From 2b123af2c621869fa844d0443cb3853dac059d22 Mon Sep 17 00:00:00 2001
From: Scott Murray
Date: Wed, 5 Mar 2025 10:01:23 -0500
Subject: Improve TLS configuration

The existing TLS configuration using the mosquitto API is actually somewhat broken if a MQTT broker is using a certificate that is not self-signed. Rework TLS configuration to not always require a CA certificate when TLS is enabled, and to set the mosquitto option to use host OS CA certificates in that case.

Bug-AGL: SPEC-5385
Change-Id: Ia8dd231ab0be68a985763505a55d2798c6d81897
Signed-off-by: Scott Murray
---
 src/MqttClient.cpp | 44 +++++++++++++++++++++++++-------------------
 src/ProxyService.h | 6 +++---
 2 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/src/MqttClient.cpp b/src/MqttClient.cpp
index 38c8ec6..d620ff0 100644
--- a/src/MqttClient.cpp
+++ b/src/MqttClient.cpp
@@ -45,25 +45,31 @@ bool MqttClient::start()
         }
     }
 
-    if (m_config.useTls() && !m_config.caCertFile().empty()) {
-        std::cout << "Using MQTT TLS server certificate" << std::endl;
-        char *clientCertFile = NULL;
-        char *clientKeyFile = NULL;
-        if (!(m_config.clientCertFile().empty() || m_config.clientKeyFile().empty())) {
-            clientCertFile = strdup(m_config.clientCertFile().c_str());
-            clientKeyFile = strdup(m_config.clientKeyFile().c_str());
-            std::cout << "Using MQTT TLS client certificate" << std::endl;
-        }
-        if (mosquitto_tls_set(m_mosq,
-                              m_config.caCertFile().c_str(),
-                              NULL,
-                              clientCertFile,
-                              clientKeyFile,
-                              NULL) != MOSQ_ERR_SUCCESS) {
-            std::cerr << "Error configuring MQTT TLS support" << std::endl;
-            free(clientCertFile);
-            free(clientKeyFile);
-            return false;
+    if (m_config.useTls()) {
+        std::cout << "Using MQTT TLS" << std::endl;
+        if (!m_config.caCertFile().empty()) {
+            std::cout << "Using MQTT TLS server certificate" << std::endl;
+            char *clientCertFile = NULL;
+            char *clientKeyFile = NULL;
+            if (!(m_config.clientCertFile().empty() || m_config.clientKeyFile().empty())) {
+                clientCertFile = strdup(m_config.clientCertFile().c_str());
+                clientKeyFile = strdup(m_config.clientKeyFile().c_str());
+                std::cout << "Using MQTT TLS client certificate" << std::endl;
+            }
+            if (mosquitto_tls_set(m_mosq,
+                                  m_config.caCertFile().c_str(),
+                                  NULL,
+                                  clientCertFile,
+                                  clientKeyFile,
+                                  NULL) != MOSQ_ERR_SUCCESS) {
+                std::cerr << "Error configuring MQTT TLS support" << std::endl;
+                free(clientCertFile);
+                free(clientKeyFile);
+                return false;
+            }
+        } else {
+            // Use host's CA certificates
+            mosquitto_int_option(m_mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1);
         }
 
     if (!m_config.verifyServerHostname()) {
diff --git a/src/ProxyService.h b/src/ProxyService.h
index 8e2cf66..312e683 100644
--- a/src/ProxyService.h
+++ b/src/ProxyService.h
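Review bot: The new `else` branch discards the return value of `mosquitto_int_option(m_mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1)`, whereas the cafile branch just above it fails `start()` when `mosquitto_tls_set` fails; if the option is rejected (for example by a libmosquitto build that does not know it), no CA source is configured at all and, as far as I can tell, the client can go on to connect without TLS even though "Using MQTT TLS" was just logged. I'd make this branch fail closed the same way: `if (mosquitto_int_option(m_mosq, MOSQ_OPT_TLS_USE_OS_CERTS, 1) != MOSQ_ERR_SUCCESS) { std::cerr << "Error configuring MQTT TLS support" << std::endl; return false; }`. The `strdup` copies of the client certificate and key paths are freed only on the error path; unless they are released further down in the function, the success path leaks them, and holding the paths in `std::string` locals (passing `.c_str()` or `NULL` to `mosquitto_tls_set`) would remove the need for any `free` at all. `MqttClient::start()` continues past the end of the hunk, so the `verifyServerHostname()` handling that now applies to both branches is not visible here.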
@@ -43,11 +43,11 @@ private:
         const SubscribeRequest *request;
     };
 
-    GMainLoop *m_loop;
+    GMainLoop *m_loop = NULL;
     KuksaConfig m_kuksaConfig;
-    KuksaClient *m_kuksaClient;
+    KuksaClient *m_kuksaClient = NULL;
     MqttConfig m_mqttConfig;
-    MqttClient *m_mqttClient;
+    MqttClient *m_mqttClient = NULL;
     SignalUpdateHandlers m_signalUpdateHandlers;
 
     void HandleSignalChange(const std::string &path, const Datapoint &dp);
-- cgit
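Review bot: The three new in-class initializers spell the null pointer as `NULL`; in a C++ header `nullptr` is the idiomatic constant and is what clang-tidy's modernize checks will flag, e.g. `GMainLoop *m_loop = nullptr;`. If the project keeps `NULL` deliberately for consistency with the glib and mosquitto calls in the .cpp files, that is defensible, but the header is the natural place to start using `nullptr`.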