
Roger Light  committed ae81d8a

Parse ssl options for bridges.

  • Parent commits 24d2211
  • Branches 0.16


Files changed (5)

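--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
 				</listitem>
 			</varlistentry>
 		</variablelist>
+		<refsect2>
+			<title>SSL Support</title>
+			<para>The following options are available for all listeners to configure SSL support.</para>
+			<variablelist>
+				<varlistentry>
+					<term><option>bridge_cafile</option> <replaceable>file path</replaceable></term>
+					<listitem>
+						<para><option>cafile</option> must be provided to allow SSL
+							support.</para>
+						<para>cafile is used to define the path to a file
+							containing the PEM encoded CA certificates that
+							have signed the certificate for the remote broker.
+						</para>
+					</listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>bridge_certfile</option> <replaceable>file path</replaceable></term>
+					<listitem>
+						<para>Path to the PEM encoded client certificate for
+							this bridge, if required by the remote
+							broker.</para>
+					</listitem>
+				</varlistentry>
+				<varlistentry>
+					<term><option>keyfile</option> <replaceable>file path</replaceable></term>
+					<listitem>
+						<para>Path to the PEM encoded private key for this
+							bridge, if required by the remote broker.</para>
+					</listitem>
+				</varlistentry>
+			</variablelist>
+		</refsect2>
 	</refsect1>
 
 	<refsect1>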

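--- a/mosquitto.conf
+++ b/mosquitto.conf
 # username is also set.
 #password
 
+# -----------------------------------------------------------------
+# SSL/TLS support
+# -----------------------------------------------------------------
+# bridge_cafile must be defined to enable SSL support for this bridge.
+# bridge_cafile defines the path to a file containing the Certificate Authority
+# certificates that have signed the remote broker certificate.
+#bridge_cafile
+
+# Path to the PEM encoded client certificate, if required by the remote broker.
+#bridge_certfile
+
+# Path to the PEM encoded client private key, if required by the remote broker.
+#bridge_keyfile
+
+
 # =================================================================
 # External config files
 # =================================================================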

File src/bridge.c

 	new_context->username = new_context->bridge->username;
 	new_context->password = new_context->bridge->password;
 
+#ifdef WITH_SSL
+	new_context->ssl_cafile = new_context->bridge->ssl_cafile;
+	new_context->ssl_certfile = new_context->bridge->ssl_certfile;
+	new_context->ssl_keyfile = new_context->bridge->ssl_keyfile;
+#endif
+
 	bridge->try_private_accepted = true;
 
 	return mqtt3_bridge_connect(db, new_context);
 				}else if(!strcmp(token, "bind_address")){
 					if(reload) continue; // Listener not valid for reloading.
 					if(_conf_parse_string(&token, "default listener bind_address", &config->default_listener.host, saveptr)) return MOSQ_ERR_INVAL;
+				}else if(!strcmp(token, "bridge_cafile")){
+#ifdef WITH_BRIDGE
+					if(reload) continue; // FIXME
+					if(!cur_bridge){
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+					token = strtok_r(NULL, " ", &saveptr);
+					if(token){
+						if(cur_bridge->ssl_cafile){
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate bridge_cafile value in bridge configuration.");
+							return MOSQ_ERR_INVAL;
+						}
+						cur_bridge->ssl_cafile = _mosquitto_strdup(token);
+						if(!cur_bridge->ssl_cafile){
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory");
+							return MOSQ_ERR_NOMEM;
+						}
+					}else{
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty bridge_cafile value in configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+#else
+					_mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
+#endif
+				}else if(!strcmp(token, "bridge_certfile")){
+#ifdef WITH_BRIDGE
+					if(reload) continue; // FIXME
+					if(!cur_bridge){
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+					token = strtok_r(NULL, " ", &saveptr);
+					if(token){
+						if(cur_bridge->ssl_certfile){
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate bridge_certfile value in bridge configuration.");
+							return MOSQ_ERR_INVAL;
+						}
+						cur_bridge->ssl_certfile = _mosquitto_strdup(token);
+						if(!cur_bridge->ssl_certfile){
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory");
+							return MOSQ_ERR_NOMEM;
+						}
+					}else{
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty bridge_certfile value in configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+#else
+					_mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
+#endif
+				}else if(!strcmp(token, "bridge_keyfile")){
+#ifdef WITH_BRIDGE
+					if(reload) continue; // FIXME
+					if(!cur_bridge){
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+					token = strtok_r(NULL, " ", &saveptr);
+					if(token){
+						if(cur_bridge->ssl_keyfile){
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Duplicate bridge_keyfile value in bridge configuration.");
+							return MOSQ_ERR_INVAL;
+						}
+						cur_bridge->ssl_keyfile = _mosquitto_strdup(token);
+						if(!cur_bridge->ssl_keyfile){
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory");
+							return MOSQ_ERR_NOMEM;
+						}
+					}else{
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty bridge_keyfile value in configuration.");
+						return MOSQ_ERR_INVAL;
+					}
+#else
+					_mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
+#endif
 				}else if(!strcmp(token, "cafile")){
 #ifdef WITH_SSL
 					if(reload) continue; // Listeners not valid for reloading.
 						cur_bridge->idle_timeout = 60;
 						cur_bridge->threshold = 10;
 						cur_bridge->try_private = true;
+						cur_bridge->ssl_cafile = NULL;
+						cur_bridge->ssl_certfile = NULL;
+						cur_bridge->ssl_keyfile = NULL;
 					}else{
 						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Empty connection value in configuration.");
 						return MOSQ_ERR_INVAL;
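Review bot: The new `bridge_cafile`/`bridge_certfile`/`bridge_keyfile` parser branches are guarded only by `#ifdef WITH_BRIDGE`, and the three `cur_bridge->ssl_* = NULL` lines in the connection block are not guarded at all, yet the `ssl_cafile`/`ssl_certfile`/`ssl_keyfile` members are declared under `#ifdef WITH_SSL` in mosquitto_broker.h (and bridge.c copies them under `WITH_SSL`), so a build with bridges enabled and SSL disabled should fail to compile, assuming `cur_bridge` is that struct. The three branches should use `#if defined(WITH_BRIDGE) && defined(WITH_SSL)` with the `NULL` initialisation wrapped in its own `#ifdef WITH_SSL`, and on an SSL-less build setting any `bridge_*file` option ought to be an error rather than the `Warning: Bridge support not available.` log line, since a warning lets the bridge come up in plaintext when the operator asked for TLS. Nothing visible here checks that `bridge_certfile` and `bridge_keyfile` are supplied together or that the named files are readable, so a misconfigured bridge would presumably only surface when the connection is attempted; a check at the end of bridge parsing is worth adding if one does not exist elsewhere. `if(reload) continue; // FIXME` also means changes to these options are silently dropped on reload, which the log should at least say. The enclosing parser function and the connection-init block both start and end outside the hunks, and the second and third hunks appear to belong to the config parser rather than src/bridge.c despite the page's file header.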

File src/mosquitto_broker.h

 	int threshold;
 	bool try_private;
 	bool try_private_accepted;
+#ifdef WITH_SSL
+	char *ssl_cafile;
+	char *ssl_certfile;
+	char *ssl_keyfile;
+#endif
 };
 
 #include <net_mosq.h>