
mosquitto_ctrl changes automatically to TLS mode if you use port 8883 like mosquitto_* clients #2541

Signed-off-by: Christoph Krey <c@ckrey.de>
This commit is contained in:
Christoph Krey 2024-11-05 10:38:24 +01:00
parent ba2b98d4ab
commit d8133888f4
4 changed files with 35 additions and 9 deletions


@ -127,7 +127,7 @@ int client_request_response(struct mosq_ctrl *ctrl)
int rc; int rc;
time_t start; time_t start;
if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL){ if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL && !ctrl->cfg.tls_use_os_certs && ctrl->cfg.port != 8883 && !ctrl->cfg.psk){
fprintf(stderr, "Warning: You are running mosquitto_ctrl without encryption.\nThis means all of the configuration changes you are making are visible on the network, including passwords.\n\n"); fprintf(stderr, "Warning: You are running mosquitto_ctrl without encryption.\nThis means all of the configuration changes you are making are visible on the network, including passwords.\n\n");
} }
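Review bot: The new warning condition on the `if` line reads `ctrl->cfg.psk` unconditionally, but the struct change in this same commit declares `psk` inside `# ifdef FINAL_WITH_TLS_PSK`, so a build without TLS-PSK support would presumably fail to compile here unless the field is also provided for that configuration somewhere not visible in this hunk. The term should be guarded the same way the field is, for example by computing `bool psk_set = false;` and then `#ifdef FINAL_WITH_TLS_PSK` / `psk_set = ctrl->cfg.psk != NULL;` / `#endif` before the check and using `!psk_set` in the condition. Note also that `ctrl->cfg.port != 8883` silences the warning on the assumption that client_opts_set really enables TLS for that port, so the two places must be kept in step or the warning becomes misleading. client_request_response starts outside the hunk.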


@ -51,6 +51,7 @@ struct mosq_config {
char *tls_engine; char *tls_engine;
char *tls_engine_kpass_sha1; char *tls_engine_kpass_sha1;
char *keyform; char *keyform;
bool tls_use_os_certs;
# ifdef FINAL_WITH_TLS_PSK # ifdef FINAL_WITH_TLS_PSK
char *psk; char *psk;
char *psk_identity; char *psk_identity;


@ -247,6 +247,7 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
} else if(!strncasecmp(url, "mqtts://", 8)) { } else if(!strncasecmp(url, "mqtts://", 8)) {
url += 8; url += 8;
cfg->port = 8883; cfg->port = 8883;
cfg->tls_use_os_certs = true;
} else { } else {
fprintf(stderr, "Error: unsupported URL scheme.\n\n"); fprintf(stderr, "Error: unsupported URL scheme.\n\n");
return 1; return 1;
@ -388,6 +389,8 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
} }
argv++; argv++;
(*argc)--; (*argc)--;
}else if(!strcmp(argv[0], "--tls-use-os-certs")){
cfg->tls_use_os_certs = true;
}else if(!strcmp(argv[0], "--tls-version")){ }else if(!strcmp(argv[0], "--tls-version")){
if((*argc) == 1){ if((*argc) == 1){
fprintf(stderr, "Error: --tls-version argument given but no version specified.\n\n"); fprintf(stderr, "Error: --tls-version argument given but no version specified.\n\n");
@ -609,7 +612,21 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
mosquitto_lib_cleanup(); mosquitto_lib_cleanup();
return 1; return 1;
} }
} # ifdef FINAL_WITH_TLS_PSK
}else if (cfg->psk){
if(mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
mosquitto_lib_cleanup();
return 1;
}
# endif
}else if(cfg->port == 8883){
mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
}
if(cfg->tls_use_os_certs){
mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
}
if(cfg->insecure && mosquitto_tls_insecure_set(mosq, true)){ if(cfg->insecure && mosquitto_tls_insecure_set(mosq, true)){
fprintf(stderr, "Error: Problem setting TLS insecure option.\n"); fprintf(stderr, "Error: Problem setting TLS insecure option.\n");
mosquitto_lib_cleanup(); mosquitto_lib_cleanup();
@ -630,13 +647,6 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
mosquitto_lib_cleanup(); mosquitto_lib_cleanup();
return 1; return 1;
} }
# ifdef FINAL_WITH_TLS_PSK
if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
mosquitto_lib_cleanup();
return 1;
}
# endif
if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, 1, cfg->tls_version, cfg->ciphers)){ if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, 1, cfg->tls_version, cfg->ciphers)){
fprintf(stderr, "Error: Problem setting TLS options, check the options are valid.\n"); fprintf(stderr, "Error: Problem setting TLS options, check the options are valid.\n");
mosquitto_lib_cleanup(); mosquitto_lib_cleanup();
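Review bot: The two new `mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1)` calls in the client_opts_set hunk ignore the return value, while every neighbouring TLS setup call in the same function checks it, prints an error, calls mosquitto_lib_cleanup() and returns 1. If the option cannot be applied (for instance in a library built without TLS support, where this option would presumably report an error) the client silently continues, and because the first file in this commit now suppresses the plaintext warning for port 8883, the user would get neither TLS nor the warning. Both sites should follow the existing check-and-fail pattern, as sketched below; the port-8883 branch and the `if(cfg->tls_use_os_certs)` block could also be folded into a single check, since the mqtts:// path in client_config_line_proc sets both port and flag. client_opts_set starts outside the hunk.
```c
}else if(cfg->port == 8883){
	if(mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1)){
		fprintf(stderr, "Error: Problem setting TLS use OS certs option.\n");
		mosquitto_lib_cleanup();
		return 1;
	}
}
if(cfg->tls_use_os_certs){
	if(mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1)){
		fprintf(stderr, "Error: Problem setting TLS use OS certs option.\n");
		mosquitto_lib_cleanup();
		return 1;
	}
}
/* … unchanged: tls_insecure_set and the following option checks … */
```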


@ -65,6 +65,7 @@
<arg choice='plain'><option>--psk</option> <replaceable>hex-key</replaceable></arg> <arg choice='plain'><option>--psk</option> <replaceable>hex-key</replaceable></arg>
<arg choice='plain'><option>--psk-identity</option> <replaceable>identity</replaceable></arg> <arg choice='plain'><option>--psk-identity</option> <replaceable>identity</replaceable></arg>
<arg><option>--ciphers</option> <replaceable>ciphers</replaceable></arg> <arg><option>--ciphers</option> <replaceable>ciphers</replaceable></arg>
<arg><option>--tls-use-os-certs</option></arg>
<arg><option>--tls-version</option> <replaceable>version</replaceable></arg> <arg><option>--tls-version</option> <replaceable>version</replaceable></arg>
</arg> </arg>
</group> </group>
@ -441,6 +442,20 @@
<para>See also <option>--tls-engine</option>.</para> <para>See also <option>--tls-engine</option>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>--tls-use-os-certs</option></term>
<listitem>
<para>
If used, this will load and trust the OS provided CA
certificates. This can be used in conjunction with
<option>--cafile</option> and <option>--capath</option>
and can be used on its own to enable TLS mode. This
will be set by default if <option>-L mqtts://...</option>
is used, or if port is 8883 and no other certificate
options are used.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><option>--tls-version</option></term> <term><option>--tls-version</option></term>
<listitem> <listitem>