Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [mosquitto-dev] odd TLS errors [SOLVED]

Greg Troxel <gdt@xxxxxxxxxx> writes:

> I am seeing strange SSL errors on connections from a nodemcu sensor:
>   1620579609: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error

What was going on was:

  I had a letsencrypt renewal, and now they are providing two chain
  certificates.  One is from Identrust to the letsencrypt root, and the
  next from the letsencrypt root to the letsencrypt R3, which signs the
  end entity cert.  That way if you trust the letsencrypt root, as
  up-to-date systems do, you can validate from that, and if you don't
  and the identrust one isn't expired yet, you can validate from that.

  The combination of 3 certs was kind of big, about 5.5K in the pem

  nodemcu's TLS implementation is documented to only work if the server
  response fits in a 4K buffer.

  [I changed the chain to be just the identrust to R3, as was in the
  previous cert 9 weeks ago.  I will try just letsencrypt next.]

  Now my nodemcu device works.  Obviously it was crashing and
  restarting, and OpenSSL was getting EOF from the reset on next boot
  and failing on that.  The only maybe bug in openssl is printing the
  wrong error; it probably should have been "peer closed connection
  during negotiation".

My advice to check if your IOT devices are still working stands.

Attachment: signature.asc
Description: PGP signature

Back to the top