
Commit c0c33d5

authored
Merge pull request #362 from bj00rn/feat/add-check-hostname-option
Add option to skip hostname check when using custom certificate
2 parents 8f6b0d5 + 4832337 commit c0c33d5


4 files changed

+34
-11
lines changed


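--- a/README.md
+++ b/README.md
@@ -44,15 +44,16 @@ The following are the known available endpoints:
 
 ### MQTT Broker
 
-| CMD param           | ENV variable     | Description                                                                                                                                                                                          |
-|---------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| -m or --mqtt-uri    | MQTT_URI         | URI to the MQTT Server. TCP: tcp://mqtt.eclipseprojects.io:1883, WebSocket: ws://mqtt.eclipseprojects.io:9001 or TLS: tls://mqtt.eclipseprojects.io:8883 - Leave it empty to disable MQTT connection |
-| --mqtt-server-cert  | MQTT_SERVER_CERT | Path to the server certificate authority file in PEM format is required for TLS                                                                                                                      |
-| --mqtt-user         | MQTT_USER        | MQTT user name                                                                                                                                                                                       |
-| --mqtt-password     | MQTT_PASSWORD    | MQTT password                                                                                                                                                                                        |
-| --mqtt-client-id    | MQTT_CLIENT_ID   | MQTT Client Identifier. Defaults to saic-python-mqtt-gateway.                                                                                                                                        |
-| --mqtt-topic-prefix | MQTT_TOPIC       | Provide a custom MQTT prefix to replace the default: saic                                                                                                                                            |
-|                     | MQTT_LOG_LEVEL   | Log level of the MQTT Client: INFO (default), use DEBUG for detailed output, use CRITICAL for no output, [more info](https://docs.python.org/3/library/logging.html#levels)                           |
+| CMD param                         | ENV variable                    | Description                                                                                                                                                                                                                   |
+|-----------------------------------|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| -m or --mqtt-uri                  | MQTT_URI                        | URI to the MQTT Server. TCP: tcp://mqtt.eclipseprojects.io:1883, WebSocket: ws://mqtt.eclipseprojects.io:9001 or TLS: tls://mqtt.eclipseprojects.io:8883 - Leave it empty to disable MQTT connection                          |
+| --mqtt-server-cert                | MQTT_SERVER_CERT                | Path to the server certificate authority file in PEM format is required for TLS                                                                                                                                               |
+| --mqtt-server-cert-check-hostname | MQTT_SERVER_CERT_CHECK_HOSTNAME | Enable or disable TLS certificate hostname checking when using a custom certificate. Enabled (True) by default. Set to False when using a self-signed certificate without a matching hostname. This option might be insecure. |
+| --mqtt-user                       | MQTT_USER                       | MQTT user name                                                                                                                                                                                                                |
+| --mqtt-password                   | MQTT_PASSWORD                   | MQTT password                                                                                                                                                                                                                 |
+| --mqtt-client-id                  | MQTT_CLIENT_ID                  | MQTT Client Identifier. Defaults to saic-python-mqtt-gateway.                                                                                                                                                                 |
+| --mqtt-topic-prefix               | MQTT_TOPIC                      | Provide a custom MQTT prefix to replace the default: saic                                                                                                                                                                     |
+|                                   | MQTT_LOG_LEVEL                  | Log level of the MQTT Client: INFO (default), use DEBUG for detailed output, use CRITICAL for no output, [more info](https://docs.python.org/3/library/logging.html#levels)                                                    |
 
 ### Home Assistant Integration
 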
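--- a/src/configuration/__init__.py
+++ b/src/configuration/__init__.py
@@ -32,6 +32,7 @@ def __init__(self) -> None:
 self.mqtt_port: int = 1883
 self.mqtt_transport_protocol: TransportProtocol = TransportProtocol.TCP
 self.tls_server_cert_path: str | None = None
+self.tls_server_cert_check_hostname: bool = True
 self.mqtt_user: str | None = None
 self.mqtt_password: str | None = None
 self.mqtt_client_id: str = "saic-python-mqtt-gateway"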
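Review bot: tls_server_cert_check_hostname is added to Configuration without a comment even though it is the one knob in this class that weakens TLS verification when set to False. The publisher presumably consults it only after a custom CA file has been loaded (the check sits under the `if cert_uri:` branch there), so the attribute should say when it applies and what False gives up. I would add above the new line `# Only consulted when tls_server_cert_path is set; False disables TLS hostname verification against the custom CA.` __init__ starts before the hunk and continues after it.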
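--- a/src/configuration/parser.py
+++ b/src/configuration/parser.py
@@ -97,6 +97,9 @@ def __parse_mqtt_transport(args: Namespace, config: Configuration) -> None:
 config.mqtt_transport_protocol = TransportProtocol.TLS
 if args.tls_server_cert_path:
 config.tls_server_cert_path = args.tls_server_cert_path
+config.tls_server_cert_check_hostname = (
+args.tls_server_cert_check_hostname
+)
 else:
 msg = f"Invalid MQTT URI scheme: {parse_result.scheme}, use tcp or ws"
 raise SystemExit(msg)
@@ -156,7 +159,7 @@ def __setup_osmand(args: Namespace, config: Configuration) -> None:
 
 
 def __setup_parser() -> argparse.ArgumentParser:
-parser = argparse.ArgumentParser(prog="MQTT Gateway")
+parser = argparse.ArgumentParser(prog="MQTT Gateway", add_help=True)
 parser.add_argument(
 "-m",
 "--mqtt-uri",
@@ -462,6 +465,20 @@ def __setup_parser() -> argparse.ArgumentParser:
 default=False,
 type=check_bool,
 )
+parser.add_argument(
+"--mqtt-server-cert-check-hostname",
+help="Enable or disable TLS certificate hostname checking when using custom certificate."
+"Enabled (True) by default"
+"Set to (False) when using self-signed certificate without a matching hostname."
+"This option might be insecure."
+"Environment Variable: MQTT_SERVER_CERT_CHECK_HOSTNAME",
+dest="tls_server_cert_check_hostname",
+required=False,
+action=EnvDefault,
+envvar="MQTT_SERVER_CERT_CHECK_HOSTNAME",
+default=True,
+type=check_bool,
+)
 return parser
 
 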
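Review bot: The help= value for --mqtt-server-cert-check-hostname is assembled from adjacent string literals with no separators, so `--help` prints "…custom certificate.Enabled (True) by defaultSet to (False) when…" as one run-on sentence; each fragment needs a trailing space and the second one a period. The warning "This option might be insecure." should also state what is actually given up: with hostname checking off the broker must still present a certificate chaining to the file from --mqtt-server-cert (assuming verify_mode is left at its default), but any certificate that CA issued for any other host is accepted too, so whoever holds such a certificate can impersonate the broker. I would replace the two middle fragments with `"Enabled (True) by default. Set to False only for a self-signed certificate whose name does not match the broker host. "` and `"Disabling it accepts any certificate issued by the configured CA regardless of host name, so the broker can be impersonated by anyone holding such a certificate. "`. Note also that the first hunk stores the flag only when --mqtt-server-cert is given, so a value supplied without a custom certificate is silently ignored and a short warning in __parse_mqtt_transport would make that visible. __setup_parser continues outside the hunk.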
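--- a/src/publisher/mqtt_publisher.py
+++ b/src/publisher/mqtt_publisher.py
@@ -58,7 +58,11 @@ async def connect(self) -> None:
 if cert_uri:
 LOG.debug(f"Using custom CA file {cert_uri}")
 ssl_context.load_verify_locations(cafile=cert_uri)
-ssl_context.check_hostname = False
+if not self.configuration.tls_server_cert_check_hostname:
+LOG.warning(
+f"Skipping hostname check for TLS connection to {self.host}"
+)
+ssl_context.check_hostname = False
 else:
 ssl_context = None
 await self.client.connect(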
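Review bot: The warning emitted when tls_server_cert_check_hostname is False names the host but neither the consequence nor the setting that caused it, so an operator reading the log cannot tell whether this is deliberate or how to turn it back on. Gating the relaxation behind an explicit flag is the right default, but because the whole block sits under `if cert_uri:` the flag has no effect without --mqtt-server-cert, which is worth a sentence in the option's documentation. I would make the message self-explanatory: `f"TLS hostname verification disabled for {self.host} (MQTT_SERVER_CERT_CHECK_HOSTNAME=False): any certificate issued by the CA in {cert_uri} will be accepted"`. Whether the peer certificate itself is still required depends on how ssl_context is created above the hunk, which is outside this view; if it is not built with create_default_context() the CA check may be absent as well. connect starts before the hunk and continues after it.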