Re: Self-signed certificates and Net::MQTT::Simple::SSL

You can try reusing the SSL_fingerprint option from IO::Socket::SSL , as the documentation says:

The object oriented interface does support explicit SSL configuration. See IO::Socket::SSL for a comprehensive overview of all the options that can be supplied to the constructor, new.

The option's documentation starts with

Sometimes you have a self-signed certificate or a certificate issued by an unknown CA and you really want to accept it, but don't want to disable verification at all.

which seems to be relevant.

map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]

Comment on Re: Self-signed certificates and Net::MQTT::Simple::SSL Select or Download Code

Replies are listed 'Best First'.
Re^2: Self-signed certificates and Net::MQTT::Simple::SSL by mldvx4 (Hermit) on Aug 20, 2024 at 16:51 UTC
Thanks! Using `IO::Socket::SSL` I was able to lift the fingerprint from the MQTT broker by adding the following segment. `... use IO::Socket::SSL; ... print IO::Socket::SSL->new( PeerHost => "203.0.113.46:8883", SSL_verify_mode => 0, )->get_fingerprint,"\n"; ...` [download] Then I was able to modify the connection to include that information with `SSL_fingerprint`: `... my $mqtt = Net::MQTT::Simple::SSL->new("203.0.113.46:8883", { SSL_ca_file => "$cpath/certificate-authority.crt", SSL_cert_file => "$cpath/notifications-client.crt", SSL_key_file => "$cpath/notifications-client.key", SSL_fingerprint => 'sha256$a...2',}); ...` [download] All set. It's kind of a manual intervention and implementation of Trust on First Use, since the fingerprint is probably the right one when fetched that way. Alternatively, I can use `OpenSSL` over on the system with the broker and thus get the fingerprint via the file system directly: `openssl x509 -fingerprint -sha256 \ -in /etc/mosquitto/certs/server.crt \ \| sed -n -e '/Fingerprint/ { s/ .*=/$/; s/://g; p; }'` [download] So I guess there are two ways to get the checksum.	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^2: Self-signed certificates and Net::MQTT::Simple::SSL
by mldvx4 (Hermit) on Aug 20, 2024 at 16:51 UTC

Thanks! Using IO::Socket::SSL I was able to lift the fingerprint from the MQTT broker by adding the following segment.

...
use IO::Socket::SSL;
...
print IO::Socket::SSL->new(
   PeerHost => "203.0.113.46:8883",
   SSL_verify_mode => 0,
)->get_fingerprint,"\n";
...
[download]

Then I was able to modify the connection to include that information with SSL_fingerprint:

...
my $mqtt = Net::MQTT::Simple::SSL->new("203.0.113.46:8883", {
   SSL_ca_file   => "$cpath/certificate-authority.crt",
   SSL_cert_file => "$cpath/notifications-client.crt",
   SSL_key_file  => "$cpath/notifications-client.key",
   SSL_fingerprint => 'sha256$a...2',});
...
[download]

All set. It's kind of a manual intervention and implementation of Trust on First Use, since the fingerprint is probably the right one when fetched that way. Alternatively, I can use OpenSSL over on the system with the broker and thus get the fingerprint via the file system directly:

openssl x509 -fingerprint -sha256 \
    -in /etc/mosquitto/certs/server.crt \
| sed -n -e '/Fingerprint/ { s/ .*=/$/; s/://g; p; }'
[download]

So I guess there are two ways to get the checksum.

[reply]
[d/l]
[select]