Can I NOT key in the client.key PEM pass phrase when launching mosquitto_pub / mosquitto_sub?

Asked by ZoeSu

Hi,

I have created a ca cert, server cert, client cert, server key and client key by following the instructions at http://mosquitto.org/man/mosquitto-tls-7.html.

I have a broker instance up and running using ca.crt, server.crt and server.key. In mosquitto.conf, require_certificate is set to false.

I am able to connect successfully to pub / sub messages to/from this broker using mosquitto_pub and mosquitto_sub by supplying --cafile ca.crt --cert client.crt --key client.key

Here are my instructions:
mosquitto_sub -h 10.5.161.76 -p 8883 --cafile ca.crt --cert client.crt --key client.key -t topic
mosquitto_pub -h 10.5.161.76 -p 8883 --cafile ca.crt --cert client.crt --key client.key -t topic -m "hello topic"

My question is that when launching mosquitto_pub / mosquitto_sub, I need to enter the PEM pass phrase.

Is it possible to provide the PEM pass phrase in other ways (not stdin)?

Zoe

Question information

Language: English
Status: Solved
For: mosquitto
Assignee: No assignee
Solved by: ZoeSu
Roger Light (roger.light) said :
#1

I'm afraid this isn't possible with mosquitto_pub/mosquitto_sub at the moment.

It is fairly trivial to add in yourself though. You just need to create a password callback function something like:

#include <string.h>

/* get_password() stands for whatever actually retrieves the pass phrase */
int pw_callback(char *buf, int size, int rwflag, void *userdata)
{
    char *pw;
    pw = get_password();
    strncpy(buf, pw, size);
    buf[size-1] = '\0';
    return strlen(buf);
}

And then pass that as the final argument to mosquitto_tls_set().

ZoeSu (agorgeousday) said :
#2

Hi Roger,

Thanks for your response. That solved my question.

emin inal (emininal) said :
#3

Hi guys,

I have the same problem.

I applied your suggestions, @Roger.

I'm trying to communicate using SSL between my mosquitto C++ client and the mosquitto broker.

Yeah, mosquitto_pub/mosquitto_sub are working well with SSL if you provide the pass phrases.

But in my C++ client I could not succeed, although I created a static pw_callback function and passed it to the mosquitto tls_set method.

I'm getting the below error on the broker side.
May 24 18:57:53 ubuntu mosquitto[11998]: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
May 24 18:57:53 ubuntu mosquitto[11998]: Socket error on client (null), disconnecting.

Here is my pseudo code:

// findpw must be declared before openSession() refers to it
static int findpw(char *buf, int size, int rwflag, void *userdata);

bool MyClass::openSession()
{
    int sslresult = tls_set(
        "/home/emin/CERTS/mosquitto/ca_certificates/ca.crt",
        "/home/emin/CERTS/mosquitto/ca_certificates/",
        "/home/emin/CERTS/mosquitto/certs/client.crt",
        "/home/emin/CERTS/mosquitto/certs/client.key",
        findpw);

    int result = connect(this->host, this->port, this->keepalive);

    if (result == MOSQ_ERR_SUCCESS && sslresult == MOSQ_ERR_SUCCESS)
        return true;
    else
        return false;
}

static int findpw(char *buf, int size, int rwflag, void *userdata)
{
    const char *pw;
    pw = "test"; // here is my client.key pass phrase. No problem, this is just for testing certs.
    strncpy(buf, pw, size);
    buf[size-1] = '\0';
    return strlen(buf);
}

Are there any suggestions, guys?

Thank you.

ZoeSu (agorgeousday) said :
#4

It looks like there is wrong coding in findpw().

Please refer to
http://www.cplusplus.com/reference/cstring/strncpy/

You can try this and check whether it works:
static int findpw(char* buf, int size, int rwflag, void* userdata)
{
    char pw[4] = "test";
    strncpy(buf, pw, size);
    buf[size-1] = '\0';
    return strlen(buf);
}

emin inal (emininal) said :
#5

Hi ZoeSu,

I tried that one:

static int findpw(char *buf, int size, int rwflag, void *userdata)
{
    char pw[5] = "test";
    strncpy(buf, pw, size);
    buf[size-1] = '\0';
    return strlen(buf);
}

pw[4] returns the error "initializer-string for array of chars is too long", so then I set it to 5 chars and tried.
Unfortunately the result is the same (ssl handshake fail).

By the way, as you see, I passed the method findpw to the (pw_callback) function pointer.
But I could not see any call to this pointer in the mosquitto.c file.

The size variable is not set, I guess.
Interestingly, rwflag and userdata are also not used?

ZoeSu (agorgeousday) said :
#6

Hi emin inal,

1) To avoid the IOT issues, please check whether the mosquitto client/server versions are the same or not. For example, the mosquitto server/client versions on my end:
mosquitto version 1.1.3
mosquitto_pub version 1.1.3

2) You must initialize the struct "mosquittopp_test" before tls_set. Do you have this initialization?
struct mosquittopp_test *mosq;

BRs,

emin inal (emininal) said :
#7

Hi ZoeSu,

Yes, I have defined a pointer to my KAConnection class instance in my main.cpp.
I call connection->openSession() from my main, then I get the ssl error I mentioned in my first comment.

By the way, these are my versions:
mosquitto broker: mosquitto version 1.3.1 (build date 2014-03-25 00:22:28+0000)
mosquittopp client version 1.3.1
----main.cpp----

class KAConnection *connection;
int rc;
mosqpp::lib_init();
connection = new KAConnection(Uuid.c_str(),
                              clientAddress.c_str(),
                              serverAddress.c_str(),
                              broadcastAddress.c_str(),
                              url.c_str(),
                              port);
---------------------------------

-my default constructor-
----------------------------------------------------
KAConnection::KAConnection(const char *id, const char *subscribedTopic, const char *publishedTopic,
                           const char *broadcastTopic,
                           const char *host, int port) : mosquittopp(id)
{
    this->keepalive = 60;
    this->id = id;
    this->port = port;
    this->host = host;
    this->subscribedTopic = subscribedTopic;
    this->broadcastTopic = broadcastTopic;
    this->publishedTopic = publishedTopic;
    this->reveivedMessage = false;
    this->bufferSize = 2550;
}
-----------------------------------------

-and my openSession method-
----------------------------------------------------
// findpw must be declared before openSession() refers to it
static int findpw(char *buf, int size, int rwflag, void *userdata);

bool KAConnection::openSession()
{
    int sslresult = tls_set(
        "/home/emin/CERTS/mosquitto/ca_certificates/ca.crt",
        "/home/emin/CERTS/mosquitto/ca_certificates/",
        "/home/emin/CERTS/mosquitto/certs/client.crt",
        "/home/emin/CERTS/mosquitto/certs/client.key",
        findpw);
    int result = connect(this->host, this->port, this->keepalive);
    if (result == MOSQ_ERR_SUCCESS && sslresult == MOSQ_ERR_SUCCESS)
        return true;
    else
        return false;
}

static int findpw(char *buf, int size, int rwflag, void *userdata)
{
    char pw[5] = "test";
    strncpy(buf, pw, size);
    buf[size-1] = '\0';
    return strlen(buf);
}
-------------------------------------------

I think the problem is that my client.key pass phrase is not parsed and set correctly.

Because I can also communicate without SSL with no problem.

emin inal (emininal) said :
#8

mosquitto_pub/mosquitto_sub are also working with same certificates with no problem.

Roger Light (roger.light) said :
#9

I've just pushed a test for this to the 1.4 branch on bitbucket, could you try that?

https://bitbucket.org/oojah/mosquitto/commits/b64feae71fcc791b0ed0a0771c8757646010d547

It works fine for me.

You wouldn't expect the callback to be used in mosquitto directly, it is an openssl call.

Cheers,

Roger

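The callback Roger sketches in #1 and his point in #9 that libmosquitto never calls it itself (it is handed to OpenSSL, which invokes it while decrypting the private key) are worth seeing together, since emin's questions about size, rwflag and userdata in #5 are really questions about OpenSSL's contract for that callback. Below is an added example, not code from this thread or from the mosquitto project: a complete, non-interactive pass-phrase callback in C with the signature that mosquitto_tls_set() takes as its last argument. It reads the pass phrase from an environment variable (the name MOSQ_KEY_PASSPHRASE is an assumption of this example), honours the buffer size OpenSSL passes in, refuses write requests (rwflag != 0), and returns 0 when no usable pass phrase is available so that loading the key fails immediately instead of the process blocking on a terminal prompt. The userdata argument is whatever libmosquitto registers with OpenSSL and is ignored here.

```c
/* Added example, not from the thread or the mosquitto project: a
 * non-interactive PEM pass-phrase callback of the shape accepted by
 * mosquitto_tls_set(mosq, cafile, capath, certfile, keyfile, pw_callback).
 * libmosquitto passes it on to OpenSSL, so it must follow OpenSSL's
 * pem_password_cb contract: write at most `size` bytes into `buf` and
 * return the number of bytes written, or <= 0 to refuse.
 * The environment variable name below is an assumption of this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSPHRASE_ENV "MOSQ_KEY_PASSPHRASE"

/* Copy `src` into `buf` within OpenSSL's size limit.  Returns the number of
 * bytes written, or 0 if the pass phrase is empty or would be truncated: a
 * silently truncated pass phrase is indistinguishable from a wrong one and
 * only produces an opaque "bad decrypt" error, so refuse loudly instead. */
static int copy_passphrase(char *buf, int size, const char *src)
{
    size_t len;

    if (buf == NULL || size <= 0 || src == NULL)
        return 0;
    len = strlen(src);
    if (len == 0 || len > (size_t)size)
        return 0;
    memcpy(buf, src, len);
    return (int)len;
}

/* The callback itself.  rwflag is 0 when OpenSSL is reading (decrypting) a
 * key and 1 when it is writing (encrypting) one; an MQTT client only ever
 * decrypts, so a write request is refused.  userdata is whatever
 * libmosquitto registered with OpenSSL and is not needed here. */
int pw_callback_from_env(char *buf, int size, int rwflag, void *userdata)
{
    const char *pw;

    (void)userdata;
    if (rwflag != 0)
        return 0;
    pw = getenv(PASSPHRASE_ENV);
    if (pw == NULL) {
        fprintf(stderr, "%s is not set; refusing to prompt for a pass phrase\n",
                PASSPHRASE_ENV);
        return 0;
    }
    return copy_passphrase(buf, size, pw);
}

/* Stand-alone check: exercises the callback the way OpenSSL would, with a
 * buffer of the size it hands over, without needing a broker or a key file. */
int main(void)
{
    char buf[64];
    int n = pw_callback_from_env(buf, (int)sizeof buf, 0, NULL);

    printf("callback returned %d byte(s)\n", n);
    return n > 0 ? 0 : 1;
}
```

Registered as mosquitto_tls_set(mosq, "ca.crt", NULL, "client.crt", "client.key", pw_callback_from_env) in C, or via tls_set(...) on a mosquittopp object in C++, this removes the stdin prompt entirely. One caveat: an environment variable is inherited by every child process and is readable from /proc/<pid>/environ by anything running as the same user. That is still better than passing the pass phrase as a command-line argument, which ps exposes to every user on the host, but a file with mode 0600 that the callback reads once at start-up is the more conservative choice for a long-running client.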

emin inal (emininal) said :
#10

Hi @Roger

I downloaded the 1.4 branch.

The server.crt and server.key are signed by all-ca.crt,
and client-encrypted.crt & client-encrypted.key will be used for the client side.

But how should I configure the mosquitto broker? I did this configuration on my local mosquitto broker:
-----------------------mosquitto.conf-------------------
bind_address 0.0.0.0
port 1883
max_connections -1
cafile /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/all-ca.crt
capath /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl
certfile /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/server.crt
keyfile /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/server.key
require_certificate true
persistence true
persistence_location /var/lib/mosquitto/
log_dest syslog
---------------------------------------------------------------

However, I notice that under the below folder
~/test/lib/cpp$

the "08-ssl-connect-cert-auth-enc.test" executable does not connect to the localhost broker at all. I could not see any request in the logs?

What would you suggest?

BRs.

Roger Light (roger.light) said :
#11

Try "make test" from the source directory. If it doesn't give an error, everything worked fine.

Roger Light (roger.light) said :
#12

Or do:

cd test/lib
make test-compile
./08-ssl-connect-cert-auth-enc.py cpp/08-ssl-connect-cert-auth-enc.test

The config file listens on port 1888.


emin inal (emininal) said :
#13

Hi @Roger
make test gave success on the 1.4 branch.

emin inal (emininal) said :
#14

But I want to manually test "08-ssl-connect-cert-auth-enc.test",
so I start the mosquitto broker (mosquitto -c 08-ssl-connect-cert-auth.conf -v -d)
using the "08-ssl-connect-cert-auth.conf" file.

Firstly, is this the right conf file for that?

Because the client side returns
1401176525: Client connection from 127.0.0.1 failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.

emin inal (emininal) said :
#15

The interesting thing is that,

although 08-ssl-connect-cert-auth-enc.test is not working, when I also tested with my software it gives another problem:

1401178373: New connection from 127.0.0.1 on port 1888.
1401178373: OpenSSL Error: error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
1401178373: Socket error on client (null), disconnecting.

mosquitto pub/sub are working with this broker and the below certificates. (mosquitto -c 08-ssl-connect-cert-auth.conf -v -d)

Here is my config.
./mosquitto_sub -h localhost -p 1888 -t "SERVICE_TOPIC" --cafile /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/all-ca.crt --capath /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/ --cert /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/client-encrypted.crt --key /home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/client-encrypted.key -d

The pass phrase for client-encrypted.key is "password".

emin inal (emininal) said :
#16

Oh, I found the issue. That's my bad. :(

I executed 08-ssl-connect-cert-auth-enc.test from "~/test/lib/cpp".
I checked this code. It was trying to read "../ssl/" but I recognised that it should be "./../ssl".

So then I changed and set the exact path for the certs and recompiled, with the below line.

mosq->tls_set("/home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/all-ca.crt", NULL, "/home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/client-encrypted.crt", "/home/emin/roger/oojah-mosquitto-b64feae71fcc/test/ssl/client-encrypted.key", password_callback);

08-ssl-connect-cert-auth-enc.test is working now.

Now I will investigate my code deeply. There is something wrong that I'm doing.

Thank you very much guys @Roger @ZoeSu
BRs
-Emin

emin inal (emininal) said :
#17

@guys

I have found the source of the problem.

It was about the "libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0" shared library.

In my application I had compiled my program statically. Now I have disabled "ssl.a",
and my client is working fine. I think there is a problem with the statically compiled ssl library on Ubuntu 12.04 LTS.

Finally, I also want to integrate my client with the ActiveMQ MQTT broker with SSL support.

Do you have any suggestions, @guys? I have some problems with certificates.

Here is the link to my question: https://answers.launchpad.net/mosquitto/+question/249281

Thanks in advance.
My Best Regards
-Emin