support for CA_PATH and TLS client certificates

closes #184 closes #159
2026-05-09 02:56:38 +00:00 · 2017-03-13 17:33:20 +01:00
parent f9bc9979d9
commit 5a5e4f0708
3 changed files with 33 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -280,6 +280,9 @@ The following configuration settings may be applied (a `Y` in column `$` means a
 | `OTR_BROWSERAPIKEY`   |  Y    |               | Google maps browser API key
 | `OTR_TOPICS`          |       |               | String containing a space-separated list of topics to subscribe to for MQTT (overridden by command-line arguments)
 | `OTR_CAFILE`          |  Y    |               | Path to PEM-encoded CA certificate file for MQTT (implicitly enables TLS)
+| `OTR_CAPATH`          |       |               | Directory of c_rehashed PEM certificates
+| `OTR_CERTFILE`        |       |               | Path to PEM-encoded client certificate
+| `OTR_KEYFILE`         |       |               | Path to PEM-encoded client key


 Note that options passed to `ot-recorder` override both configuration file settings and environment variables.
--- a/recorder.c
+++ b/recorder.c
@@ -1208,6 +1208,9 @@ int main(int argc, char **argv)
 	udata.clientid		= NULL;
 	udata.topics		= NULL;
 	udata.cafile		= NULL;
+	udata.capath		= NULL;
+	udata.certfile		= NULL;
+	udata.keyfile		= NULL;
 #endif
 	udata.ignoreretained	= TRUE;
 	udata.skipdemo		= TRUE;
@@ -1280,6 +1283,24 @@ int main(int argc, char **argv)
 		ud->cafile = strdup(p);
 	}

+	if ((p = getenv("OTR_CAPATH")) != NULL) {
+		if (ud->capath)
+			free(ud->capath);
+		ud->capath = strdup(p);
+	}
+
+	if ((p = getenv("OTR_CERTFILE")) != NULL) {
+		if (ud->certfile)
+			free(ud->certfile);
+		ud->certfile = strdup(p);
+	}
+
+	if ((p = getenv("OTR_KEYFILE")) != NULL) {
+		if (ud->keyfile)
+			free(ud->keyfile);
+		ud->keyfile = strdup(p);
+	}
+
 #endif
 	if ((p = getenv("OTR_BROWSERAPIKEY")) != NULL) {
 		if (ud->browser_apikey)
@@ -1603,9 +1624,9 @@ int main(int argc, char **argv)

 			rc = mosquitto_tls_set(mosq,
 				ud->cafile,		/* cafile */
-				NULL,			/* capath */
-				NULL,			/* certfile */
-				NULL,			/* keyfile */
+				ud->capath,		/* capath */
+				ud->certfile,		/* certfile */
+				ud->keyfile,		/* keyfile */
 				NULL			/* pw_callback() */
 				);
 			if (rc != MOSQ_ERR_SUCCESS) {
@@ -1760,6 +1781,9 @@ int main(int argc, char **argv)
 	free(ud->hostname);
 	if (ud->clientid) free(ud->clientid);
 	if (ud->cafile) free(ud->cafile);
+	if (ud->capath) free(ud->capath);
+	if (ud->certfile) free(ud->certfile);
+	if (ud->keyfile) free(ud->keyfile);
 #endif

 	return (0);
--- a/udata.h
+++ b/udata.h
@@ -23,6 +23,9 @@ struct udata {
 	char *password;			/* MQTT password */
 	char *clientid;			/* MQTT clientid */
 	char *cafile;			/* path to CA PEM for MQTT */
+	char *capath;			/* CA path */
+	char *certfile;			/* certificate (client) */
+	char *keyfile;			/* client key */
 #endif
 	int skipdemo;			/* True if _demo users are to be skipped */
 	int revgeo;			/* True (default) if we should do reverse Geo lookups */