in reply to Re: Self-signed certificates and Net::MQTT::Simple::SSL
in thread Self-signed certificates and Net::MQTT::Simple::SSL
Thanks! Using IO::Socket::SSL I was able to lift the fingerprint from the MQTT broker by adding the following segment.
    ...
    use IO::Socket::SSL;
    ...
    # Verification is switched off here only to read the certificate fingerprint.
    print IO::Socket::SSL->new(
        PeerHost        => "203.0.113.46:8883",
        SSL_verify_mode => 0,
    )->get_fingerprint, "\n";
    ...
Then I was able to modify the connection to include that information with SSL_fingerprint:
    ...
    my $mqtt = Net::MQTT::Simple::SSL->new("203.0.113.46:8883", {
        SSL_ca_file     => "$cpath/certificate-authority.crt",
        SSL_cert_file   => "$cpath/notifications-client.crt",
        SSL_key_file    => "$cpath/notifications-client.key",
        SSL_fingerprint => 'sha256$a...2',
    });
    ...
All set. It's kind of a manual intervention and implementation of Trust on First Use, since the fingerprint is probably the right one when fetched that way. Alternatively, I can use OpenSSL over on the system with the broker and thus get the fingerprint via the file system directly:
    openssl x509 -fingerprint -sha256 \
        -in /etc/mosquitto/certs/server.crt \
        | sed -n -e '/Fingerprint/ { s/ .*=/$/; s/://g; p; }'
So I guess there are two ways to get the checksum.
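
The trust-on-first-use idea described above, as an added example that is not part of the original post: it normalizes `openssl x509 -fingerprint` output to the `algo$hex` form, records it the first time a host is seen, and flags any later change. The function names, the pin-file layout and the sample digest are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): trust-on-first-use pinning of a
# broker certificate fingerprint. Function names and the pin-file layout
# ("host fingerprint" per line) are assumptions made for this illustration.

# Turn `openssl x509 -fingerprint -sha256` output into algo$hex form, lowercased
# so that fingerprints obtained from different sources compare equal as strings.
normalize_fp() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -n -e '/fingerprint=/ { s/ .*=/$/; s/://g; p; }'
}

# Accept only sha256$ followed by exactly 64 hex digits.
valid_fp() {
    printf '%s\n' "$1" | grep -Eq '^sha256\$[0-9a-f]{64}$'
}

# pin_check HOST FINGERPRINT PINFILE
# Prints "pinned" (first use), "match" or "MISMATCH"; returns 0, 0 or 1.
# Prints "invalid" and returns 2 for a malformed value, so garbage is never pinned.
pin_check() {
    host=$1 fp=$2 pinfile=$3
    valid_fp "$fp" || { echo "invalid"; return 2; }
    [ -f "$pinfile" ] || : > "$pinfile"
    known=$(awk -v h="$host" '$1 == h { print $2; exit }' "$pinfile")
    if [ -z "$known" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$pinfile"
        echo "pinned"
    elif [ "$known" = "$fp" ]; then
        echo "match"
    else
        echo "MISMATCH"; return 1
    fi
}

# Demo on a constructed value: 32 bytes of AB stand in for a real digest.
demo() {
    pins=$(mktemp)
    o8="AB:AB:AB:AB:AB:AB:AB:AB"
    demo_fp=$(normalize_fp "SHA256 Fingerprint=${o8}:${o8}:${o8}:${o8}")
    pin_check 203.0.113.46:8883 "$demo_fp" "$pins"   # first use: pinned
    pin_check 203.0.113.46:8883 "$demo_fp" "$pins"   # later run: match
    rm -f "$pins"
}
demo
```

A `MISMATCH` result means the broker now presents a different certificate than the one pinned, which should be confirmed against the certificate file on the broker before the pin is replaced.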