I just found out that a CAfile is required to start TLS listener. That does not really make sense.
CAfile/CApath is needed when we have clients authorising with certs or have a bridge TLS connection, but not just to start a TLS listener. I would kindly propose that this is changed so that a TLS server can be enabled without a set of CA certificates that is not normally used to set up a TLS server only.
I'm sure you'll agree that all certificate based servers need a CA certificate (or are self signed, in which case they are their own CA certificate). cafile and capath are simply the means of configuring the CA files for your server. It is a deliberate decision to not include the entirety of CA certificates on the system in the configuration, it is up to the user to decide what is appropriate.
No, I do not agree. In order to be a TLS SERVER, all you need is the server cert and the private key. The clients will have to have the CA cert to verify your server's certificate. This is the configuration that can't be done today.
If you require client certificates, that's another story and you then need a CA cert to verify the clients. That's pretty unusual, but a good use case.
If you are a client with outbound connections you need the CA cert to be able to verify, but then you do not need your own cert (unless the server requests client certs).
I agree with the OP @oej .
A broker listener that want's to identify itself with a TLS certificate, plus encrypt the data flow with the same certificate, doesn't logically need to know what Certificate Authority certifies the authenticity of it's own TLS certificate.
OTOH, a client connecting to the broker and wanting to verify that the broker is "who it says it is" will need access to at least one trusted Certificate Authority certificate authenticating the broker.
Of course, should the broker require the client(s) to identify with TLS certificate(s), then (and only then) the broker will need access to a Certificate Authority TLS certificate that authenticates the client's TLS certificate(s).
As a conclusion: If the Broker is configured to authenticate itself without requiring the client(s) to do the same, then the Broker should not need access to any CA certificate.
Could this Issue #517 please become approved (or in worst case, denied) so that we could know what to expect for this feature in a future release?
Regards
I also think that a CA cert should not be required.
Changing this now would be a breaking change, so it could be considered for a 2.0 release, but not before.
@ralight Why breaking? Configurations specifying CAfile would still work as before.
This is definitely an issue. I'm now in situation (certificate generated by AWS) when I do not have the CA certificate. I have had a hard time to find that missing cafile or capathis responsible for connection errors because error message was not even mentioning it.
Most helpful comment
No, I do not agree. In order to be a TLS SERVER, all you need is the server cert and the private key. The clients will have to have the CA cert to verify your server's certificate. This is the configuration that can't be done today.
If you require client certificates, that's another story and you then need a CA cert to verify the clients. That's pretty unusual, but a good use case.
If you are a client with outbound connections you need the CA cert to be able to verify, but then you do not need your own cert (unless the server requests client certs).