
mosquitto_ctrl claims the connection is not encrypted, does nothing

Open sezanzeb opened this issue 2 years ago • 6 comments

I'm pretty sure our server is properly running with encryption, because mqtt explorer will only connect with activated encryption.

However, we get this when using mosquitto_ctrl to interact with the dynsec plugin:

mosquitto_ctrl -h qux.foo.bar -p 8883 -u *** -P *** dynsec listClients -v
Warning: You are running mosquitto_ctrl without encryption.
This means all of the configuration changes you are making are visible on the network, including passwords

Which stops after 10 seconds of doing nothing without a result.

Locally everything worked and listClients printed our administrator user.

We also know that dynsec is running properly, because the credentials we put into the dynsec config file are the only way to connect in mqtt explorer.

Versions:

uname -r
5.15.32-1-MANJARO
mosquitto_ctrl | ack version
mosquitto_ctrl version 2.0.14 running on libmosquitto 2.0.14.

sezanzeb, May 19 '22 16:05

Downloading any cert via

openssl s_client -showcerts -connect foo:443 </dev/null > bar.cert

and then using it with

mosquitto_ctrl -h qux.foo.bar -p 8883 -u admin -P admin --cafile bar.cert dynsec listClients -v

makes the warning go away. The command doesn't seem to really check if the cert is matching. And it still exits after 10 seconds of doing nothing.

sezanzeb, May 19 '22 17:05

Hmm, unlike the mosquitto_*ub clients, mosquitto_ctrl doesn't automatically change to TLS mode if you use port 8883. I think that's a bug. I've not debugged your second command where it does use encrypted mode, I'll look at that later.

ralight, May 20 '22 14:05

Thanks a lot!

sezanzeb, May 20 '22 15:05

Hey, I am also facing this problem. I tried a bunch of incantations, like mosquitto_ctrl -L mqtts://foo:bar@baz:8883/ but it seems that mosquitto_ctrl cannot connect over TLS, even when not relying on the implicit switch to TLS when using port 8883.

NicolasLM, Oct 13 '22 13:10

Same here. Tried with -L mqtts://... and with spread params -u ... -p ... -P ....

I just get warning Warning: You are running mosquitto_ctrl without encryption. \nThis means all of the configuration changes you are making are visible on the network, including passwords. and then nothing.

Has anyone solved this? Or is the project not maintained any more?

tka85, Feb 11 '24 22:02

It works, if you connect by socket. But it still warns you about unencrypted traffic...

avandorp, Mar 09 '24 15:03
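
As an added example (not from any commenter and not mosquitto project code), a POSIX shell preflight built on what the thread reports: port 8883 or an `mqtts://` URL alone left `mosquitto_ctrl` 2.0.14 unencrypted, while `--cafile` turned TLS on. The helper names are hypothetical, `--capath` is assumed to count like `--cafile`, and the CA file is assumed to come from a trusted source.

```shell
#!/bin/sh
# Added example, not mosquitto code. ctrl_tls_verdict and broker_cert_ok are
# hypothetical helper names.

# Classify a mosquitto_ctrl argument list before running it. Rule taken from
# the reports in this thread (2.0.14): port 8883 or an mqtts:// URL did not
# turn on TLS, --cafile did. Assumption: --capath counts the same way.
# Prints a verdict; returns 0 only for "tls".
ctrl_tls_verdict() {
    ca=no hint=no
    while [ $# -gt 0 ]; do
        case "$1" in
            --cafile|--capath) [ $# -ge 2 ] && { ca=yes; shift; } ;;
            -p) [ $# -ge 2 ] && { [ "$2" = 8883 ] && hint=yes; shift; } ;;
            -L) if [ $# -ge 2 ]; then
                    case "$2" in mqtts://*) hint=yes ;; esac
                    shift
                fi ;;
            -h|-u|-P) [ $# -ge 2 ] && shift ;;   # skip the option's value
        esac
        shift
    done
    if [ "$ca" = yes ]; then echo tls; return 0; fi
    if [ "$hint" = yes ]; then echo plaintext-despite-tls-hint
    else echo plaintext
    fi
    return 1
}

# Independent check that host:port completes a TLS handshake with a
# certificate that chains to cafile and names host. A CA file saved from the
# very connection being tested only shows the server matches itself, so
# cafile should be obtained out of band.
broker_cert_ok() {
    host=$1 port=$2 cafile=$3
    [ -r "$cafile" ] || { echo "CA file not readable: $cafile" >&2; return 2; }
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error -verify_hostname "$host" \
        </dev/null >/dev/null 2>&1
}
```

`ctrl_tls_verdict` takes the same arguments you would give `mosquitto_ctrl`; `broker_cert_ok qux.foo.bar 8883 ca.pem` needs the `openssl` CLI and network access to the broker.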