Re: [mosquitto-dev] odd TLS errors [SOLVED]
Greg Troxel <gdt@xxxxxxxxxx> writes:
> I am seeing strange SSL errors on connections from a nodemcu sensor:
>
> 1620579609: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
What was going on was:
I had a letsencrypt renewal, and now they are providing two chain
certificates. One is from Identrust to the letsencrypt root, and the
next from the letsencrypt root to the letsencrypt R3, which signs the
end entity cert. That way if you trust the letsencrypt root, as
up-to-date systems do, you can validate from that, and if you don't
and the identrust one isn't expired yet, you can validate from that.
The combination of 3 certs was kind of big, about 5.5K in the pem
file.
nodemcu's TLS implementation is documented to only work if the server
response fits in a 4K buffer.
[I changed the chain to be just the identrust to R3, as was in the
previous cert 9 weeks ago. I will try just letsencrypt next.]
Now my nodemcu device works. Obviously it was crashing and
restarting, and OpenSSL was getting EOF from the reset on next boot
and failing on that. The only maybe bug in openssl is printing the
wrong error; it probably should have been "peer closed connection
during negotiation".
My advice to check if your IOT devices are still working stands.
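The failure described above is a size problem, not a crypto problem: the server's Certificate handshake message grew past what the client's fixed receive buffer can hold, and the resulting reset was reported by OpenSSL as an alert. The following script is an added example (not code from the original post, from mosquitto or from nodemcu) that measures a PEM chain the way a practitioner would before deploying a renewed certificate: it extracts each certificate's DER size, computes the size of the TLS 1.2 Certificate message that would carry the chain (RFC 5246 section 7.4.2 layout: 4-byte handshake header, 3-byte list length, then a 3-byte length prefix per certificate), and reports how many certificates, counted from the leaf, fit in a given buffer. The 4096-byte buffer limit is taken from the post; the certificate sizes in the embedded sample chain are constructed stand-ins (arbitrary bytes in PEM framing, not real X.509 certificates) chosen so that the full chain overflows and the chain without the trailing cross-sign fits, and the function names are this example's own.

```python
"""Estimate whether a server's certificate chain fits a small TLS receive buffer.

Added example, not part of the original mailing-list post.  The 4096-byte
limit is the one the post cites for nodemcu's TLS client (an assumption about
that platform, not verified here).
"""
import base64
import re
import sys

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_chain(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in file order.

    Only the size of each block matters to this tool, so the DER is not parsed.
    """
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_CERT_RE.finditer(pem_text)
    ]


def certificate_message_size(ders):
    """Bytes on the wire for a TLS 1.2 Certificate handshake message.

    Layout per RFC 5246 s7.4.2: 4-byte handshake header (type + 24-bit length),
    3-byte certificate_list length, then each certificate as a 3-byte length
    prefix followed by its DER encoding.  (TLS 1.3 adds a context byte and a
    2-byte extensions field per entry, so it would be slightly larger.)
    """
    return 4 + 3 + sum(3 + len(der) for der in ders)


def largest_fitting_prefix(ders, buffer_size=4096):
    """How many certificates, counted from the leaf, fit in buffer_size.

    A chain can only be shortened from the end (the root-most entries, e.g. a
    cross-sign), never by dropping the leaf, so only prefixes are considered.
    """
    fitting = 0
    for n in range(1, len(ders) + 1):
        if certificate_message_size(ders[:n]) <= buffer_size:
            fitting = n
        else:
            break
    return fitting


def chain_report(pem_text, buffer_size=4096):
    """Summarise a PEM chain against a fixed receive buffer (assumed 4096 bytes)."""
    ders = parse_pem_chain(pem_text)
    total = certificate_message_size(ders)
    return {
        "cert_der_sizes": [len(d) for d in ders],
        "certificate_message_bytes": total,
        "fits": total <= buffer_size,
        "certs_that_fit": largest_fitting_prefix(ders, buffer_size),
    }


def make_fake_pem_cert(size):
    """Constructed stand-in for a certificate: `size` arbitrary bytes in PEM
    framing.  It is NOT a real X.509 certificate; it only has the right length.
    """
    body = base64.b64encode(bytes(i % 256 for i in range(size))).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: leaf, intermediate, and a larger cross-signed root entry.
# Sizes are illustrative, chosen so the full chain overflows a 4 KiB buffer
# while the first two certificates fit.
SAMPLE_CHAIN = (
    make_fake_pem_cert(1200)  # leaf (end-entity)
    + make_fake_pem_cert(1300)  # intermediate
    + make_fake_pem_cert(1600)  # cross-signed root, the entry that can be dropped
)


if __name__ == "__main__":
    # Usage: python tls_chain_size.py [fullchain.pem] [buffer_size]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 4096
    report = chain_report(text, limit)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["fits"]:
        print(f"chain does NOT fit in {limit} bytes; "
              f"only the first {report['certs_that_fit']} cert(s) do")
```

Run it against the chain file the broker actually serves (for mosquitto, the file named by `certfile` or the concatenated chain it is configured with); to see the chain a live server sends, `openssl s_client -connect host:8883 -showcerts` prints every certificate in its Certificate message and the PEM output can be saved and fed to the script. The figure the script produces is only the Certificate message; the server's first flight also carries ServerHello, ServerKeyExchange and ServerHelloDone, so a chain that lands within a few hundred bytes of the limit is still at risk on a client that buffers the whole flight.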