From 91fc4a073f8be5340f0e846dacc9efa2ff27e841 Mon Sep 17 00:00:00 2001
From: Joshua Storch
Date: Thu, 3 Aug 2023 21:04:03 +0200
Subject: [PATCH] feat: allow upstream mqtts connections without providing a client certificate

---
 ioxy/mqtt-session.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/ioxy/mqtt-session.go b/ioxy/mqtt-session.go
index e98735a..eefdb5e 100644
--- a/ioxy/mqtt-session.go
+++ b/ioxy/mqtt-session.go
@@ -77,17 +77,20 @@ func (session *Session) forwardHalf(way string, c1 net.Conn, c2 net.Conn) {
 func (session *Session) DialOutbound() error {
 addr := mqttBrokerHost + ":" + strconv.Itoa(mqttBrokerPort)
 if mqttBrokerTLS {
- cert, err := tls.X509KeyPair([]byte(mqttBrokerClientCert), []byte(mqttBrokerClientKey))
- if err != nil {
- log.Fatalf("server: loadkeys: %s", err)
- return err
+ config := tls.Config{InsecureSkipVerify: true}
+ if mqttBrokerClientCert != "" && mqttBrokerClientKey != "" {
+ cert, err := tls.X509KeyPair([]byte(mqttBrokerClientCert), []byte(mqttBrokerClientKey))
+ if err != nil {
+ log.Fatalf("server: loadkeys: %s", err)
+ return err
+ }
+ config.Certificates = []tls.Certificate{cert}
+ } else {
+ log.Info("Establishing mqtts connection to upstream without client certificate")
 }
- var config tls.Config
 if amazonMqttProtocol {
 // Check if CA is needed
- config = tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true, NextProtos: []string{"x-amzn-mqtt-ca"}}
- } else {
- config = tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true}
+ config.NextProtos = []string{"x-amzn-mqtt-ca"}
 }
 client, err := tls.Dial("tcp", addr, &config)
 if err != nil {
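Review bot: The new guard `if mqttBrokerClientCert != "" && mqttBrokerClientKey != ""` silently downgrades to an upstream connection without client authentication when only one of the two values is configured, so a cert set without its key (or vice versa) is reported only as an Info line instead of an error. Reject the half-configured case explicitly before that guard, e.g. `if (mqttBrokerClientCert != "") != (mqttBrokerClientKey != "") { return errors.New("mqtt broker client cert and key must be set together") }` (or the `fmt.Errorf` equivalent if `errors` is not imported in this file). With the certificate now optional and `InsecureSkipVerify: true` kept unconditionally in `config := tls.Config{InsecureSkipVerify: true}`, the mqtts session can run with neither party authenticated; that deserves a comment on the config line, and letting operators supply the broker's CA via `config.RootCAs` instead of skipping verification would close the gap. The moved `log.Fatalf(...)` followed by `return err` still leaves the return unreachable and terminates the whole proxy on a malformed key pair, where returning the error would let the caller of DialOutbound decide. DialOutbound's body continues outside the hunk.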