Fix --insecure and bridge_insecure

Closes #3449. Thanks to Christoph Krey
2026-02-22 21:43:07 +01:00 · 2026-01-19 11:45:55 +00:00 · 2026-01-19 11:45:55 +00:00 · 79a13f6e10
commit 79a13f6e10
parent fd9ba300ba
6 changed files with 154 additions and 61 deletions
--- a/client/pub_client.c
+++ b/client/pub_client.c
@ -370,7 +370,7 @@ static int pub_other_loop(struct mosquitto *mosq)
 				err_printf(&cfg, "Error sending repeat publish: %s", mosquitto_strerror(rc));
 			}
 		}
-	}while(rc == MOSQ_ERR_SUCCESS);
+	}while(rc == MOSQ_ERR_SUCCESS && disconnect_sent == false);

 	if(status == STATUS_DISCONNECTED){
 		return MOSQ_ERR_SUCCESS;
--- a/lib/tls_mosq.c
+++ b/lib/tls_mosq.c
@ -58,7 +58,9 @@ int tls__set_verify_hostname(struct mosquitto *mosq, const char *hostname)
 	int ipv4_ok;
 	int rc;

-	if(mosq->tls_cafile == NULL && mosq->tls_capath == NULL && mosq->tls_use_os_certs == false){
+	if(mosq->tls_insecure == true
+			|| (mosq->tls_cafile == NULL && mosq->tls_capath == NULL && mosq->tls_use_os_certs == false)){
+
 		return MOSQ_ERR_SUCCESS;
 	}
 #ifndef WITH_BROKER
--- a/test/broker/08-ssl-bridge.py
+++ b/test/broker/08-ssl-bridge.py
@ -5,13 +5,13 @@ from mosq_test_helper import *
 source_dir = Path(__file__).resolve().parent
 ssl_dir = source_dir.parent / "ssl"

-def write_config(filename, port1, port2):
+def write_config(filename, address, port1, port2):
    with open(filename, 'w') as f:
-        f.write("listener %d\n" % (port2))
+        f.write(f"listener {port2}\n")
        f.write("allow_anonymous true\n")
        f.write("\n")
        f.write("connection bridge_test\n")
-        f.write("address 127.0.0.1:%d\n" % (port1))
+        f.write(f"address {address}:{port1}\n")
        f.write("topic bridge/# both 0\n")
        f.write("notifications false\n")
        f.write("restart_timeout 2\n")
@ -19,9 +19,10 @@ def write_config(filename, port1, port2):
        f.write(f"bridge_cafile {ssl_dir}/all-ca.crt\n")
        f.write("bridge_insecure true\n")

+def do_test(address):
    (port1, port2) = mosq_test.get_port(2)
    conf_file = os.path.basename(__file__).replace('.py', '.conf')
-write_config(conf_file, port1, port2)
+    write_config(conf_file, address, port1, port2)

    rc = 1
    client_id = socket.gethostname()+".bridge_test"
@ -81,8 +82,10 @@ finally:
            print("broker not terminated")
            if rc == 0: rc=1
        (stdo, stde) = broker.communicate()
+        ssock.close()
        if rc:
            print(stde.decode('utf-8'))
-    ssock.close()
-
            exit(rc)
+
+do_test("127.0.0.1")
+do_test("127.0.0.2") # tests non-matching certificate hostname with bridge_insecure
--- a/test/client/03-publish-tls.py
+++ b/test/client/03-publish-tls.py
@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+#
+
+from mosq_test_helper import *
+
+source_dir = Path(__file__).resolve().parent
+ssl_dir = source_dir.parent / "ssl"
+
+def do_test(address, insecure_option, expect_ssl_fail):
+    rc = 1
+
+    port = mosq_test.get_port()
+    port = 8883
+
+    env = {
+        'XDG_CONFIG_HOME':'/tmp/missing',
+        'SSLKEYLOGFILE':'/home/roger/keylog'
+    }
+    env = mosq_test.env_add_ld_library_path(env)
+    cmd = [f'{mosq_test.get_build_root()}/client/mosquitto_pub',
+            '--cafile', f"{ssl_dir}/all-ca.crt",
+            '-d',
+            '-h', address,
+            '-p', str(port),
+            '-t', '03/pub/tls/test',
+            '-m', 'message',
+            ]
+    if insecure_option is not None:
+        cmd.append(insecure_option)
+
+    connect_packet = mosq_test.gen_connect("", clean_session=True)
+    connack_packet = mosq_test.gen_connack(rc=0)
+    publish_packet = mosq_test.gen_publish("03/pub/tls/test", qos=0, payload="message")
+
+    broker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    broker.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=f"{ssl_dir}/all-ca.crt")
+    context.minimum_version = ssl.TLSVersion.TLSv1_2
+    context.load_cert_chain(certfile=f"{ssl_dir}/server-san.crt", keyfile=f"{ssl_dir}/server-san.key")
+    sbroker = context.wrap_socket(broker, server_side=True)
+    sbroker.settimeout(20)
+    sbroker.bind(('', port))
+    sbroker.listen(5)
+
+    try:
+        pub = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env)
+
+        (pub_sock, address) = sbroker.accept()
+        pub_sock.settimeout(5)
+
+        mosq_test.expect_packet(pub_sock, "connect", connect_packet)
+        pub_sock.send(connack_packet)
+        mosq_test.expect_packet(pub_sock, "publish", publish_packet)
+
+        if expect_ssl_fail:
+            raise mosq_test.TestError
+
+        pub_terminate_rc = 0
+        if mosq_test.wait_for_subprocess(pub):
+            print("pub not terminated")
+            pub_terminate_rc = 1
+        (stdo, stde) = pub.communicate()
+
+        rc = pub_terminate_rc
+        pub_sock.close()
+    except mosq_test.TestError:
+        pass
+    except ssl.SSLError as e:
+        if expect_ssl_fail and e.reason == "SSLV3_ALERT_BAD_CERTIFICATE":
+            rc = 0
+            pass
+        else:
+            raise mosq_test.TestError
+    except Exception as e:
+        print(e)
+    finally:
+        broker.close()
+        if rc:
+            print(stde.decode('utf-8'))
+            exit(rc)
+
+
+do_test("127.0.0.1", None, False)
+do_test("127.0.0.2", None, True)
+do_test("127.0.0.2", "--insecure", False)
--- a/test/client/Makefile
+++ b/test/client/Makefile
@ -62,6 +62,7 @@ endif
 	./03-publish-socks-no-auth.py
 	./03-publish-stdin-file.py
 	./03-publish-stdin-line.py
+	./03-publish-tls.py
 	./03-publish-url.py

 04 :
--- a/test/client/test.py
+++ b/test/client/test.py
@ -36,6 +36,7 @@ tests = [
    (2, './03-publish-qos1-ws-large.py'),
    (1, './03-publish-repeat.py'),
    (1, './03-publish-url.py'),
+    (1, './03-publish-tls.py'),

    (2, './03-publish-socks.py'),
    (2, './03-publish-socks-auth-failed.py'),