
The --insecure option on the included clients is not working

Open · vatine opened this issue 10 months ago · 1 comment

Just a bit of a preface why we want/need the --insecure option, so it's clear why this is necessary. We need to run mosquitto in a Kubernetes container and we have, as a policy, that all containers should have a liveness check. For that purpose, we're using the "exec" type of liveness check and run mosquitto_sub to connect to "mqtts://127.0.0.1:2283/liveness_probe_subject" (we will not know the IP of the pod when we write the manifest and we do not want to check more than "Mosquitto responds").

The last version we know this worked on was 2.0.14 (it may have worked on later versions, I have not done the bisecting), and from some experimentation it seems to break somewhere in the "pre-verification" (the test setup uses a self-signed cert and CA, both expiring in 2027).

I have managed to get this to work in two ways, one is to move the preverify_ok check to after the code pulls the struct mosquitto *mosq out of the SSL context, then instead of returning 0, return mosq->tls_insecure.

The other is to remove the preverify_ok check and return 1 after the check (after all, insecure means "insecure", right?).

I am actually not sure if this has started failing due to a change in OpenSSL, or due to a change in the mosquitto codebase.

vatine avatar Mar 11 '25 08:03 vatine

I've done a check and it seems to work ok for me. I've got openssl 3.0.13 on ubuntu 24.04.

mosquitto.conf (the paths are to the test/ssl directory in the mosquitto source):

listener 8883
allow_anonymous true
certfile ../test/ssl/server.crt
keyfile ../test/ssl/server.key

Check 1, correct hostname for the cert connects successfully:

$ ./mosquitto_pub -p 8883 -t topic -d -m msg --cafile ../test/ssl/all-ca.crt -h localhost
Client null sending CONNECT
Client null received CONNACK (0)
Client null sending PUBLISH (d0, q0, r0, m1, 'topic', ... (3 bytes))
Client null sending DISCONNECT

Check 2, incorrect hostname gets a verification failure:

$ ./mosquitto_pub -p 8883 -t asdf -d -m asdf --cafile ../test/ssl/all-ca.crt -h 127.0.0.1
Client null sending CONNECT
Error: host name verification failed.
OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: Protocol error

Check 3, incorrect hostname and --insecure connects successfully:

$ ./mosquitto_pub -p 8883 -t asdf -d -m asdf --cafile ../test/ssl/all-ca.crt -h 127.0.0.1 --insecure
Client null sending CONNECT
Client null received CONNACK (0)
Client null sending PUBLISH (d0, q0, r0, m1, 'asdf', ... (4 bytes))
Client null sending DISCONNECT

So that all looks as I'd expect. My guess is that something else is up with your certificates, perhaps openssl is now stricter. Perhaps you could use the openssl tool to try and check what's happening? Something like openssl s_client -connect 127.0.0.1:2883 should show all of the errors.

I'm not opposed to changing --insecure to be more insecure, but not in a 2.0.x release.

ralight avatar May 01 '25 14:05 ralight
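The three checks in the reply above hinge on one distinction: --insecure in the mosquitto clients turns off verification of the server hostname against the certificate, but the certificate chain is still verified against --cafile. The script below is an added example (not mosquitto code and not from either participant) that replays those checks with Python's ssl module against a throwaway TLS listener standing in for the broker. It mints its own CA and a server certificate whose only SAN is DNSName "localhost" using the `cryptography` package (an assumed dependency), then adds a fourth check the thread does not show: a CA the server was not signed by, which still fails even with the hostname check disabled. The "CONNACK" bytes are a constructed stand-in, not MQTT.

```python
"""Replay mosquitto's --insecure semantics with Python's ssl module (added example)."""
import datetime, os, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def _cert(cn, sans, issuer=None, issuer_key=None):
    """Mint an EC key and an X.509 cert; a self-signed CA when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer.subject if issuer is not None else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None), critical=True))
    if sans:  # hostname verification matches against the SAN, not the CN
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return key, b.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())


def _pem(obj):
    if isinstance(obj, x509.Certificate):
        return obj.public_bytes(serialization.Encoding.PEM)
    return obj.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


class _Server(threading.Thread):
    """Minimal TLS listener standing in for the broker: handshake, then a constructed CONNACK."""

    def __init__(self, certfile, keyfile):
        super().__init__(daemon=True)
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(certfile, keyfile)  # leaf only, like certfile/keyfile in mosquitto.conf
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listener closed by stop()
            conn.settimeout(5)
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"CONNACK")
            except (ssl.SSLError, OSError):
                pass  # the client rejected our certificate; expected in checks 2 and 4
            finally:
                conn.close()

    def stop(self):
        self.sock.close()


def connect(port, cadata, server_hostname, insecure=False):
    """One client attempt; returns (ok, detail). insecure=True mirrors mosquitto --insecure:
    the chain is still checked against the CA, only the hostname/IP check is skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname=True by default
    ctx.load_verify_locations(cadata=cadata)       # the --cafile equivalent
    if insecure:
        ctx.check_hostname = False                 # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return True, tls.recv(16).decode()
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message


def run_checks():
    """Start the stand-in broker and replay the thread's checks plus a wrong-CA case."""
    ca_key, ca = _cert("test CA", None)
    srv_key, srv = _cert("server", ["localhost"], issuer=ca, issuer_key=ca_key)
    _, other_ca = _cert("unrelated CA", None)  # a CA that never signed the server cert
    with tempfile.TemporaryDirectory() as d:
        cf, kf = os.path.join(d, "server.crt"), os.path.join(d, "server.key")
        with open(cf, "wb") as f:
            f.write(_pem(srv))
        with open(kf, "wb") as f:
            f.write(_pem(srv_key))
        server = _Server(cf, kf)
        server.start()
        ca_pem, other_pem = _pem(ca).decode(), _pem(other_ca).decode()
        try:
            return {
                "1 correct hostname": connect(server.port, ca_pem, "localhost"),
                "2 wrong hostname": connect(server.port, ca_pem, "127.0.0.1"),
                "3 wrong hostname, --insecure": connect(server.port, ca_pem, "127.0.0.1", insecure=True),
                "4 wrong CA, --insecure": connect(server.port, other_pem, "127.0.0.1", insecure=True),
            }
        finally:
            server.stop()


if __name__ == "__main__":
    for name, (ok, detail) in run_checks().items():
        print(f"{name}: {'connected' if ok else 'verify failed'} ({detail})")
```

Check 3 is the liveness-probe situation from the opening post: connecting to 127.0.0.1 with a certificate issued for a DNS name only succeeds once the hostname check is off. Check 4 is the caveat: an --insecure-style client still refuses a certificate that does not chain to the configured CA, so if a probe fails even with --insecure, the CA file or the chain the broker presents is the first thing to inspect, which is what the openssl s_client suggestion above would surface.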