
TlsEnable = false is not enough to disable TLS

Open BobClaerhout opened this issue 4 years ago • 5 comments

Since https://github.com/eclipse/packages/commit/3f6f58873d18c71c35844a0c3167da17710b2745 you have one additional config change to make to disable TLS. Setting tlsEnabled to false in the AmqpMessagingNetworkSpec is not enough; you have to clear trustStorePath as well:

    amqpMessagingNetworkSpec:
      host: host
      port: 5672
      keyPath: /etc/hono/key.pem
      certPath: /etc/hono/cert.pem
      trustStorePath: 
      username: username
      password: password
      tlsEnabled: false

Otherwise, this line of code enables TLS again: https://github.com/eclipse/hono/blob/1bc3764acfeb667e9f41087660ea0b84741c53b4/core/src/main/java/org/eclipse/hono/config/AuthenticatingClientConfigProperties.java#L275 I think this is very counter-intuitive. The tlsEnabled flag is not documented at all, and neither is the fact that TLS is silently enabled again because the trustStorePath is still configured, while you might not even have that line there; it just exists because it defaults to that value.

BobClaerhout, Mar 12 '21 17:03

I see your point. However, I wonder what the purpose of the configuration from your example should be. FMPOV it doesn't make sense to configure (client) key material for the connection to the messaging network if you are not planning to use TLS, does it?

sophokles73, Mar 15 '21 08:03

No, you're right. I might still have too much configuration in there. But the other configuration parts do not result in silently enabling TLS again, so that's less of an issue. Because of the mentioned change, the trustStorePath has to be cleared, which is not something you do when you just want to set the tlsEnabled flag to false.

BobClaerhout, Mar 15 '21 08:03

Ok, so you want to use the flag to (temporarily) disable TLS, right?

BTW, the tlsEnabled configuration variable is described here.

sophokles73, Mar 15 '21 08:03

Yes, I think there is a difference between tlsEnabled not being set (and a truststore is configured) and tlsEnabled explicitly configured to false. Currently, both options result in the same outcome.

BobClaerhout, Mar 15 '21 09:03

This might already be fixed by defaulting to true and removing the check on trustStorePath?

BobClaerhout, Mar 15 '21 10:03
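The flag semantics the thread argues about, as an added example that is neither Hono's code nor the reporter's: a Python model of the AmqpMessagingNetworkSpec keys with `tlsEnabled` kept tri-state (unset / true / false). `tls_effective_current` is an assumption modelled on what the issue reports (a configured trust store re-enables TLS regardless of the flag), not a copy of `AuthenticatingClientConfigProperties`; `tls_effective_proposed` implements the resolution asked for in the last comments (an explicit value wins, inference from `trustStorePath` only when the flag is unset). `config_warnings` is the startup check a deployer would want so that neither a silently re-enabled TLS nor a silently plaintext connection goes unnoticed. The sample specs and the trust store path are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AmqpMessagingNetworkSpec:
    """Subset of the spec keys from the issue; None means the key was not set in the YAML."""
    host: str
    port: int
    key_path: Optional[str] = None
    cert_path: Optional[str] = None
    trust_store_path: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None
    tls_enabled: Optional[bool] = None  # tri-state: None = not configured


def _present(value: Optional[str]) -> bool:
    # An empty value (the `trustStorePath:` workaround from the issue) counts as cleared.
    return bool(value and value.strip())


def tls_effective_current(spec: AmqpMessagingNetworkSpec) -> bool:
    """Behaviour the issue reports: a configured trust store switches TLS back on
    regardless of tlsEnabled. Assumption: models the report, not Hono's actual code."""
    return bool(spec.tls_enabled) or _present(spec.trust_store_path)


def tls_effective_proposed(spec: AmqpMessagingNetworkSpec) -> bool:
    """Resolution asked for in the thread: an explicit tlsEnabled wins;
    only an unset flag is inferred from the presence of a trust store."""
    if spec.tls_enabled is not None:
        return spec.tls_enabled
    return _present(spec.trust_store_path)


def config_warnings(spec: AmqpMessagingNetworkSpec) -> List[str]:
    """Startup checks that surface both failure modes: TLS silently on
    (unexpected handshake failures) and TLS silently off (credentials in clear text)."""
    warnings: List[str] = []
    effective = tls_effective_proposed(spec)
    key_material = any(_present(p) for p in (spec.key_path, spec.cert_path, spec.trust_store_path))
    if spec.tls_enabled is None and effective:
        warnings.append("tlsEnabled not set; TLS enabled implicitly by trustStorePath")
    if not effective and key_material:
        warnings.append("tlsEnabled is false but key/cert/trust-store material is configured and will be ignored")
    if not effective and _present(spec.password):
        warnings.append("tlsEnabled is false and a password is configured; credentials would cross the network in clear text")
    return warnings


# Constructed sample configs mirroring the issue's YAML (trust store path is a placeholder).
REPORTED = AmqpMessagingNetworkSpec(
    host="host", port=5672,
    key_path="/etc/hono/key.pem", cert_path="/etc/hono/cert.pem",
    trust_store_path="/etc/hono/trustStore.pem",  # placeholder for the defaulted value
    username="username", password="password",
    tls_enabled=False,
)
WORKAROUND = AmqpMessagingNetworkSpec(
    host="host", port=5672,
    key_path="/etc/hono/key.pem", cert_path="/etc/hono/cert.pem",
    trust_store_path="",  # `trustStorePath:` left empty, as in the issue
    username="username", password="password",
    tls_enabled=False,
)
UNSET = AmqpMessagingNetworkSpec(
    host="host", port=5672,
    trust_store_path="/etc/hono/trustStore.pem",  # flag not set, trust store present
)

if __name__ == "__main__":
    for name, spec in (("reported", REPORTED), ("workaround", WORKAROUND), ("unset", UNSET)):
        print(f"{name:10} current={tls_effective_current(spec)!s:5} "
              f"proposed={tls_effective_proposed(spec)!s:5} warnings={config_warnings(spec)}")
```

Running it shows the mismatch the reporter hit: for `REPORTED`, the current model yields TLS on while the proposed model honours the explicit `false`; clearing `trustStorePath` (`WORKAROUND`) is what it takes to get the current model to agree. The warnings for both of those specs also make the point from sophokles73's reply visible at startup: key material and a password configured on a connection that will not use TLS.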