[mosquitto-dev] Error when using MQTT Mosquitto broker with SSL/TLS tran

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[mosquitto-dev] Error when using MQTT Mosquitto broker with SSL/TLS transport security and non-local client

From: Sophie Jacquin <sj@xxxxxxxxxxxx>
Date: Wed, 18 Jan 2017 16:10:30 +0100
Delivered-to: mosquitto-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/mosquitto-dev>
List-help: <mailto:mosquitto-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=unsubscribe>

Title: using mosquitto with tl

We try to use mosquitto mqtt messages with tls security protocol.

To do so, we follow the following tutorial:

https://primalcortex.wordpress.com/2016/03/31/mqtt-mosquitto-broker-with-ssltls-transport-security/

to generate the authority certificate file and the server certificate we use this script https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh

This tutorial seems complete and well done as we successfully connect several machines by following this method. Nevertheless when trying to configure the broker on our server we encounter several problems.

In the server the mosquitto.conf content is :

# A full description of the configuration file is at

# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /var/run/mosquitto.pid

persistence true

persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

listener 8884

cafile /etc/mosquitto/certs3/ca.crt

certfile /etc/mosquitto/certs3/server.crt

keyfile /etc/mosquitto/certs3/server.key

Mosquitto version is 1.4.10 and Openssl version is 1.0.2j

When trying to subcribe or publish on port 8884 locally (ie from a client also on the server), no problem, the connection success.

But when we try to connect from an other machine we get different error if we use command line or

mosqutto C library

- With command line

mosquitto_pub -h xxx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884

On server log file

1484748728: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

And ssldump gives the following exit:

0.0384 (0.0384) C>S Handshake

ClientHello

Version 3.3

cipher suites

Unknown value 0xc030

Unknown value 0xc02c

Unknown value 0xc028

Unknown value 0xc024

Unknown value 0xc014

Unknown value 0xc00a

Unknown value 0xa3

Unknown value 0x9f

Unknown value 0x6b

Unknown value 0x6a

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Unknown value 0x88

Unknown value 0x87

Unknown value 0xc032

Unknown value 0xc02e

Unknown value 0xc02a

Unknown value 0xc026

Unknown value 0xc00f

Unknown value 0xc005

Unknown value 0x9d

Unknown value 0x3d

TLS_RSA_WITH_AES_256_CBC_SHA

Unknown value 0x84

Unknown value 0xc02f

Unknown value 0xc02b

Unknown value 0xc027

Unknown value 0xc023

Unknown value 0xc013

Unknown value 0xc009

Unknown value 0xa2

Unknown value 0x9e

TLS_DHE_DSS_WITH_NULL_SHA

Unknown value 0x40

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Unknown value 0x9a

Unknown value 0x99

Unknown value 0x45

Unknown value 0x44

Unknown value 0xc031

Unknown value 0xc02d

Unknown value 0xc029

Unknown value 0xc025

Unknown value 0xc00e

Unknown value 0xc004

Unknown value 0x9c

Unknown value 0x3c

TLS_RSA_WITH_AES_128_CBC_SHA

Unknown value 0x96

Unknown value 0x41

Unknown value 0xc011

Unknown value 0xc007

Unknown value 0xc00c

Unknown value 0xc002

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

Unknown value 0xc012

Unknown value 0xc008

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Unknown value 0xc00d

Unknown value 0xc003

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Unknown value 0xff

compression methods

NULL

1 2 0.0415 (0.0030) S>C Handshake

ServerHello

Version 3.3

session_id[0]=

cipherSuite Unknown value 0xc030

compressionMethod NULL

1 3 0.0415 (0.0000) S>C Handshake

Certificate

1 4 0.0415 (0.0000) S>C Handshake

ServerKeyExchange

1 5 0.0415 (0.0000) S>C Handshake

ServerHelloDone

1 6 0.0783 (0.0368) C>S Alert

level fatal

value certificate_unknown

1 0.0785 (0.0002) S>C TCP FIN

We try and get the same result with machine on which openssl 1.0.2j is installed with mosquitto 1.4.10 than on a machine on which oppenssl 1.0.1t is installed with mosquitto version 1.3.4.

when using the insecure option, it is working well

mosquitto_pub -h xx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884 –insecure

but it is not our goal.

-When using C mosquitto library :

openssl-1.1.0c

mosquitto 1.4.10

c-code implementation:

err = mosquitto_tls_set(poMosq,

"/etc/mosquitto/certs/ca.crt",

"/etc/mosquitto/certs/",

NULL,

NULL

);

1484747462: OpenSSL Error: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error

C>S Handshake

ClientHello

Version 3.3

cipher suites

Unknown value 0xc030

Unknown value 0xc02c

Unknown value 0xc028

Unknown value 0xc024

Unknown value 0xc014

Unknown value 0xc00a

Unknown value 0xa5

Unknown value 0xa3

Unknown value 0xa1

Unknown value 0x9f

Unknown value 0x6b

Unknown value 0x6a

Unknown value 0x69

Unknown value 0x68

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DH_RSA_WITH_AES_256_CBC_SHA

TLS_DH_DSS_WITH_AES_256_CBC_SHA

Unknown value 0x88

Unknown value 0x87

Unknown value 0x86

Unknown value 0x85

Unknown value 0xc032

Unknown value 0xc02e

Unknown value 0xc02a

Unknown value 0xc026

Unknown value 0xc00f

Unknown value 0xc005

Unknown value 0x9d

Unknown value 0x3d

TLS_RSA_WITH_AES_256_CBC_SHA

Unknown value 0x84

Unknown value 0xc02f

Unknown value 0xc02b

Unknown value 0xc027

Unknown value 0xc023

Unknown value 0xc013

Unknown value 0xc009

Unknown value 0xa4

Unknown value 0xa2

Unknown value 0xa0

Unknown value 0x9e

TLS_DHE_DSS_WITH_NULL_SHA

Unknown value 0x40

Unknown value 0x3f

Unknown value 0x3e

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DH_RSA_WITH_AES_128_CBC_SHA

TLS_DH_DSS_WITH_AES_128_CBC_SHA

Unknown value 0x9a

Unknown value 0x99

Unknown value 0x98

Unknown value 0x97

Unknown value 0x45

Unknown value 0x44

Unknown value 0x43

Unknown value 0x42

Unknown value 0xc031

Unknown value 0xc02d

Unknown value 0xc029

Unknown value 0xc025

Unknown value 0xc00e

Unknown value 0xc004

Unknown value 0x9c

Unknown value 0x3c

TLS_RSA_WITH_AES_128_CBC_SHA

Unknown value 0x96

Unknown value 0x41

TLS_RSA_WITH_IDEA_CBC_SHA

Unknown value 0xc011

Unknown value 0xc007

Unknown value 0xc00c

Unknown value 0xc002

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

Unknown value 0xc012

Unknown value 0xc008

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA

Unknown value 0xc00d

Unknown value 0xc003

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Unknown value 0xff

compression methods

NULL

1 2 0.0426 (0.0032) S>C Handshake

ServerHello

Version 3.3

session_id[0]=

cipherSuite Unknown value 0xc030t

compressionMethod NULL

1 3 0.0426 (0.0000) S>C Handshake

Certificate

1 4 0.0426 (0.0000) S>C Handshake

ServerKeyExchange

1 5 0.0426 (0.0000) S>C Handshake

ServerHelloDone

1 6 0.0770 (0.0344) C>S Alert

level fatal

We check if the common name on the certificate server is good and it corresponds to the hostname used to connect the server, so the problem does not seems to come from here.

Prev by Date: [mosquitto-dev] Event libs
Next by Date: [mosquitto-dev] Reg. raising security issues
Previous by thread: [mosquitto-dev] Event libs
Next by thread: [mosquitto-dev] Reg. raising security issues
Index(es):
- Date
- Thread

Breadcrumbs