Clarification on ignoreSSLIssues for MQTT

@gopher.ny any chance you can clarify on what exactly ignoreSSLIssues does for MQTT?

Here's the situation. I connect to ssl://common.iot.aic.lgthinq.com:8883 and I get:

MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So I do an nslookup on common.iot.aic.lgthinq.com

nslookup common.iot.aic.lgthinq.com
Server:  setup.ui.com
Address:  192.168.1.1

Non-authoritative answer:
Name:    a3phael99lf879-ats.iot.us-west-2.amazonaws.com

OK, so it's just a CNAME for a3phael99lf879-ats.iot.us-west-2.amazonaws.com, so I update my code to use ssl://a3phael99lf879-ats.iot.us-west-2.amazonaws.com:8883 and it succeeds. So I'm hitting the same server; the difference is just the name. My guess is that you're getting an error saying the CN on the cert doesn't match (because the cert is issued to a3phael99lf879-ats.iot.us-west-2.amazonaws.com, not common.iot.aic.lgthinq.com), but I have my MQTT connection established like this:

    interfaces.mqtt.connect(mqtt.server,          // broker URL, e.g. ssl://host:8883
                            mqtt.clientId,
                            null,                 // username (not used here)
                            null,                 // password (not used here)
                            tlsVersion: "1.2",
                            privateKey: mqtt.privateKey,
                            caCertificate: mqtt.caCertificate,
                            clientCertificate: mqtt.certificate,
                            ignoreSSLIssues: true)

So I'd expect ignoreSSLIssues to take care of this, but it doesn't. I can hardcode that URL so it works, but that kind of stinks (it's fragile if they ever change it). Unfortunately HE doesn't have any DNS APIs, so I can't resolve the CNAME -> A -> PTR to find the real hostname either. So any thoughts on this? I'm confused why it doesn't work when I have ignoreSSLIssues = true. Can you clarify what kinds of SSL issues it's actually ignoring?

Unfortunately this change by LG broke my ThinQ integration :frowning:

Can you PM me a small piece of code that results in this exception being thrown?
Unlike other interfaces, the current implementation of MQTT doesn't set/disable the host name verifier.
It should be a straightforward change; it's just that I don't have an endpoint to test it against.
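An added example (my own code, not the poster's or Hubitat's) of the host name check that sits on top of certificate chain validation: the name a client verifies is the host from the connection URL, so a certificate that names only the CNAME target never satisfies a connection made to the alias. The SAN list below is a constructed assumption for illustration, not the real endpoint's certificate.

```python
"""RFC 6125-style host name matching, the check a TLS client runs after the
certificate chain has been validated.  Constructed example."""
from typing import Tuple

# Constructed peer-certificate info in the shape ssl.getpeercert() returns.
# The names are an assumption for illustration, not the real endpoint's cert.
PEER_CERT = {
    "subject": ((("commonName", "*.iot.us-west-2.amazonaws.com"),),),
    "subjectAltName": (
        ("DNS", "*.iot.us-west-2.amazonaws.com"),
        ("DNS", "a3phael99lf879-ats.iot.us-west-2.amazonaws.com"),
    ),
}

def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID pattern.  A wildcard is only allowed as the entire
    leftmost label, needs at least two labels after it, and matches exactly
    one label (never an IDNA 'xn--' label)."""
    p_labels, h_labels = pattern.lower().split("."), hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3 or h_labels[0].startswith("xn--"):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def dns_ids(cert: dict) -> Tuple[str, ...]:
    """Names the certificate is valid for: DNS SANs if present, otherwise
    the subject CN as a legacy fallback."""
    sans = tuple(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    if sans:
        return sans
    return tuple(v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName")

def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_label_matches(p, hostname) for p in dns_ids(cert))

def verify_requested_name(cert: dict, requested: str, cname_target: str = None):
    """The client verifies REQUESTED (the host in the MQTT URL).  The CNAME
    target it resolved to plays no part in host name verification."""
    return {
        "requested_ok": hostname_matches(cert, requested),
        "cname_target_ok": hostname_matches(cert, cname_target) if cname_target else None,
    }

if __name__ == "__main__":
    print(verify_requested_name(PEER_CERT, "common.iot.aic.lgthinq.com",
                                "a3phael99lf879-ats.iot.us-west-2.amazonaws.com"))
```

Disabling this check is what "ignore host name verifier" means; it is separate from the "PKIX path building failed" chain error, which is about trust in the issuing CA, not the name.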

