When calling mosquitto_tls_opts_set() multiple time in a row
on the same mosquitto context (Example: trying to reconnect
to mqtt broker), some of the tls options are not free, resulting in a memory leak.
The TLS options (tls_version, tls_ciphers) must be free before being set.
Signed-off-by: Guillaume PELLEGRINO <guillaume.pellegrino@yahoo.com>
Fix reconnecting failing when MOSQ_OPT_TLS_USE_OS_CERTS was in use, but none
of capath, cafile, psk, nor MOSQ_OPT_SSL_CTX were set, and
MOSQ_OPT_SSL_CTX_WITH_DEFAULTS was set to the default value of true.
Closes#2288. Thanks to Poltorak Serguei.
- Add `MOSQ_OPT_TLS_USE_OS_CERTS` option, to instruct the client to load and trust OS provided CA certificates for use with TLS connections.
- All clients now load OS provided CA certificates if used with `-L
mqtts://...`, or if port is set to 8883 and no other CA certificates are
used. Closes#1824.
- Add the `--tls-use-os-certs` option to all clients.
Closes#1824. Thanks to Jens Reimann.
`mosquitto_string_option(mosq, MOSQ_OPT_TLS_KEYFORM, ...)` was incorrectly
returning `MOSQ_ERR_INVAL` with valid input. This has been fixed.
Closes#1360. Thanks to Michael Dombrowski.
In order to connect to brokers that support both websockets and
mqtt on the same port (such as Amazon IoT), we need to set an
application for the SSL context. This change allows the specification
of an application by using the `bridge_alpn` configuration token.
Signed-off-by: John Hickey <jjh-github@daedalian.us>
Some OpenSSL engines (selectable via tls_engine option) may require a
password to make use of private keys created with them in the first place.
The TPM engine for example, will require a password to access the underlying
TPM's Storage Root Key (SRK), which is the root key of a hierarchy of keys
associated with a TPM; it is generated within a TPM and is a non-migratable
key. Each owned TPM contains a SRK, generated by the TPM at the request
of the Owner. [1]
By default, the engine will prompt the user to introduce the SRK password
before any private keys created with the engine can be used. This could
be inconvenient when running on an unattended system.
Here's where the new tls_engine_kpass_sha option comes in handy. The user
can specify a SHA1 hash of its engine private key password via command
line or config file and it will be passed on to the engine directly.
This commit adds support for both clients (libmosquitto) and broker.
[1] https://goo.gl/qQoXBY
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
- Clients can now offload crypto tasks to an external crypto device through
the OpenSSL ENGINE API.
- The keyfiles can now be treated as PEM or ENGINE keys.
- Two new functions were added to libmosquitto to set up the previously
mentioned features.
- Both mosquitto_sub and mosquitto_pub include support to turn on the mentioned
features through command line options.
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>