option> <replaceable>ciphers</replaceable></arg>
+					<arg><option>--tls-use-os-certs</option></arg>
 					<arg><option>--tls-version</option> <replaceable>version</replaceable></arg>
 				</arg>
 			</group>
@ -441,6 +442,20 @@
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
+			<varlistentry>
+				<term><option>--tls-use-os-certs</option></term>
+				<listitem>
+					<para>
+						If used, this will load and trust the OS provided CA
+						certificates. This can be used in conjunction with
+						<option>--cafile</option> and <option>--capath</option>
+						and can be used on its own to enable TLS mode. This
+						will be set by default if <option>-L mqtts://...</option>
+						is used, or if port is 8883 and no other certificate
+						options are used.
+					</para>
+				</listitem>
+			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>