Activemq MQTT Broker and Mosquitto C++ Client SSL

Asked by emin inal

Hi,

I have a problem with SSL communication between the ActiveMQ MQTT broker and the mosquitto C++ client.

Firstly, I think there are two different concepts here:

The ActiveMQ side needs keystore files (keystore and truststore).
But the mosquitto client side needs the CA and client keys and certs.

How do we integrate these two different concepts, guys?

Is it the right way just to import the
ca.crt -> broker.ks (broker keystore)
client.crt -> broker.ts (broker truststore)

files that are used by ActiveMQ?

But that way I'm getting the error below from the ActiveMQ broker:
2014-05-26 10:18:53,206 | ERROR | Could not accept connection from null: java.io.IOException: javax.net.ssl.SSLHandshakeException: no cipher suites in common | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-1

I'm also getting this error from mosquitto_pub:

./mosquitto_pub -h localhost -p 8883 -t "04958b41-fc70-4ea8-a388-7c5a1162bbd5" -m "msg" --cafile /home/emin/CERTS/mosquitto/ca_certificates/ca.crt --capath /home/emin/CERTS/mosquitto/ca_certificates/ --cert /home/emin/CERTS/mosquitto/certs/client.crt --key /home/emin/CERTS/mosquitto/certs/client.key -d
Enter PEM pass phrase:
Client mosqpub/851-emin sending CONNECT
OpenSSL Error: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
Error: Protocol error

Are there any suggestions on that?

Thanks
My best regards.
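The mapping the question asks about, as an added example that is not from this thread nor from the ActiveMQ or mosquitto projects: a small test PKI built with openssl, packaged into the PEM files mosquitto wants (ca.crt, client.crt, client.key) and the Java keystore/truststore ActiveMQ wants. The broker keystore has to carry the broker's own private key and certificate; the truststore carries only the CA that signed the client certificates. Hostnames, aliases, the `changeit` password, output paths and the ActiveMQ/mosquitto command lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a test CA, a broker cert and a
# client cert with openssl, then packages them for both sides. All names,
# passwords and paths are assumptions.
#
#   mosquitto side (PEM):    ca.crt (--cafile), client.crt (--cert), client.key (--key)
#   ActiveMQ side (Java):    broker.ks (broker private key + chain), broker.ts (CA only)
#
# One CA signs both broker and client certificates, so the same ca.crt is the
# client's --cafile and the only entry the broker truststore needs.
set -eu

make_tls_material() {
  out=$1
  mkdir -p "$out"
  (
    cd "$out"
    # 1. CA: req -x509 makes it CA:TRUE through the default v3_ca section
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Test MQTT CA" -keyout ca.key -out ca.crt 2>/dev/null

    # 2. Broker certificate; CN/SAN must match what the client passes to -h
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' > broker.ext
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=localhost" \
      -keyout broker.key -out broker.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in broker.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile broker.ext -out broker.crt 2>/dev/null

    # 3. Client certificate, the one mosquitto_pub presents with --cert/--key
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=mosquitto-client" \
      -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile client.ext -out client.crt 2>/dev/null

    # 4. Broker keystore: the broker's PRIVATE KEY plus its chain. A store that
    #    only holds ca.crt gives the server nothing to authenticate with, and
    #    JSSE then fails the handshake with "no cipher suites in common".
    openssl pkcs12 -export -name broker -inkey broker.key -in broker.crt \
      -certfile ca.crt -passout pass:changeit -out broker.ks.p12

    # 5. JKS files for ActiveMQ 5.9 (keytool ships with the JDK; skipped if absent)
    if command -v keytool >/dev/null 2>&1; then
      keytool -importkeystore -noprompt -srckeystore broker.ks.p12 -srcstoretype PKCS12 \
        -srcstorepass changeit -destkeystore broker.ks -deststoretype JKS -deststorepass changeit
      # Truststore: the CA that signed the clients, not client.crt itself
      keytool -importcert -noprompt -alias mqtt-ca -file ca.crt \
        -keystore broker.ts -storepass changeit
    fi
  )
}

# Check 1: does the broker keystore actually contain a private key?
keystore_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Check 2: would a truststore holding this CA accept this certificate as a TLS client?
client_cert_accepted_by_ca() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: TLS_OUT=/tmp/mqtt-tls sh this_script.sh
if [ -n "${TLS_OUT:-}" ]; then
  make_tls_material "$TLS_OUT"
  keystore_has_private_key "$TLS_OUT/broker.ks.p12" changeit && echo "broker keystore holds a private key"
  client_cert_accepted_by_ca "$TLS_OUT/ca.crt" "$TLS_OUT/client.crt" && echo "client cert chains to ca.crt"
  # ActiveMQ 5.9 wiring in activemq.xml (assumed names):
  #   <sslContext><sslContext keyStore="file:${activemq.conf}/broker.ks" keyStorePassword="changeit"
  #       trustStore="file:${activemq.conf}/broker.ts" trustStorePassword="changeit"/></sslContext>
  #   <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883?transport.needClientAuth=true"/>
  # mosquitto side:
  #   mosquitto_pub -h localhost -p 8883 -t test -m msg --cafile "$TLS_OUT/ca.crt" \
  #       --cert "$TLS_OUT/client.crt" --key "$TLS_OUT/client.key" --tls-version tlsv1.2
  # Watch the raw handshake without mosquitto in the loop:
  #   openssl s_client -connect localhost:8883 -CAfile "$TLS_OUT/ca.crt" \
  #       -cert "$TLS_OUT/client.crt" -key "$TLS_OUT/client.key" -tls1_2
fi
```

The two check functions are the ones worth running before touching the broker config: the first distinguishes a real keystore from a cert-only store such as one built by importing ca.crt alone, and the second shows whether the client certificate would pass the truststore at all (a certificate with only the serverAuth extended key usage is rejected for the sslclient purpose). If the broker's JVM is an old JDK 8 release and the PKCS12 file was written by OpenSSL 3, it may not parse the PBES2/AES encryption OpenSSL 3 uses by default; adding `-legacy` to the `pkcs12 -export` call on OpenSSL 3 avoids that.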

Question information

Language: English
Status: Answered
For: mosquitto
Assignee: No assignee

Roger Light (roger.light) said :
#1

Sounds like ActiveMQ doesn't support TLSv1.2, which is the default for mosquitto 1.3.

Try setting your mosquitto listener to use

tls_version tlsv1

emin inal (emininal) said :
#2

Hi @Roger

Actually I'm testing with mosquitto_sub/pub against the ActiveMQ 5.9.1 MQTT broker.

Here is my command; I disabled client-side auth first.
--------------------
./mosquitto_sub -h localhost -p 8883 -t "SERVICE_TOPIC" --cafile /etc/mosquitto/ca_certificates/ca.crt --capath /etc/mosquitto/ca_certificates/ -d --tls-version tlsv1.1
Client mosqsub/31996-emin sending CONNECT
--------------------------

As you see, the client is sending CONNECT but the ActiveMQ side does not respond to it, and after a while (I think this time is the default timeout) I get the error from the ActiveMQ side shown below:
------------
2014-05-29 09:39:02,934 | ERROR | Could not accept connection from null: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[localhost] Task-1014
------------

By the way, I have configured the broker-side keystore with its password using my ca.crt.

Is there any low-level debug mode on the mosquitto client side with which I can trace the whole handshake?

My Best Regards
Emin.

Roger Light (roger.light) said :
#3

The lowest level is MQTT protocol I'm afraid.
On May 29, 2014 7:47 AM, "emin inal" <email address hidden> wrote:

> Question #249281 on mosquitto changed:
> https://answers.launchpad.net/mosquitto/+question/249281
