From 9d08d2ac3fc304657cd79a39158bb2814585f1f3 Mon Sep 17 00:00:00 2001
From: Bertrand Roussel
Date: Wed, 13 Nov 2024 06:15:29 -0800
Subject: [PATCH] Warn capath is not supported for websockets

libwebsockets doesn't provide an option to provide a `capath`, ie a directory that contains multiple certificates. ( https://github.com/warmcat/libwebsockets/issues/3276 )

To avoid confusion, explicitly state that it's not supported for websockets in the doc for mosquitto.conf, and add a warning if option is provided while `capath` is not provided.
---
 man/mosquitto.conf.5.xml | 1 +
 mosquitto.conf | 1 +
 src/websockets.c | 7 ++++++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index 90509fd4..898d48be 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -1326,6 +1326,7 @@ log_timestamp_format %Y-%m-%dT%H:%M:%S
 "openssl rehash <path to capath>" each time you add/remove a certificate.
+ is not supported for websockets.
diff --git a/mosquitto.conf b/mosquitto.conf
index 10b0406e..afaad5a2 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -359,6 +359,7 @@
 # containing the CA certificates. For capath to work correctly, the
 # certificate files must have ".crt" as the file ending and you must run
 # "openssl rehash " each time you add/remove a certificate.
+# capath is not supported for websockets.
 #cafile
 #capath
diff --git a/src/websockets.c b/src/websockets.c
index 4d91579a..aa1fccca 100644
--- a/src/websockets.c
+++ b/src/websockets.c
@@ -698,7 +698,12 @@ void mosq_websockets_init(struct mosquitto__listener *listener, const struct mos
 info.gid = -1;
 info.uid = -1;
 #ifdef WITH_TLS
- info.ssl_ca_filepath = listener->cafile;
+ if(listener->cafile){
+ info.ssl_ca_filepath = listener->cafile;
+ }
+ else if(listener->capath){
+ log__printf(NULL, MOSQ_LOG_WARNING, "Warning: CA path option is not supported for websockets");
+ }
 info.ssl_cert_filepath = listener->certfile;
 info.ssl_private_key_filepath = listener->keyfile;
 info.ssl_cipher_list = listener->ciphers;
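Review bot: The warning is skipped when both `cafile` and `capath` are configured, because the `capath` check is an `else if` on the `cafile` branch; in that configuration the websockets listener silently trusts only the single `cafile` while the operator reasonably expects the union of both stores, which is the case most likely to cause unexplained TLS verification failures. Making the check independent of `cafile` keeps the warning for every configuration in which `capath` is ignored: replace `else if(listener->capath){` with a separate `if(listener->capath){` after the `cafile` block. It would also help to say in the message that the option is ignored rather than merely unsupported, e.g. `"Warning: capath is not supported for websockets listeners and will be ignored"`. mosq_websockets_init begins before and continues after this hunk, so the surrounding TLS setup is not visible here.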