0
votes

I am creating a C++ MQTT client which uses the mosquitto libraries and mosquittopp.h :

https://github.com/iosphere/mosquitto/blob/master/lib/cpp/mosquittopp.h .

The MQTT broker I wish to connect to uses TLS 1.2 with only the server / broker certificate for the handshake (client certificate not required).

How would I verify the validity of the server certificate in the code?

I see the following functions relating to TLS in the mosquittopp.h file :

int tls_set(const char *cafile, const char *capath=NULL, const char *certfile=NULL, const char *keyfile=NULL, int (*pw_callback)(char *buf, int size, int rwflag, void *userdata)=NULL);
int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
int tls_insecure_set(bool value);
int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);

tls_set is looking for certificates already on the client it seems, but the certificate will only come from the server / broker? I'm a bit lost with this. Thanks in advance.

1 Answer

1
votes

The client needs a copy of the CA (Certificate Authority) certificate that was used to sign the certificate the broker sends when the connection is established.

The client does not need a copy of the broker's certificate unless you are using a self-signed certificate (because in this case the broker certificate will be the same as the CA certificate).

For any real internet-facing broker you should probably be using a publicly trusted CA, and they will supply the CA cert (actually, normally the CA certificate chain).