Hello,
I am using an MQTT library with OpenSSL support, as given in the link below:
https://github.com/tuanpmt/esp32-mqtt
In this library it does not use any x509 certificate or private key structure for SSL, so I am a little bit confused. Is it called a secure connection without using any certificate, as the above-mentioned MQTT library works? Or does the OpenSSL library manage it internally? Even in the IDF OpenSSL library source code it does not use any API like SSL_CTX_use_certificate().
Can anybody help me with this?
Thanks.
MQTT with OpenSSL, Is it secure connection without using any certificate or private key..?
Re: MQTT with OpenSSL, Is it secure connection without using any certificate or private key..?
Hi
if you act as a client (connect to a MQTT broker) you don't need a certificate if the MQTT broker doesn't explicitly require it (mutual authentication or SSL client authentication). When you connect, you receive the SSL server certificate of the broker and this is used to "secure" the channel.
So basically yes, the channel is secure (encrypted) even if you don't "own" a certificate... but if you don't perform any certificate verification (pinning) someone could be able to redirect your connection to a malicious MQTT broker and receive your data. This is the reason why they normally suggest to verify the certificate you receive to be sure that the MQTT broker you're connecting to is the "real" one.
bye
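Added example (not part of the thread, and not code from esp32-mqtt or ESP-IDF): the difference between an encrypted-only client and one that verifies and pins the broker certificate, shown with Python's standard `ssl` module rather than the ESP-IDF OpenSSL API. The function names and the sample bytes are assumptions made up for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def unverified_context():
    """Encrypts, but accepts any server certificate (the case asked about)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # a redirected connection would not be noticed
    return ctx


def verified_context(cafile=None):
    """Requires a chain to a trusted CA and a matching hostname."""
    return ssl.create_default_context(cafile=cafile)


def pin_matches(der_cert, pinned_sha256_hex):
    """Compare SHA-256 of the DER certificate against a pinned fingerprint."""
    actual = hashlib.sha256(der_cert).hexdigest()
    expected = pinned_sha256_hex.replace(":", "").lower()
    return hmac.compare_digest(actual, expected)


def connect_pinned(host, port, pinned_sha256_hex, cafile=None, timeout=10):
    """Open a TLS socket to the broker; refuse it if the pin check fails."""
    ctx = verified_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
        tls.close()
        raise ssl.SSLError("broker certificate does not match pinned fingerprint")
    return tls  # hand this socket to the MQTT client


# Constructed sample bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"constructed-broker-certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()
```

No client certificate or private key appears in either context; those are only needed when the broker asks for mutual authentication.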
Re: MQTT with OpenSSL, Is it secure connection without using any certificate or private key..?
Hi Kurtzweber,
It's very helpful information, thanks.