SSL with Tortoise lib not working

I’m trying to create a secure connection to an MQTT broker using Tortoise; however, I receive an error {:error, {:options, {:cert, '/Users/packardgoose/Desktop/host.cert'}}}. I’m not sure what I’m doing wrong; should the certificate be a .pem file? I should be able to use a directory for this argument according to some documentation I read.

Here’s the code

@cert '/Users/packardgoose/Desktop/host.cert'
@key '/Users/packardgoose/Desktop/host.key'

# state_tokens is assumed to be a keyword list holding the broker credentials.
{:ok, _pid} =
  Tortoise.Supervisor.start_child(
    client_id: "my_id",
    handler: {Tortoise.Handler.Logger, []},
    server:
      {Tortoise.Transport.SSL,
       [
         host: 'getahos.io',
         port: 8885,
         cacertfile: :certifi.cacertfile(),
         # The Erlang ssl cert/key options take DER-encoded binaries;
         # file paths belong in certfile/keyfile instead.
         key: @key,
         cert: @cert
       ]},
    keep_alive: 300000,
    user_name: Keyword.fetch!(state_tokens, :mqtt_token),
    password: Keyword.fetch!(state_tokens, :mqtt_token_pass)
  )

You can either pass in paths to PEM files using the certfile and keyfile options, or DER encoded binary values using the cert and key options.

1 Like
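The distinction drawn in the reply above, as an added example that is not from the thread or from Tortoise itself: one helper builds the ssl option list from PEM file paths (certfile/keyfile), the other decodes PEM text into the DER binaries that cert/key expect. The module name MqttTlsOpts and the calling paths are assumptions; the :public_key and :ssl calls are standard OTP.

```elixir
defmodule MqttTlsOpts do
  @moduledoc """
  Added example: the two ways the Erlang :ssl application accepts a client
  certificate and private key. Module name is hypothetical.
  """

  # Option A: hand :ssl the PEM file paths and let it read and decode them.
  # :ssl expects charlist paths, which is why the original post used single quotes.
  def from_pem_files(cert_path, key_path) do
    [
      certfile: to_charlist(cert_path),
      keyfile: to_charlist(key_path)
    ]
  end

  # Option B: decode the PEM yourself and pass DER binaries with cert:/key:.
  # Useful when the material comes from a secret store rather than from disk.
  def from_pem_binaries(cert_pem, key_pem) do
    # A certificate PEM may hold a chain; the leaf is the first Certificate entry.
    cert_der =
      case Enum.find(:public_key.pem_decode(cert_pem), &match?({:Certificate, _, _}, &1)) do
        {:Certificate, der, :not_encrypted} -> der
        nil -> raise ArgumentError, "no CERTIFICATE entry found in PEM"
      end

    # :ssl wants the key as {type, der}, e.g. {:RSAPrivateKey, der}.
    # Encrypted keys carry a cipher tuple instead of :not_encrypted; refuse them
    # here rather than silently hand :ssl something it cannot use.
    case :public_key.pem_decode(key_pem) do
      [{key_type, key_der, :not_encrypted}]
      when key_type in [:RSAPrivateKey, :ECPrivateKey, :DSAPrivateKey, :PrivateKeyInfo] ->
        [cert: cert_der, key: {key_type, key_der}]

      [{_type, _der, cipher_info}] when cipher_info != :not_encrypted ->
        raise ArgumentError, "encrypted private key; use keyfile: with password: instead"

      other ->
        raise ArgumentError, "unexpected PEM content: #{inspect(other)}"
    end
  end
end

# Usage with the file paths from the original post (paths are the poster's, not verified here):
# opts = MqttTlsOpts.from_pem_files("/Users/packardgoose/Desktop/host.cert",
#                                   "/Users/packardgoose/Desktop/host.key")
# opts = MqttTlsOpts.from_pem_binaries(File.read!(cert_path), File.read!(key_path))
```

Either list drops into the Tortoise.Transport.SSL option list in place of the key:/cert: entries that held file paths, since the transport hands its options on to the Erlang :ssl application.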

Thanks, can’t believe I missed that. Also, I had to add the verify: :verify_none option for the connection to work. Although my client is working now, any idea as to why it won’t work with the default verify value? Would it be an issue on my end or the server end?

I’d have to have a look at the error message you’re getting. But if I had to venture a guess, the server might have a wildcard certificate, which is unfortunately not handled very well by Erlang/OTP.

If that is indeed the case, then you have two options:

  1. If you’re on OTP 21, add customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)] to the SSL options

  2. If you’re on an older version, you could use the ssl_verify_fun package to handle the hostname verification

1 Like
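A configuration that keeps certificate verification on and applies option 1 from the reply above, as an added example that is not from the thread or from Tortoise: verify: :verify_none skips both chain validation and hostname matching, so any certificate an on-path attacker presents would be accepted, and the wildcard case is better solved with customize_hostname_check (OTP 21 or newer, as the reply says). The module name MqttTls.Hardened, the host, the paths and the credential keyword list are assumptions.

```elixir
defmodule MqttTls.Hardened do
  @moduledoc """
  Added example: Tortoise SSL transport options that verify the broker
  instead of disabling verification. Module name and host are hypothetical.
  """

  def ssl_opts(host, cert_path, key_path) do
    host_cl = to_charlist(host)

    [
      host: host_cl,
      port: 8885,
      # Never ship verify: :verify_none; it accepts any certificate at all.
      verify: :verify_peer,
      cacertfile: :certifi.cacertfile(),
      depth: 3,
      # Send SNI so a multi-tenant broker presents the right certificate.
      server_name_indication: host_cl,
      # OTP 21+: use the HTTPS matching rules, which understand wildcard
      # names such as *.example.com that the default check rejects.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ],
      # Client certificate and key as PEM file paths (charlists).
      certfile: to_charlist(cert_path),
      keyfile: to_charlist(key_path)
    ]
  end

  # Child options for Tortoise.Supervisor.start_child/1. MQTT keep-alive is
  # expressed in seconds, so 300 rather than 300000.
  def child_opts(host, cert_path, key_path, tokens) do
    [
      client_id: "my_id",
      handler: {Tortoise.Handler.Logger, []},
      server: {Tortoise.Transport.SSL, ssl_opts(host, cert_path, key_path)},
      keep_alive: 300,
      user_name: Keyword.fetch!(tokens, :mqtt_token),
      password: Keyword.fetch!(tokens, :mqtt_token_pass)
    ]
  end
end

# Usage (host and credentials are placeholders):
# tokens = [mqtt_token: "user", mqtt_token_pass: "secret"]
# {:ok, _pid} =
#   MqttTls.Hardened.child_opts("broker.example.com", "/path/host.cert", "/path/host.key", tokens)
#   |> Tortoise.Supervisor.start_child()
```

If the connection still fails with verify_peer after this change, the error reason from :ssl (for example {:bad_cert, :hostname_check_failed} or :unknown_ca) tells you whether the problem is the name on the certificate or a CA missing from the certifi bundle; only then is it worth touching the trust settings, and then by adding the right CA, not by disabling verification.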