Unable to connect to Mosquitto Broker when require_certificate is false

My understanding is if I have require_certificate false in my configuration then Mosquitto Broker will allow a client to connect even if it does not provide any certificate and key; to be more specific for the Python client even if I'm not calling

mq.tls_set(mqttCafile,  mqttCertfile, mqttKeyfile)

before calling

mq.connect(mqttBrokerURL, mqttBrokerPort, keepAliveTime)

But we are unable to connect with the broker without calling tls_set() function.

mosquitto.conf content:

port 8883

cafile ssl/all-ca.crt
certfile ssl/server.crt
keyfile ssl/server.key
require_certificate false

tls_version tlsv1

password_file /etc/mosquitto/passwd
allow_anonymous false

Sever Side Error:

1382529992: Config loaded from mosquitto.conf.
1382529992: Opening ipv4 listen socket on port 8883.
1382529992: Opening ipv6 listen socket on port 8883.
1382530058: New connection from 127.0.0.1 on port 8883.
1382530058: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1382530058: Socket read error on client (null), disconnecting.

Client Side Error:

[Errno 104] Connection reset by peer
Done: 7

It connects successfully when we pass certificates. My requirement is Broker should allow a connection for both the cases. Can this be achievable using require_certificate? If yes, could you please help me to figure out if I'm doing anything wrong here ?

I have tried with Mosquitto version 1.2, 1.2.1 & 1.2.2.


Solution 1:

You need to call tls_set() to enable TLS mode. If you don't do this, the client will attempt to connect without using TLS. You can call tls_set() without setting a client side certificate or key by setting those parameters to NULL in C or None in Python, but the CA certificate is always required, unless you are using TLS-PSK. In Python, the default if not specified is for the certificate and key file to be passed as None, so you can use for example:

mq.tls_set(mqttCafile)

If require_certificate is true, you need to pass a valid client certificate and key alongside your CA certificate otherwise the broker will reject your connection.

It isn't possible to have a single listener deal with clients that want to connect both with and without TLS, but you can create multiple listeners so one is listening on port 1883 without TLS and one on 8883 with TLS, for example.