Is enable_server_cert_auth same as insecure?

Is enable_server_cert_auth same as --insecure?

let ssl_opt: SslOptions = SslOptionsBuilder::new()
        .ca_path("ca.crt")
        .map_err(|e| error!("Mqtt ssl fail: {}", e))
        .unwrap()
        .enable_server_cert_auth(false) // <-- here
        .finalize();

Is this equivalent to mosquitto_sub --insecure --cafile ca.crt -h mqtt.example.com -p 8883?

Thanks

--insecure disables checking if the hostname in the certificate matches. Based on the man page, it seems like it still checks if a valid certificate trusted by the given CA is used.

I don't know from which crate SslOptions originates, but the name enable_server_cert_auth seems to suggest it also disables verifying that the certificate is trusted by the given CA.

@bjorn3 Thanks

I created a self-signed certificate with openssl, and I put the host name there.
However, it still does not connect when it's enable_server_cert_auth(true), but when it's false everything is fine and working.

Please check the host with

to find what's wrong with the certificate it uses, and fix the HTTPS connection, instead of disabling security entirely.

Disabling anything about the verification is always insecure, and allows MITM attacks.

There's no difference between allowing a wrong hostname from a correct CA or allowing any invalid certificate. Valid CA-signed domain certificates can be obtained automatically for free by anybody, so the hostname check is the crucial thing required for security.

2 Likes
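To make the point above concrete, here is an added example (mine, not code from this thread or from the paho-mqtt crate). It models the two independent checks a TLS client makes on a server certificate, trust in the issuing CA and a match between the requested hostname and the names in the certificate, and shows which constructed certificates each relaxed setting lets through. The certificates are toy records rather than real X.509, the CA-signature check is a boolean flag because no real signature verification happens here, and the reading of `enable_server_cert_auth(false)` as "nothing checked" follows bjorn3's guess above.

```rust
// Added example (mine, not code from the thread or from the paho-mqtt crate):
// a toy model of the two independent checks a TLS client makes on a server
// certificate, showing what each relaxed setting lets through. Certificates
// are constructed records, not real X.509, and the CA-signature check is a
// boolean flag because no real signature verification happens here.

/// Toy certificate: the DNS names it is valid for (SAN dNSName entries) and
/// whether it chains to a CA in the client's trust store.
#[derive(Debug, Clone)]
pub struct ToyCert {
    pub dns_names: Vec<&'static str>,
    pub signed_by_trusted_ca: bool,
}

/// Which of the two checks the client performs.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct VerifyPolicy {
    pub check_ca: bool,
    pub check_hostname: bool,
}

/// Default: both checks on.
pub const STRICT: VerifyPolicy = VerifyPolicy { check_ca: true, check_hostname: true };
/// `mosquitto_sub --insecure`: CA check kept, hostname check off.
pub const INSECURE_FLAG: VerifyPolicy = VerifyPolicy { check_ca: true, check_hostname: false };
/// `enable_server_cert_auth(false)` as bjorn3 reads it: nothing checked (assumption).
pub const NO_SERVER_CERT_AUTH: VerifyPolicy = VerifyPolicy { check_ca: false, check_hostname: false };

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    UntrustedIssuer,
    HostnameMismatch,
}

/// RFC 6125-style matching of one presented name against the requested host:
/// case-insensitive; `*` is allowed only as the entire leftmost label, must
/// leave at least two labels after it, and matches exactly one host label.
pub fn name_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.to_ascii_lowercase();
    let host = host.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(tail) => {
            if tail.contains('*') || tail.split('.').count() < 2 {
                return false; // "*.com" or "*.*.example" are not acceptable patterns
            }
            match host.split_once('.') {
                Some((first, rest)) => !first.is_empty() && rest == tail,
                None => false,
            }
        }
        None => !pattern.contains('*') && pattern == host,
    }
}

/// Run the checks selected by `policy`; CA trust is checked before the name.
pub fn verify(cert: &ToyCert, host: &str, policy: VerifyPolicy) -> Result<(), VerifyError> {
    if policy.check_ca && !cert.signed_by_trusted_ca {
        return Err(VerifyError::UntrustedIssuer);
    }
    if policy.check_hostname && !cert.dns_names.iter().any(|n| name_matches(n, host)) {
        return Err(VerifyError::HostnameMismatch);
    }
    Ok(())
}

/// Constructed scenario for a client connecting to mqtt.example.com.
pub fn scenario() -> Vec<(&'static str, ToyCert)> {
    vec![
        // The broker's own certificate.
        ("broker", ToyCert { dns_names: vec!["mqtt.example.com"], signed_by_trusted_ca: true }),
        // A perfectly valid certificate for some other name, issued by the same
        // trusted CA; whoever controls that other name can obtain one for free.
        ("other-site", ToyCert { dns_names: vec!["*.attacker.example"], signed_by_trusted_ca: true }),
        // A self-signed certificate claiming the broker's name.
        ("self-signed", ToyCert { dns_names: vec!["mqtt.example.com"], signed_by_trusted_ca: false }),
    ]
}

/// Names of the scenario certificates a client with `policy` would accept.
pub fn accepted_by(policy: VerifyPolicy) -> Vec<&'static str> {
    scenario()
        .into_iter()
        .filter(|(_, cert)| verify(cert, "mqtt.example.com", policy).is_ok())
        .map(|(name, _)| name)
        .collect()
}

fn main() {
    for (label, policy) in [("strict", STRICT), ("--insecure", INSECURE_FLAG), ("server cert auth off", NO_SERVER_CERT_AUTH)] {
        println!("{label:<22} accepts {:?}", accepted_by(policy));
    }
}
```

With the hostname check off, the "other-site" certificate is accepted even though it was issued for a completely different name, which is exactly the case kornel describes: a legitimately issued certificate for some other domain is enough to sit in the middle. Turning off server certificate authentication entirely additionally admits the self-signed one.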

@kornel Thanks

That is absolutely correct.

The confusion is that this command is working:

mosquitto_sub -h mqtt.example.com -p 8883 -u user -P pass -t '#' --cafile ca.crt -d

While paho MQTT for Rust is not working:

let ssl_opt: SslOptions = SslOptionsBuilder::new()
        .ca_path("/path/to/ca.crt")
        .map_err(|e| error!("Mqtt ca.crt error: {}", e))
        .unwrap()
        .finalize();

Error
[-1] TCP/TLS connect failure

The docs say ca_path is a directory and it looks for .pem files there.

1 Like

@kornel Thanks a lot.

Changing from ca_path to trust_store resolved the issue.
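As an added example (mine, not code from this thread or from the paho-mqtt crate), here is a pre-flight check for the CA material before it reaches the TLS layer. It follows the thread's description of the two options: `trust_store` takes one file of CA certificates, while `ca_path` takes a directory in which `.pem` files are looked up. Pointing `ca_path` at a single file loads nothing and, in the report above, only surfaced as an opaque `[-1] TCP/TLS connect failure`; a check like this names the mistake instead. The PEM body it writes is a constructed placeholder, and the `as_directory` flag is this example's own way of saying which option the path is destined for.

```rust
// Added example (mine, not from the thread or the paho-mqtt crate): a pre-flight
// check on the CA material before it is handed to the TLS layer. It follows the
// thread's description of the two options: `trust_store` takes one file of CA
// certificates, `ca_path` takes a directory in which `.pem` files are looked up.
// The PEM body written by demo() is a constructed placeholder, not a real cert.
use std::fs;
use std::path::{Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum CaSource {
    /// One file holding `cert_count` PEM CERTIFICATE blocks (what trust_store wants).
    TrustStoreFile { path: PathBuf, cert_count: usize },
    /// A directory whose `.pem` files hold `cert_count` blocks in total (what ca_path wants).
    CaDirectory { path: PathBuf, pem_files: Vec<PathBuf>, cert_count: usize },
}

/// Count well-delimited `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`
/// blocks in PEM text; an END without a matching BEGIN is ignored.
pub fn count_pem_certs(text: &str) -> usize {
    let mut count = 0;
    let mut inside = false;
    for line in text.lines().map(str::trim) {
        if line == "-----BEGIN CERTIFICATE-----" {
            inside = true;
        } else if line == "-----END CERTIFICATE-----" && inside {
            inside = false;
            count += 1;
        }
    }
    count
}

/// Inspect `path` the way the chosen option will: `as_directory = true` mirrors
/// `ca_path`, `false` mirrors `trust_store` (hypothetical flag for this example).
pub fn check_ca_source(path: &Path, as_directory: bool) -> Result<CaSource, String> {
    if !as_directory {
        if !path.is_file() {
            return Err(format!("trust_store expects a file, but {} is not one", path.display()));
        }
        let text = fs::read_to_string(path).map_err(|e| format!("{}: {e}", path.display()))?;
        let cert_count = count_pem_certs(&text);
        if cert_count == 0 {
            return Err(format!("{} contains no CERTIFICATE block", path.display()));
        }
        return Ok(CaSource::TrustStoreFile { path: path.to_path_buf(), cert_count });
    }
    if !path.is_dir() {
        let what = if path.is_file() { "a file (pass a single file to trust_store instead)" } else { "missing" };
        return Err(format!("ca_path expects a directory, but {} is {what}", path.display()));
    }
    let mut entries: Vec<PathBuf> = fs::read_dir(path)
        .map_err(|e| format!("{}: {e}", path.display()))?
        .flatten()
        .map(|entry| entry.path())
        .filter(|p| p.extension().map_or(false, |ext| ext == "pem"))
        .collect();
    entries.sort();
    let mut pem_files = Vec::new();
    let mut cert_count = 0;
    for p in entries {
        let n = fs::read_to_string(&p).map(|t| count_pem_certs(&t)).unwrap_or(0);
        if n > 0 {
            cert_count += n;
            pem_files.push(p);
        }
    }
    if cert_count == 0 {
        return Err(format!("no .pem file with a CERTIFICATE block found in {}", path.display()));
    }
    Ok(CaSource::CaDirectory { path: path.to_path_buf(), pem_files, cert_count })
}

/// Scratch layout under the temp dir: `ca.crt` (the thread's file name) plus a
/// copy named `ca.pem`. Returns the results for three ways of pointing at it.
pub fn demo() -> [Result<CaSource, String>; 3] {
    let dir = std::env::temp_dir().join(format!("ca-preflight-{}", std::process::id()));
    fs::create_dir_all(&dir).expect("create scratch dir");
    // Constructed placeholder body: PEM framing only, not a real certificate.
    let pem = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n";
    fs::write(dir.join("ca.crt"), pem).expect("write ca.crt");
    fs::write(dir.join("ca.pem"), pem).expect("write ca.pem");
    let results = [
        check_ca_source(&dir.join("ca.crt"), true),  // ca_path("/path/to/ca.crt"): the thread's mistake
        check_ca_source(&dir.join("ca.crt"), false), // trust_store("/path/to/ca.crt"): the fix
        check_ca_source(&dir, true),                 // ca_path pointed at a directory of .pem files
    ];
    let _ = fs::remove_dir_all(&dir);
    results
}

fn main() {
    for r in demo() {
        match r {
            Ok(src) => println!("ok: {src:?}"),
            Err(e) => println!("error: {e}"),
        }
    }
}
```

The first call reproduces the misconfiguration from the report and fails with a message that says what to change; the second is the `trust_store` form that resolved it; the third shows `ca_path` used as intended. Note that `ca.crt` is skipped in the directory case because only `.pem` files are considered, which is one more reason a stray file name silently loads nothing.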
