mosquitto-users team mailing list archive

Thread
Date

Re: Best practices for tls_set in Python

To: Roger Light <roger@xxxxxxxxxx>
From: "Jack O'Connor" <oconnor663@xxxxxxxxx>
Date: Fri, 21 Jun 2013 13:12:35 -0700
Cc: "mosquitto-users@xxxxxxxxxxxxxxxxxxx" <mosquitto-users@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAH7zdyfGcEAS6af+hQp88Nq9Xx7Vz+BkDyZ5+nrLYSUa+pu_=A@mail.gmail.com>

What I didn't realize all along is that there's a concatenated certs file
at */etc/ssl/certs/ca-certificates.crt* (at least on Arch and Ubuntu).
That's what I should've been using from the beginning. Thanks for your help.

-- Jack


On Wed, Jun 12, 2013 at 4:01 PM, Roger Light <roger@xxxxxxxxxx> wrote:

> Hi Jack,
>
> Thanks for the reminder that I'd not replied to this.
>
> You can of course use the certificates that come with your OS and as
> Alexander says they are located in /etc/ssl/certs. You can use the
> "capath" option rather than "cafile" to load them.
>
> Bear in mind that there may be no need for you to use an existing CA
> though. If you control your application at both ends, you can create
> your own certificates with your own CA certificate and key.
>
> Either way, it is common practice to use a intermediate CA as
> described in this bug report:
> https://bugs.launchpad.net/mosquitto/+bug/1189444 As you can see,
> support for this is something that needs fixing.
>
> Another approach is to use the TLS-PSK support, which provides
> encryption without the overhead of using certificates.
>
> Cheers,
>
> Roger
>

References

Best practices for tls_set in Python
From: Jack O'Connor, 2013-02-05
Re: Best practices for tls_set in Python
From: Roger Light, 2013-06-12