Hello, We try to use mosquitto mqtt messages with tls security protocol.
To do so, we follow the following tutorial: https://primalcortex.wordpress.com/2016/03/31/mqtt-mosquitto-broker-with-ssltls-transport-security/ to generate the authority certificate file and the server certificate we use this script https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh This tutorial seems complete and well done as we successfully connect several machines by following this method. Nevertheless when trying to configure the broker on our server we encounter several problems. In the server the mosquitto.conf content is : # A full description of the configuration file is at # /usr/share/doc/mosquitto/examples/mosquitto.conf.example pid_file /var/run/mosquitto.pid persistence true persistence_location /var/lib/mosquitto/ log_dest file /var/log/mosquitto/mosquitto.log listener 8884 cafile /etc/mosquitto/certs3/ca.crt certfile /etc/mosquitto/certs3/server.crt keyfile /etc/mosquitto/certs3/server.key Mosquitto version is 1.4.10 and Openssl version is 1.0.2j When trying to subcribe or publish on port 8884 locally (ie from a client also on the server), no problem, the connection success. But when we try to connect from an other machine we get different error if we use command line or mosqutto C library - With command line mosquitto_pub -h xxx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884 On server log file 1484748728: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown And ssldump gives the following exit: 0.0384 (0.0384) C>S Handshake ClientHello Version 3.3 cipher suites Unknown value 0xc030 Unknown value 0xc02c Unknown value 0xc028 Unknown value 0xc024 Unknown value 0xc014 Unknown value 0xc00a Unknown value 0xa3 Unknown value 0x9f Unknown value 0x6b Unknown value 0x6a TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA Unknown value 0x88 Unknown value 0x87 Unknown value 0xc032 Unknown value 0xc02e Unknown value 0xc02a Unknown value 0xc026 Unknown value 0xc00f Unknown value 0xc005 Unknown value 0x9d Unknown value 0x3d TLS_RSA_WITH_AES_256_CBC_SHA Unknown value 0x84 Unknown value 0xc02f Unknown value 0xc02b Unknown value 0xc027 Unknown value 0xc023 Unknown value 0xc013 Unknown value 0xc009 Unknown value 0xa2 Unknown value 0x9e TLS_DHE_DSS_WITH_NULL_SHA Unknown value 0x40 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA Unknown value 0x9a Unknown value 0x99 Unknown value 0x45 Unknown value 0x44 Unknown value 0xc031 Unknown value 0xc02d Unknown value 0xc029 Unknown value 0xc025 Unknown value 0xc00e Unknown value 0xc004 Unknown value 0x9c Unknown value 0x3c TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0x96 Unknown value 0x41 Unknown value 0xc011 Unknown value 0xc007 Unknown value 0xc00c Unknown value 0xc002 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xc012 Unknown value 0xc008 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xc00d Unknown value 0xc003 TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xff compression methods NULL 1 2 0.0415 (0.0030) S>C Handshake ServerHello Version 3.3 session_id[0]= cipherSuite Unknown value 0xc030 compressionMethod NULL 1 3 0.0415 (0.0000) S>C Handshake Certificate 1 4 0.0415 (0.0000) S>C Handshake ServerKeyExchange 1 5 0.0415 (0.0000) S>C Handshake ServerHelloDone 1 6 0.0783 (0.0368) C>S Alert level fatal value certificate_unknown 1 0.0785 (0.0002) S>C TCP FIN We try and get the same result with machine on which openssl 1.0.2j is installed with mosquitto 1.4.10 than on a machine on which oppenssl 1.0.1t is installed with mosquitto version 1.3.4. when using the insecure option, it is working well mosquitto_pub -h xx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884 –insecure but it is not our goal. -When using C mosquitto library : openssl-1.1.0c mosquitto 1.4.10 c-code implementation: err = mosquitto_tls_set(poMosq, "/etc/mosquitto/certs/ca.crt", "/etc/mosquitto/certs/", NULL, NULL, NULL ); 1484747462: OpenSSL Error: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error C>S Handshake ClientHello Version 3.3 cipher suites Unknown value 0xc030 Unknown value 0xc02c Unknown value 0xc028 Unknown value 0xc024 Unknown value 0xc014 Unknown value 0xc00a Unknown value 0xa5 Unknown value 0xa3 Unknown value 0xa1 Unknown value 0x9f Unknown value 0x6b Unknown value 0x6a Unknown value 0x69 Unknown value 0x68 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA Unknown value 0x88 Unknown value 0x87 Unknown value 0x86 Unknown value 0x85 Unknown value 0xc032 Unknown value 0xc02e Unknown value 0xc02a Unknown value 0xc026 Unknown value 0xc00f Unknown value 0xc005 Unknown value 0x9d Unknown value 0x3d TLS_RSA_WITH_AES_256_CBC_SHA Unknown value 0x84 Unknown value 0xc02f Unknown value 0xc02b Unknown value 0xc027 Unknown value 0xc023 Unknown value 0xc013 Unknown value 0xc009 Unknown value 0xa4 Unknown value 0xa2 Unknown value 0xa0 Unknown value 0x9e TLS_DHE_DSS_WITH_NULL_SHA Unknown value 0x40 Unknown value 0x3f Unknown value 0x3e TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA Unknown value 0x9a Unknown value 0x99 Unknown value 0x98 Unknown value 0x97 Unknown value 0x45 Unknown value 0x44 Unknown value 0x43 Unknown value 0x42 Unknown value 0xc031 Unknown value 0xc02d Unknown value 0xc029 Unknown value 0xc025 Unknown value 0xc00e Unknown value 0xc004 Unknown value 0x9c Unknown value 0x3c TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0x96 Unknown value 0x41 TLS_RSA_WITH_IDEA_CBC_SHA Unknown value 0xc011 Unknown value 0xc007 Unknown value 0xc00c Unknown value 0xc002 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xc012 Unknown value 0xc008 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xc00d Unknown value 0xc003 TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xff compression methods NULL 1 2 0.0426 (0.0032) S>C Handshake ServerHello Version 3.3 session_id[0]= cipherSuite Unknown value 0xc030t compressionMethod NULL 1 3 0.0426 (0.0000) S>C Handshake Certificate 1 4 0.0426 (0.0000) S>C Handshake ServerKeyExchange 1 5 0.0426 (0.0000) S>C Handshake ServerHelloDone 1 6 0.0770 (0.0344) C>S Alert level fatal We check if the common name on the certificate server is good and it corresponds to the hostname used to connect the server, so the problem does not seems to come from here. We will be very grateful if you could give us some ideas about how to debug this problem.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users