From 3a54a1f0a46d151c8b37cfa72484d9ee884edace Mon Sep 17 00:00:00 2001
From: Andreas Granig
Date: Tue, 4 Oct 2022 09:26:56 -0400
Subject: [PATCH] Squashed commit of the following:
commit 025f56212da3396c6e77d2ecdfbe184d85e1e20e
Author: Andreas Granig
Date: Tue Oct 4 14:23:01 2022 +0200
Document the mqtt-tls-alpn option
commit e6cc320d192b217a1629ad05abdb9689fe434167
Author: Andreas Granig
Date: Mon Oct 3 21:41:14 2022 +0200
Add TLS ALPN option to be set when connecting MQTT
This is required to be set to "mqtt" for instance when connecting to the AWS IoT Core data endpoint at port 443 to indicate we're sending MQTT, because in that case websocket and mqtt shares the same port for whatever reason.
Change-Id: I6a391e815411b178187ef42aa009e45853d1c388
---
 daemon/main.c | 1 +
 daemon/mqtt.c | 8 ++++++++
 daemon/rtpengine.pod | 5 ++++-
 etc/rtpengine.conf | 1 +
 include/main.h | 1 +
 5 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/daemon/main.c b/daemon/main.c
index fe630c7de..f4ef249b3 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -559,6 +559,7 @@ static void options(int *argc, char ***argv) {
 #ifdef HAVE_MQTT
 { "mqtt-host",0,0, G_OPTION_ARG_STRING, &rtpe_config.mqtt_host, "Mosquitto broker host or address", "HOST|IP"},
 { "mqtt-port",0,0, G_OPTION_ARG_INT, &rtpe_config.mqtt_port, "Mosquitto broker port number", "INT"},
+ { "mqtt-tls-alpn",0,0, G_OPTION_ARG_STRING, &rtpe_config.mqtt_tls_alpn, "Mosquitto broker TLS ALPN", "STRING"},
 { "mqtt-id",0,0, G_OPTION_ARG_STRING, &rtpe_config.mqtt_id, "Mosquitto client ID", "STRING"},
 { "mqtt-keepalive",0,0, G_OPTION_ARG_INT, &rtpe_config.mqtt_keepalive,"Seconds between mosquitto keepalives","INT"},
 { "mqtt-user",0,0, G_OPTION_ARG_STRING, &rtpe_config.mqtt_user, "Username for mosquitto auth", "USERNAME"},
diff --git a/daemon/mqtt.c b/daemon/mqtt.c
index 8e310c9b5..587b179e3 100644
--- a/daemon/mqtt.c
+++ b/daemon/mqtt.c
@@ -61,6 +61,14 @@ static int mqtt_connect(void) {
 }
 }
+ if (rtpe_config.mqtt_tls_alpn) {
+ int ret = mosquitto_string_option(mosq, MOSQ_OPT_TLS_ALPN, rtpe_config.mqtt_tls_alpn);
+ if (ret != MOSQ_ERR_SUCCESS) {
+ ilog(LOG_ERR, "Failed to set mosquitto TLS ALPN options: %s", mosquitto_strerror(errno));
+ return -1;
+ }
+ }
+
 ret = mosquitto_connect(mosq, rtpe_config.mqtt_host, rtpe_config.mqtt_port, rtpe_config.mqtt_keepalive);
 if (ret != MOSQ_ERR_SUCCESS) {
diff --git a/daemon/rtpengine.pod b/daemon/rtpengine.pod
index a7c0cb6ed..39674277e 100644
--- a/daemon/rtpengine.pod
+++ b/daemon/rtpengine.pod
@@ -995,11 +995,14 @@ to enable authentication.
 =item B<--mqtt-keyfile=>I
+=item B<--mqtt-tls-alpn=>I
+
 Enable TLS to connect to Mosquitto broker, optionally with client certificate authentication. At least B or B must be given to enable TLS. To enable client certificate authentication, both B and B must be set. All files must be in PEM format. Password-proteted files are not
-supported.
+supported. The B can be set (e.g. mqtt) if a service like AWS IoT Core shares the same TLS port for two different network protocols.
 =item B<--mqtt-publish-qos=>B<0>|B<1>|B<2>
diff --git a/etc/rtpengine.conf b/etc/rtpengine.conf
index aa41dce5e..813507e6f 100644
--- a/etc/rtpengine.conf
+++ b/etc/rtpengine.conf
@@ -118,6 +118,7 @@ recording-method = proc
 # mqtt-host = localhost
 # mqtt-port = 1883
+# mqtt-tls-alpn = mqtt
 # mqtt-id =
 # mqtt-user = foo
 # mqtt-pass = bar
diff --git a/include/main.h b/include/main.h
index c5e3b051a..61260a774 100644
--- a/include/main.h
+++ b/include/main.h
@@ -135,6 +135,7 @@ struct rtpengine_config {
 int poller_per_thread;
 char *mqtt_host;
 int mqtt_port;
+ char *mqtt_tls_alpn;
 char *mqtt_id;
 int mqtt_keepalive;
 char *mqtt_user;
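Review bot: The error path in the new ALPN block logs the wrong error: `mosquitto_string_option()` returns a `mosq_err_t` and does not set `errno`, so `mosquitto_strerror(errno)` on the `ilog()` line prints whatever stale errno happened to be there rather than the real cause; it should be `mosquitto_strerror(ret)`. The block also declares a fresh `int ret` that shadows the function-scope `ret` used by the unprefixed `ret = mosquitto_connect(...)` below (declared before this hunk, as that assignment suggests), which is legal but trips `-Wshadow` and invites confusion; dropping the `int` and reusing the outer variable is cleaner. Since the ALPN string is only meaningful once TLS has been configured via the cafile/capath/certfile options handled above this hunk, it would be worth either logging a warning or refusing the option when none of those is set, so a plaintext-port misconfiguration (as the sample config's `mqtt-port = 1883` next to `mqtt-tls-alpn = mqtt` would produce) does not pass silently; I have not verified libmosquitto's behaviour in that case. `MOSQ_OPT_TLS_ALPN` is also newer than some libmosquitto releases still shipped by distributions, so a build-time guard or a note in the README's dependency list may be needed. mqtt_connect() starts before and continues after this hunk.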