mosquitto_ctrl changes automatically to TLS mode if you use port 8883…

… like mosquitto_* clients #2541 Signed-off-by: Christoph Krey <c@ckrey.de>
eclipse-mosquitto · Nov 5, 2024 · d813388 · d813388
1 parent ba2b98d
commit d813388
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 9 deletions.
diff --git a/apps/mosquitto_ctrl/client.c b/apps/mosquitto_ctrl/client.c
@@ -127,7 +127,7 @@ int client_request_response(struct mosq_ctrl *ctrl)
 	int rc;
 	time_t start;
 
-	if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL){
+	if(ctrl->cfg.cafile == NULL && ctrl->cfg.capath == NULL && !ctrl->cfg.tls_use_os_certs && ctrl->cfg.port != 8883 && !ctrl->cfg.psk){
 		fprintf(stderr, "Warning: You are running mosquitto_ctrl without encryption.\nThis means all of the configuration changes you are making are visible on the network, including passwords.\n\n");
 	}
 

diff --git a/apps/mosquitto_ctrl/mosquitto_ctrl.h b/apps/mosquitto_ctrl/mosquitto_ctrl.h
@@ -51,6 +51,7 @@ struct mosq_config {
 	char *tls_engine;
 	char *tls_engine_kpass_sha1;
 	char *keyform;
+	bool tls_use_os_certs;
 #  ifdef FINAL_WITH_TLS_PSK
 	char *psk;
 	char *psk_identity;

diff --git a/apps/mosquitto_ctrl/options.c b/apps/mosquitto_ctrl/options.c
@@ -247,6 +247,7 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
 				} else if(!strncasecmp(url, "mqtts://", 8)) {
 					url += 8;
 					cfg->port = 8883;
+					cfg->tls_use_os_certs = true;
 				} else {
 					fprintf(stderr, "Error: unsupported URL scheme.\n\n");
 					return 1;
@@ -388,6 +389,8 @@ static int client_config_line_proc(struct mosq_config *cfg, int *argc, char **ar
 			}
 			argv++;
 			(*argc)--;
+                }else if(!strcmp(argv[0], "--tls-use-os-certs")){
+                        cfg->tls_use_os_certs = true;
 		}else if(!strcmp(argv[0], "--tls-version")){
 			if((*argc) == 1){
 				fprintf(stderr, "Error: --tls-version argument given but no version specified.\n\n");
@@ -609,7 +612,21 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 			mosquitto_lib_cleanup();
 			return 1;
 		}
-	}
+#  ifdef FINAL_WITH_TLS_PSK
+	}else if (cfg->psk){
+		if(mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
+			fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
+			mosquitto_lib_cleanup();
+			return 1;
+		}
+#  endif
+        }else if(cfg->port == 8883){
+                mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
+        }
+        if(cfg->tls_use_os_certs){
+                mosquitto_int_option(mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
+        }
+
 	if(cfg->insecure && mosquitto_tls_insecure_set(mosq, true)){
 		fprintf(stderr, "Error: Problem setting TLS insecure option.\n");
 		mosquitto_lib_cleanup();
@@ -630,13 +647,6 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 		mosquitto_lib_cleanup();
 		return 1;
 	}
-#  ifdef FINAL_WITH_TLS_PSK
-	if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
-		fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
-		mosquitto_lib_cleanup();
-		return 1;
-	}
-#  endif
 	if((cfg->tls_version || cfg->ciphers) && mosquitto_tls_opts_set(mosq, 1, cfg->tls_version, cfg->ciphers)){
 		fprintf(stderr, "Error: Problem setting TLS options, check the options are valid.\n");
 		mosquitto_lib_cleanup();

diff --git a/man/mosquitto_ctrl.1.xml b/man/mosquitto_ctrl.1.xml
@@ -65,6 +65,7 @@
 					<arg choice='plain'><option>--psk</option> <replaceable>hex-key</replaceable></arg>
 					<arg choice='plain'><option>--psk-identity</option> <replaceable>identity</replaceable></arg>
 					<arg><option>--ciphers</option> <replaceable>ciphers</replaceable></arg>
+                                        <arg><option>--tls-use-os-certs</option></arg>
 					<arg><option>--tls-version</option> <replaceable>version</replaceable></arg>
 				</arg>
 			</group>
@@ -441,6 +442,20 @@
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
+                        <varlistentry>
+                                <term><option>--tls-use-os-certs</option></term>
+                                <listitem>
+                    <para>
+                        If used, this will load and trust the OS provided CA
+                        certificates. This can be used in conjunction with
+                        <option>--cafile</option> and <option>--capath</option>
+                        and can be used on its own to enable TLS mode. This
+                                                will be set by default if <option>-L mqtts://...</option>
+                        is used, or if port is 8883 and no other certificate
+                        options are used.
+                                        </para>
+                                </listitem>
+                        </varlistentry>
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>