Guys,
I realized some stuff are now available in the dev branch. Unfortunately, I am not fully satisfied with it. Thus, decided to progress on this.
Please have a look to my proposal in my fork:
New SSL implementation
- You are now able to submit up to three Certificate Authorities to validate the mqtt broker certificate.
I made tests with Let's Encrypt and you may need to store three root Certificate Authorities to validate a server signed by them. Please see Chain of Trust - Let's Encrypt - You are now able to validate with the mqtt broker fingerprint if the previous point doesn't fit. it's easier, but less secure and less convenient. While root Certificate Authorities are updated rarely (some are valid more than 10 years), the fingerprint should be updated each time the mqtt broker certificate is updated. With Let's Encrypt it's every quarter.
- At last, if you don't have a root Certificate Authority nor the fingerprint, you are good to go with insecure connection. The mqtt broker certificate is not validated. This setup is automatic if previous two setups are not done.
- If required by the mqtt broker, you can setup a client certificate and key. This is not mandatory, only if required by the mqtt broker.
I'll perform some further tests, as my original development are done in 2.3.2, and if it works, will submit my changes to the development branch.
Thx and regards,
Eric.