You need to call tls_set() to enable TLS mode. If you don't do this, the client will attempt to connect without using TLS. You can call tls_set() without setting a client side certificate or key by setting those parameters to NULL in C or None in Python, but the CA certificate is always required, unless you are using TLS-PSK. In Python, the default if not specified is for the certificate and key file to be passed as None, so you can use for example:
mq.tls_set(mqttCafile)
If require_certificate is true, you need to pass a valid client certificate and key alongside your CA certificate otherwise the broker will reject your connection.
It isn't possible to have a single listener deal with clients that want to connect both with and without TLS, but you can create multiple listeners so one is listening on port 1883 without TLS and one on 8883 with TLS, for example.
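A mosquitto.conf layout matching the cases above, added here as an example and not part of the original answer. The file paths and the extra port 8884 are placeholder assumptions, and authentication settings (allow_anonymous, password_file) are left out.

```conf
# Plain MQTT, no TLS: clients connect without calling tls_set().
listener 1883

# TLS with server authentication only.
# Client side: mq.tls_set(mqttCafile) is enough, because the
# certificate and key default to None.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate false

# TLS with mandatory client certificates (port number is an assumption).
# Client side: tls_set() must be given the CA file plus the client's own
# certificate and key, otherwise the broker rejects the connection.
listener 8884
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true
```

Each listener block carries its own TLS options, which is why the TLS and non-TLS cases need separate ports.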