diff --git a/config-example.yaml b/config-example.yaml index 6735e6cf..59bf8a3c 100644 --- a/config-example.yaml +++ b/config-example.yaml @@ -170,6 +170,9 @@ mqtt: #retain: 1 encryption: + # Whether to enable a TLS encrypted connection to your MQTT broker. + enable: False + # Encryption Options for encrypted broker connections # These settings will be passed to the `tls_set()` method. Please refer # to the Paho client documentation for details: @@ -177,8 +180,9 @@ mqtt: # A string path to the Certificate Authority certificate files that are to # be treated as trusted by this client. - # A Certificate Authority cert is REQUIRED for any encrypted connection. - # an encrypted connection will not be attempted unless this is specified. + # WARNING: If a ca_cert is specified, encryption will be enabled. You should + # however use the enable setting above as this is a deprecated way to enable + # encryption. # ca_cert: # Client certificate and private key - Optional diff --git a/insteon_mqtt/cmd_line/util.py b/insteon_mqtt/cmd_line/util.py index 4af6aa05..00a84eaa 100644 --- a/insteon_mqtt/cmd_line/util.py +++ b/insteon_mqtt/cmd_line/util.py 
@@ -85,22 +85,25 @@ def send(config, topic, payload, quiet=False): encryption = config["mqtt"].get('encryption', {}) if encryption is None: encryption = {} + addl_tls_kwargs = {} ca_cert = encryption.get('ca_cert', None) - if ca_cert is not None and ca_cert != "": + enable_tls = encryption.get('enable', None) + if (ca_cert is not None and ca_cert != "") or enable_tls: # Set the basic arguments + if ca_cert is not None and ca_cert != "": + addl_tls_kwargs['ca_certs'] = ca_cert certfile = encryption.get('certfile', None) - if certfile == "": - certfile = None + if certfile is not None and certfile != "": + addl_tls_kwargs['certfile'] = certfile keyfile = encryption.get('keyfile', None) - if keyfile == "": - keyfile = None + if keyfile is not None and keyfile != "": + addl_tls_kwargs['keyfile'] = keyfile ciphers = encryption.get('ciphers', None) - if ciphers == "": - ciphers = None + if ciphers is not None and ciphers != "": + addl_tls_kwargs['ciphers'] = ciphers # These require passing specific constants so we use a lookup # map for them. - addl_tls_kwargs = {} tls_ver = encryption.get('tls_version', 'tls') tls_version_const = TLS_VER_OPTIONS.get(tls_ver, None) if tls_version_const is not None: @@ -112,10 +115,7 @@ def send(config, topic, payload, quiet=False): # Finally, try the connection try: - client.tls_set(ca_certs=ca_cert, - certfile=certfile, - keyfile=keyfile, - ciphers=ciphers, **addl_tls_kwargs) + client.tls_set(**addl_tls_kwargs) except FileNotFoundError as e: print("Cannot locate a SSL/TLS file = %s.", e) diff --git a/insteon_mqtt/data/config-base.yaml b/insteon_mqtt/data/config-base.yaml index c067a3d2..68fe0ba2 100644 --- a/insteon_mqtt/data/config-base.yaml +++ b/insteon_mqtt/data/config-base.yaml 
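Review bot: With `enable: True` and no `ca_cert`, the new `if (ca_cert ...) or enable_tls:` branch ends up calling `tls_set()` with no `ca_certs`, so the trust anchors come from whatever the installed paho-mqtt does for a missing CA — current releases appear to load the system store via `ssl.SSLContext.load_default_certs` with certificate and hostname verification still required, but that is worth confirming against the pinned paho version and stating at the `enable_tls` line, e.g. `# No ca_cert: paho falls back to the system CA store; verification stays on.` The repeated `x is not None and x != ""` tests read more simply as truthiness (`if ca_cert:`), since config-schema types these values as strings and `.get(..., None)` is the only other case. The kwargs-assembly block is now duplicated verbatim in insteon_mqtt/network/Mqtt.py `load_config`; a small shared helper that returns the `tls_set` kwargs from the `encryption` dict would keep the two paths from drifting. `send`'s body continues outside the hunk.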
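Review bot: `client.tls_set(**addl_tls_kwargs)` is guarded only against `FileNotFoundError`; a present but unparseable certificate or key typically raises `ssl.SSLError`, and `tls_set` raises `ValueError` when the platform has no TLS support, so those surface as tracebacks for the new `enable: True` path as well — `except (FileNotFoundError, ssl.SSLError, ValueError) as e:` would cover the cases a misconfiguration actually produces (same in the Mqtt.py counterpart). Because the user has explicitly asked for TLS, the handler should also ensure a failed `tls_set` does not fall through to a plaintext connect; Mqtt.py calls `sys.exit()` after logging, whereas what follows the `print` here is outside the hunk and cannot be confirmed. Separately, the context line `print("Cannot locate a SSL/TLS file = %s.", e)` never formats: `print` takes the two arguments as separate values, so it should be `print("Cannot locate a SSL/TLS file = %s." % e)`.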
@@ -155,6 +155,9 @@ mqtt: retain: 1 encryption: + # Whether to enable a TLS encrypted connection to your MQTT broker. + enable: False + # Encryption Options for encrypted broker connections # These settings will be passed to the `tls_set()` method. Please refer # to the Paho client documentation for details: @@ -162,8 +165,9 @@ mqtt: # A string path to the Certificate Authority certificate files that are to # be treated as trusted by this client. - # A Certificate Authority cert is REQUIRED for any encrypted connection. - # an encrypted connection will not be attempted unless this is specified. + # WARNING: If a ca_cert is specified, encryption will be enabled. You should + # however use the enable setting above as this is a deprecated way to enable + # encryption. # ca_cert: # Client certificate and private key - Optional diff --git a/insteon_mqtt/data/config-schema.yaml b/insteon_mqtt/data/config-schema.yaml index d5fd6ffc..75ced485 100644 --- a/insteon_mqtt/data/config-schema.yaml +++ b/insteon_mqtt/data/config-schema.yaml @@ -264,6 +264,8 @@ mqtt: nullable: True type: dict schema: + enable: + type: boolean ca_cert: type: string certfile: diff --git a/insteon_mqtt/network/Mqtt.py b/insteon_mqtt/network/Mqtt.py index 90157fc7..885ebab9 100644 --- a/insteon_mqtt/network/Mqtt.py +++ b/insteon_mqtt/network/Mqtt.py 
@@ -155,23 +155,26 @@ def load_config(self, config): encryption = config.get('encryption', {}) if encryption is None: encryption = {} + addl_tls_kwargs = {} ca_cert = encryption.get('ca_cert', None) - if ca_cert is not None and ca_cert != "": + enable_tls = encryption.get('enable', None) + if (ca_cert is not None and ca_cert != "") or enable_tls: LOG.info("Using TLS for MQTT broker connection.") # Set the basic arguments + if ca_cert is not None and ca_cert != "": + addl_tls_kwargs['ca_certs'] = ca_cert certfile = encryption.get('certfile', None) - if certfile == "": - certfile = None + if certfile is not None and certfile != "": + addl_tls_kwargs['certfile'] = certfile keyfile = encryption.get('keyfile', None) - if keyfile == "": - keyfile = None + if keyfile is not None and keyfile != "": + addl_tls_kwargs['keyfile'] = keyfile ciphers = encryption.get('ciphers', None) - if ciphers == "": - ciphers = None + if ciphers is not None and ciphers != "": + addl_tls_kwargs['ciphers'] = ciphers # These require passing specific constants so we use a lookup # map for them. - addl_tls_kwargs = {} tls_ver = encryption.get('tls_version', 'tls') tls_version_const = self.TLS_VER_OPTIONS.get(tls_ver, None) if tls_version_const is not None: @@ -183,10 +186,7 @@ def load_config(self, config): # Finally, try the connection try: - self.client.tls_set(ca_certs=ca_cert, - certfile=certfile, - keyfile=keyfile, - ciphers=ciphers, **addl_tls_kwargs) + self.client.tls_set(**addl_tls_kwargs) except FileNotFoundError as e: LOG.error("Cannot locate a SSL/TLS file = %s.", e) sys.exit()
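Review bot: `LOG.info("Using TLS for MQTT broker connection.")` is emitted before the kwargs are assembled and no longer tells the operator whether a configured `ca_cert` or paho's default trust store is in use, which is the first thing needed when diagnosing a verification failure under the new `enable`-only configuration; moving it below the kwargs block and logging the source, e.g. `LOG.info("Using TLS for MQTT broker connection (ca_cert=%s).", ca_cert or "system default")`, would make the choice visible in the logs. Note also that a non-empty `ca_cert` turns TLS on even when `enable: False` is set explicitly; that matches the yaml comments in this commit and errs on the safe side, but a one-line comment at the `if` line saying so (`# ca_cert alone still enables TLS (legacy); enable: False does not override it`) would save the next reader a trip to the config docs. `load_config`'s body continues outside the hunk.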
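Review bot: The context line `sys.exit()` after `LOG.error(...)` exits with status 0, so a TLS setup failure — now also reachable by setting `enable: True` with a wrong file path — looks like a clean shutdown to a service manager and will not be flagged or restarted as a failure; `sys.exit(1)` (or raising) would make the misconfiguration observable. The remainder of `load_config` lies outside the hunk.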