
Bridge connection to tls broker without bridge_capath or bridge_cafile

Open UtechtDustin opened this issue 2 years ago • 3 comments

I tried to connect a mosquitto broker as a bridge to another mosquitto broker with TLS activated. Now I saw this part in the documentation:

One of bridge_cafile or bridge_capath must be provided to allow SSL/TLS support.

So I have the question: why do I need that?! Why can't mosquitto check the system certificates (on Linux /etc/ssl/certs) if no option is set? Is this requirement really needed?

UtechtDustin avatar Mar 11 '22 13:03 UtechtDustin

It can use the system ca path, but it doesn't know where your system ca path is.

karlp avatar Mar 11 '22 15:03 karlp

The question is, why doesn't it know where the system CA path is? Each OS has one default path, so it could check that path, or am I wrong?

UtechtDustin avatar Mar 11 '22 15:03 UtechtDustin

This is a point of policy - the end user has to explicitly choose which certificate authorities to trust. This isn't the same situation as a web browser where you need to trust a large quantity of certificate authorities to be able to do anything useful. You are connecting to a single or very few addresses.

I've added an option so you can more easily use the default certs, but you still have to make that decision.

ralight avatar Mar 11 '22 23:03 ralight
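To make the trade-off discussed in this thread concrete, here is an added example of a bridge section in mosquitto.conf; it is not from the issue or from the mosquitto project, and the connection name, remote address, topic and file paths are placeholders. It shows the two documented ways to tell the bridge which CAs to trust (bridge_cafile and bridge_capath) and why an explicit, narrow choice is the safer default for a bridge that talks to one known broker.

```conf
# Added example, not part of the issue thread. All names and paths are placeholders.
connection remote-bridge
address broker.example.invalid:8883
topic sensors/# out 1

# Option A: trust exactly one CA (or chain) file. This is the usual choice for a
# bridge: the remote side is a single known broker, so only the CA that issued
# its certificate needs to be trusted.
bridge_cafile /etc/mosquitto/certs/remote-ca.crt

# Option B (use instead of A): trust a directory of CA certificates. The directory
# must be prepared with `openssl rehash` (or c_rehash) so OpenSSL can look
# certificates up by subject hash. Pointing this at the distribution bundle
# directory (e.g. /etc/ssl/certs) trusts every public CA shipped with the OS,
# which is far broader than a single bridge link needs.
#bridge_capath /etc/ssl/certs

# Option C: the option ralight mentions in the thread for using the system
# certificates. Its name is not given in the thread; it is assumed here to be
# bridge_tls_use_os_certs, available in later 2.0.x releases. Enabling it makes
# the same broad trust decision as Option B, just without naming the path.
#bridge_tls_use_os_certs true

# Keep hostname verification on. Setting this to true skips the check that the
# remote certificate matches the address above and defeats the CA configuration.
bridge_insecure false
```

With Option A, a certificate presented by the remote broker that chains to any CA other than remote-ca.crt is rejected, which is exactly the explicit trust decision the maintainers describe; with Options B or C, any certificate issued by a public CA for the configured hostname is accepted, so the decision to widen trust should be a deliberate one rather than the silent default.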