From 2070279e075629d7605e150f260705b262b93be5 Mon Sep 17 00:00:00 2001
From: Giovanni Condello
Date: Wed, 24 Jun 2026 23:09:48 +0200
Subject: [PATCH 1/2] fix(tls): only apply tls_insecure when a custom CA cert is configured

tls_insecure was set for any TLS connection where hostname checking was disabled, not just the self-signed/custom-CA scenario it was intended for. With a public CA cert (the default case), hostname verification should never be bypassed. The warning log already required tls_server_cert_path; align the tls_insecure condition to match.
---
 src/publisher/mqtt_publisher.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/publisher/mqtt_publisher.py b/src/publisher/mqtt_publisher.py
index b6de247..6513bd0 100644
--- a/src/publisher/mqtt_publisher.py
+++ b/src/publisher/mqtt_publisher.py
@@ -85,7 +85,9 @@ async def __run_loop(self) -> None:
 clean_session=True,
 tls_context=ssl_context,
 tls_insecure=bool(
- ssl_context and not self.configuration.tls_server_cert_check_hostname
+ ssl_context
+ and self.configuration.tls_server_cert_path
+ and not self.configuration.tls_server_cert_check_hostname
 ),
 will=aiomqtt.Will(
 topic=self.get_topic(mqtt_topics.INTERNAL_LWT, False),

From c16515e216eea3fccc432ed9950909a6f778b294 Mon Sep 17 00:00:00 2001
From: Giovanni Condello
Date: Wed, 24 Jun 2026 23:11:10 +0200
Subject: [PATCH 2/2] fix(tls): warn on hostname-check bypass regardless of custom CA cert

The warning "Skipping hostname check" was only emitted when a custom CA cert path was also configured. Users connecting with self-signed certs (no CA file) or by IP address would disable hostname verification silently. Move the warning outside the tls_server_cert_path block so it fires for any TLS connection where tls_server_cert_check_hostname=False, and drop the spurious tls_server_cert_path guard on tls_insecure.
---
 src/publisher/mqtt_publisher.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
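Review bot: The added `and self.configuration.tls_server_cert_path` term turns `tls_server_cert_check_hostname=False` into a silent no-op whenever no CA path is configured: `tls_insecure` evaluates to False, the connection presumably then fails hostname verification, and nothing in the log points at the ignored setting (the warning, per the commit message, still lives inside the CA-path block outside this hunk). PATCH 2/2 in the same series removes exactly this term, so the final tree never contains this state; consider squashing the two so a bisect cannot land on it. If `tls_server_cert_path` is a `pathlib.Path` rather than a `str | None` (its type is not visible here), note that `Path` objects are always truthy, so this guard would not even distinguish "unset" from "set". `__run_loop` starts and ends outside the hunk.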
diff --git a/src/publisher/mqtt_publisher.py b/src/publisher/mqtt_publisher.py
index 6513bd0..d7cc9b6 100644
--- a/src/publisher/mqtt_publisher.py
+++ b/src/publisher/mqtt_publisher.py
@@ -70,10 +70,10 @@ async def __run_loop(self) -> None:
 ssl_context.load_verify_locations(
 cafile=self.configuration.tls_server_cert_path
 )
- if not self.configuration.tls_server_cert_check_hostname:
- LOG.warning(
- f"Skipping hostname check for TLS connection to {self.host}"
- )
+ if not self.configuration.tls_server_cert_check_hostname:
+ LOG.warning(
+ f"Skipping hostname check for TLS connection to {self.host}"
+ )
 
 client = aiomqtt.Client(
 hostname=self.host,
@@ -85,9 +85,7 @@ async def __run_loop(self) -> None:
 clean_session=True,
 tls_context=ssl_context,
 tls_insecure=bool(
- ssl_context
- and self.configuration.tls_server_cert_path
- and not self.configuration.tls_server_cert_check_hostname
+ ssl_context and not self.configuration.tls_server_cert_check_hostname
 ),
 will=aiomqtt.Will(
 topic=self.get_topic(mqtt_topics.INTERNAL_LWT, False),
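Review bot: The relocated `if not self.configuration.tls_server_cert_check_hostname:` no longer has a TLS precondition, while the `tls_insecure` expression further down still requires `ssl_context`, so unless the dedented block landed inside whatever branch builds `ssl_context` (not visible; the collapsed paste shows the removed and added lines with identical text, so the dedent is inferred from the commit message), the warning will also fire for plain-TCP deployments that happen to have the flag off. Mirror the other condition: `if ssl_context and not self.configuration.tls_server_cert_check_hostname:`. The message also understates what is being given up; I would log `LOG.warning("TLS hostname verification disabled for %s: any certificate chaining to a trusted CA will be accepted", self.host)`, which at the same time swaps the f-string for lazy `%` arguments. Since this sits inside `__run_loop`, which by its name presumably reconnects, expect the warning to repeat on every iteration; logging it once at configuration time may be preferable. `__run_loop` starts and ends outside the hunk.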
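Review bot: The restored condition `ssl_context and not self.configuration.tls_server_cert_check_hostname` deserves a comment explaining why it intentionally does not depend on the CA path, because PATCH 1/2 in this same series encoded the opposite rule and a future reader has no way to tell which of the two was the mistake. I would add above `tls_insecure=bool(`: `# Deliberately independent of tls_server_cert_path: the user's hostname-check setting is honoured for any TLS connection; chain verification still applies.` It is also worth spelling out the consequence for the public-CA case that PATCH 1/2 worried about: with the flag off, any certificate issued by a trusted CA for any name is accepted, so the warning in the preceding hunk is the only signal of that downgrade. As far as I recall, aiomqtt passes `tls_insecure` to paho's `tls_insecure_set()`, which clears `check_hostname` on the supplied context rather than relaxing `verify_mode`; confirm against the pinned aiomqtt/paho versions before relying on that in the comment. `__run_loop` starts and ends outside the hunk.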