Client cannot connect with generated certificates from mosquitto-tls-7

Asked by dabozz

Hi,
I followed the instructions for creating certificates from mosquitto-tls-7. Somehow I cannot connect with the client:

mosquitto_sub -h example.org -t "#" -d --cafile /etc/mosquitto/ca_certificates/ca.crt
Client mosqsub/21114-raspberry sending CONNECT
OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Following errors show in mosquitto.log:

1391023277: New connection from xxx.xxx.xxx.xxx on port 1883.
1391023277: OpenSSL Error: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
1391023277: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

The ca.crt is created via
openssl req -new -x509 -days <duration> -extensions v3_ca -keyout ca.key -out ca.crt

In the ca.crt it says:
openssl x509 -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
...

The server.crt is created via
openssl genrsa -des3 -out server.key 2048
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <duration>

and in the server.crt:
openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
...

The SSL versions of the protocols do not match, but I think they should. Is it a bug in the man page?
mosquitto version 1.2.3 (build date 2014-01-06 11:53:51+0000)
OpenSSL 1.0.1e 11 Feb 2013

Let me know if there is something I can provide.

Greetings,
dabozz

Question information

Language: English
Status: Answered
For: mosquitto
Assignee: No assignee
dabozz (dabozz7) said :
#1

I think it's not a bug anymore; can someone else please help?

dabozz (dabozz7) said :
#2

Hi,
I have
mosquitto_sub version 1.2.3 running on libmosquitto 1.2.3.

my mosquitto.conf is:

# Place your local configuration in /etc/mosquitto/conf.d/
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d

conf.d/mosquitto.conf:

require_certificate false
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1

The certificates are generated following the man page mosquitto-tls-7.
While generating the certificates for the client I changed the CN and Organisational Unit like you described here:
https://<email address hidden>/msg00076.html

mosquitto_sub -h ip-address -t "#" -d --cafile /etc/mosquitto/ca_certificates/ca.crt --key /etc/mosquitto/client/client.key --cert /etc/mosquitto/client/client.crt --tls-version tlsv1
Enter PEM pass phrase:
Client mosqsub/32020-raspberry sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

mosquitto_pub -h ip-address -t "test" -m hello --cafile /etc/mosquitto/ca_certificates/ca.crt --tls-version tlsv1 --key /etc/mosquitto/client/client.key --cert /etc/mosquitto/client/client.crt -d
Enter PEM pass phrase:
Client mosqpub/32030-raspberry sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

/var/log/mosquitto/mosquitto.log:

1391196703: mosquitto version 1.2.3 (build date 2014-01-06 11:53:51+0000) starting
1391196703: Config loaded from /etc/mosquitto/mosquitto.conf.
1391196703: Opening ipv4 listen socket on port 1883.
1391196703: Opening ipv6 listen socket on port 1883.
1391196703: Warning: Address family not supported by protocol
1391196705: New connection from 95.117.127.121 on port 1883.
1391196707: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1391196707: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1391196707: Socket read error on client (null), disconnecting.
1391196712: New connection from 95.117.127.121 on port 1883.
1391196714: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1391196714: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1391196714: Socket read error on client (null), disconnecting.
1391196728: mosquitto version 1.2.3 terminating
1391196728: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.

That means I sorted out the 'tlsv1 alert protocol version' issue, but now I have a new one. Can someone give me hints, please?

dabozz

Roger Light (roger.light) said :
#3

It's good to hear you've sorted the protocol version problem.

It sounds like the certificate hostname verification is failing. The remote hostname of the broker you use to connect to should match the CN *or* a subjectAltName of the certificate. If your CN is example.com and you connect to 192.168.0.1, then the verification will fail.

I would recommend using the subjectAltName feature of certificates - you can add a list of hostnames and/or IP addresses that will be valid for the certificate. The MQTTitude project has a script which demonstrates how you can generate certificates with subjectAltName: https://github.com/binarybucks/mqttitude/blob/master/tools/TLS/generate-CA.sh

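The following script is an added example, not part of the thread and not the mosquitto project's or the MQTTitude script Roger links to. It reproduces the two certificate shapes discussed above: a server certificate signed with a bare `openssl x509 -req` (identity only in the CN, which on the OpenSSL 1.0 series used in the question is the "Version: 1" certificate the asker saw) and one signed with an `-extfile` that adds a subjectAltName listing both a hostname and an IP address. It then asks OpenSSL's own verifier which identities each certificate is valid for, which is the check that fails when you connect to an IP address with a CN-only certificate. The CA name, the hostname `broker.example.test`, the IP `192.0.2.10` and the `$WORK` scratch directory are constructed placeholders; the `-verify_hostname` and `-verify_ip` options need OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the Launchpad thread or the mosquitto project).
# Builds a throwaway CA, signs one CN-only server cert and one cert with a
# subjectAltName, then checks each against a hostname and an IP address.
set -e

WORK=${WORK:-$(mktemp -d)}     # scratch directory for keys and certs (assumption)
HOST=broker.example.test       # constructed hostname
IP=192.0.2.10                  # constructed IP address (TEST-NET-1)

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf;
# the v3_ca section mirrors what the man page's "-extensions v3_ca" expects.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# CA key and self-signed CA certificate (-nodes: no passphrase, runs unattended).
make_ca() {
    openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate exactly as in the question: no -extfile, so its only
# identity is the subject CN.
make_cn_only_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$HOST" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/cn.key" -out "$WORK/cn.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/cn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/cn.crt" 2>/dev/null
}

# Same, but the extension file adds a subjectAltName with a DNS name and an IP.
make_san_cert() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$HOST" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/san.key" -out "$WORK/san.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$HOST" "$IP" > "$WORK/san.ext"
    openssl x509 -req -days 30 -in "$WORK/san.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/san.ext" -out "$WORK/san.crt" 2>/dev/null
}

# Prints "ok" if $1 chains to the CA and is valid for hostname $2, else "mismatch".
# With no dNSName SAN present OpenSSL falls back to the CN, as Roger describes.
check_host() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

# Same for an IP literal $2: only a subjectAltName IP entry satisfies this check.
check_ip() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

# X.509 version as shown by "openssl x509 -text" (the "Version:" line from the question).
cert_version() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

make_ca
make_cn_only_cert
make_san_cert
printf 'cn-only  v%s  host:%s  ip:%s\n' "$(cert_version "$WORK/cn.crt")" \
    "$(check_host "$WORK/cn.crt" "$HOST")" "$(check_ip "$WORK/cn.crt" "$IP")"
printf 'with-SAN v%s  host:%s  ip:%s\n' "$(cert_version "$WORK/san.crt")" \
    "$(check_host "$WORK/san.crt" "$HOST")" "$(check_ip "$WORK/san.crt" "$IP")"
```

The CN-only certificate verifies for the hostname but not for the IP address, while the SAN certificate verifies for both and for nothing else; that is the property to aim for, since a broker reached as `-h 192.168.0.1` presents no hostname for the CN fallback to match. Once a SAN certificate is in place, `openssl verify -CAfile ca.crt -verify_ip <address> server.crt` (or `-verify_hostname <name>`) gives the same answer the client's "certificate verify failed" hides, without touching the broker.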