Is there any method of disabling the check of the validity period of the server’s certificate?
What I’m trying to achieve is, on first boot or when the board has forgotten the time, to not check the validity period, but once the time is set, check the validity period.
Not sure if you are asking about the mosquitto client command line tools or a self-implemented MQTT client based on libmosquitto. But as the command line tools are based on libmosquitto, it makes no difference.
The TLS part of the mosquitto clients is based on the popular OpenSSL library. But checking the server CERT is the default behavior of the OpenSSL lib when establishing a connection to the server. Right now it is possible to use the --insecure option to ignore the server identity. But this way only the CN of the server CERT will not be checked against the connection server name. Nevertheless, the client will check the server CERT using the CA chain (and this includes validity checks).
So out of the box it’s not possible to ignore the SSL error (which will occur in such a situation) and still connect to the server. E.g. the required CA-chain still has to be in place (and valid as well).
Ignoring the server CERT in general is, from a security perspective, not a good idea. This way an attacker may intercept the connection and will easily get the MQTT credentials.
The best way from my perspective would be to use a time sync protocol like NTP to synchronize the client, and create the connection once the time is synced.
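One way to implement the "connect once the time is synced" approach from the answer above, as an added example that is not part of the original posts: a shell gate that refuses to start the TLS connection while the clock is obviously unset. The `MIN_EPOCH` floor and the `BROKER`, `CAFILE` and `TOPIC` variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: hold off the TLS connection until the clock is plausible,
# keeping certificate validation (including the validity period) enabled.

# Assumed floor: any time before this means the RTC was reset.
# Constructed value (2023-11-14T22:13:20Z); use e.g. the firmware build time.
MIN_EPOCH=${MIN_EPOCH:-1700000000}

# Clock source, kept in a function so it can be replaced in tests.
now_epoch() { date +%s; }

# clock_is_sane [epoch]: succeeds when the time is not earlier than MIN_EPOCH.
clock_is_sane() {
    now=${1:-$(now_epoch)}
    [ "$now" -ge "$MIN_EPOCH" ]
}

# wait_for_clock TRIES INTERVAL: poll until NTP (or anything else) has set
# the clock; fail closed after TRIES attempts.
wait_for_clock() {
    tries=$1
    interval=$2
    while [ "$tries" -gt 0 ]; do
        clock_is_sane && return 0
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# publish_when_synced MESSAGE: connect only once the clock passes the check.
# BROKER, CAFILE and TOPIC are hypothetical environment variables.
publish_when_synced() {
    if ! wait_for_clock "${TRIES:-60}" "${INTERVAL:-5}"; then
        echo "clock not set yet, not connecting" >&2
        return 1
    fi
    mosquitto_pub -h "$BROKER" -p 8883 --cafile "$CAFILE" -t "$TOPIC" -m "$1"
}
```

The floor only detects a reset clock (for example one that restarted at 1970); it does not replace NTP, and the certificate checks done by the client stay fully enabled.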