Hi Duncan,

Thanks for the detailed email.

First off, I can say that this should work. The broker and client library tests for SSL use a root->intermediate->server/client chain for signing. I suppose that's a good place to start - if you download the 1.2 tarball and run "make test" in the extracted directory, does it segfault? The tests don't use mosquitto_pub/sub themselves so don't exactly match your case, but it's a good start.

> Firstly, there is an error in the mosquitto.conf manpage. The c_rehash
> only functions if the CA certs are .pem not .crt files.

Thanks, I've fixed that.

> Error #2 - intermediary CA certificate supplied:
> [tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
> server1.stokesnz.net -p 8883 -t test/msg/2 -m "Splat 14 q2" -d -r -q 2
> --tls-version tlsv1.2 --cafile PositiveSSLCA2.crt
> Client mosq_pub_dunc sending CONNECT
> OpenSSL Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Error: Protocol error

This is also anticipated; you should pass (and should only need to pass) the root CA certificate. The server should provide the other certificates in the chain.

> Error #3 - primary CA certificate supplied (or a file with both
> intermediary and primary CA certs present):
> [tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
> server1.stokesnz.net -p 8883 -t test/msg/2 -m "Test to 8883 q2 #1" -d -r
> -q 2 --tls-version tlsv1.2 --cafile AddTrustExternalCARoot.crt
> Client mosq_pub_dunc sending CONNECT
> Segmentation fault (core dumped)

This is bad, obviously. I'll try and reproduce this myself on Fedora, but it might be a few days because I've got a work deadline on Monday and am working all hours.

> Thoughts!? Whilst I'm happy enough to use self-signed SSL certificates
> I thought it wise to air this issue as CA certificate chains are
> becoming more and more prevalent.

Agreed, it should definitely work with chains. It definitely shouldn't segfault, either way!

Cheers,

Roger
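
The trust-anchor behaviour discussed in the message above, as an added example that is not part of the original email or of the mosquitto test suite: it builds a throwaway root -> intermediate -> server chain and checks it with `openssl verify`. The file names, subject names and the `make_chain` / `check_chain` helpers are hypothetical; `-CAfile` stands in for `--cafile`, and `-untrusted` stands in for the intermediate a server sends during the handshake.

```shell
#!/bin/sh
# Constructed demo chain: root -> inter -> server, written into DIR.
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$n.key" \
            -out "$dir/$n.csr" -subj "/CN=demo-$n" >/dev/null 2>&1 || return 1
    done
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -days 2 -out "$dir/root.crt" >/dev/null 2>&1 || return 1
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 2 -out "$dir/inter.crt" \
        >/dev/null 2>&1 || return 1
    # Server certificate signed by the intermediate.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -out "$dir/server.crt" >/dev/null 2>&1 || return 1
}

# check_chain DIR ANCHOR [SENT]: ANCHOR is the only trusted file; SENT is an
# untrusted certificate offered alongside the server certificate.
check_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/server.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/$2" "$1/server.crt" >/dev/null 2>&1
    fi && echo OK || echo FAIL
}

d=$(mktemp -d) && make_chain "$d" || exit 1
# Intermediate as the only anchor: OpenSSL does not accept a partial chain
# by default, so verification stops short of a self-signed root.
echo "anchor=intermediate only:               $(check_chain "$d" inter.crt)"           # FAIL
# Root as anchor, but nobody supplies the intermediate: chain cannot be built.
echo "anchor=root, intermediate not supplied: $(check_chain "$d" root.crt)"            # FAIL
# Root as anchor, intermediate supplied untrusted: the case that should work.
echo "anchor=root, intermediate supplied:     $(check_chain "$d" root.crt inter.crt)"  # OK
rm -rf "$d"
```
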