[openssl-users] openssl error when connecting to a mosquitto broker with tls security

Sophie Jacquin sj at gleebees.com
Wed Jan 18 15:43:53 UTC 2017


Hello,

We are trying to use mosquitto MQTT messages with the TLS security protocol.

To do so, we follow this tutorial:

https://primalcortex.wordpress.com/2016/03/31/mqtt-mosquitto-broker-with-ssltls-transport-security/

To generate the certificate authority file and the server certificate we use this script: https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh

This tutorial seems complete and well done, as we successfully connected several machines by following this method. Nevertheless, when trying to configure the broker on our server we encounter several problems.

On the server, the mosquitto.conf content is:

# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

listener 8884
cafile /etc/mosquitto/certs3/ca.crt
certfile /etc/mosquitto/certs3/server.crt
keyfile /etc/mosquitto/certs3/server.key

Mosquitto version is 1.4.10 and OpenSSL version is 1.0.2j.

When trying to subscribe or publish on port 8884 locally (i.e. from a client also on the server), there is no problem; the connection succeeds.

But when we try to connect from another machine we get a different error depending on whether we use the command line or the mosquitto C library.

- With the command line:

mosquitto_pub -h xxx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884

In the server log file:

1484748728: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

And ssldump gives the following output:

0.0384 (0.0384) C>S Handshake
 ClientHello
 Version 3.3
 cipher suites
 Unknown value 0xc030
 Unknown value 0xc02c
 Unknown value 0xc028
 Unknown value 0xc024
 Unknown value 0xc014
 Unknown value 0xc00a
 Unknown value 0xa3
 Unknown value 0x9f
 Unknown value 0x6b
 Unknown value 0x6a
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
 Unknown value 0x88
 Unknown value 0x87
 Unknown value 0xc032
 Unknown value 0xc02e
 Unknown value 0xc02a
 Unknown value 0xc026
 Unknown value 0xc00f
 Unknown value 0xc005
 Unknown value 0x9d
 Unknown value 0x3d
 TLS_RSA_WITH_AES_256_CBC_SHA
 Unknown value 0x84
 Unknown value 0xc02f
 Unknown value 0xc02b
 Unknown value 0xc027
 Unknown value 0xc023
 Unknown value 0xc013
 Unknown value 0xc009
 Unknown value 0xa2
 Unknown value 0x9e
 TLS_DHE_DSS_WITH_NULL_SHA
 Unknown value 0x40
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 Unknown value 0x9a
 Unknown value 0x99
 Unknown value 0x45
 Unknown value 0x44
 Unknown value 0xc031
 Unknown value 0xc02d
 Unknown value 0xc029
 Unknown value 0xc025
 Unknown value 0xc00e
 Unknown value 0xc004
 Unknown value 0x9c
 Unknown value 0x3c
 TLS_RSA_WITH_AES_128_CBC_SHA
 Unknown value 0x96
 Unknown value 0x41
 Unknown value 0xc011
 Unknown value 0xc007
 Unknown value 0xc00c
 Unknown value 0xc002
 TLS_RSA_WITH_RC4_128_SHA
 TLS_RSA_WITH_RC4_128_MD5
 Unknown value 0xc012
 Unknown value 0xc008
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 Unknown value 0xc00d
 Unknown value 0xc003
 TLS_RSA_WITH_3DES_EDE_CBC_SHA
 Unknown value 0xff
 compression methods
 NULL
1 2 0.0415 (0.0030) S>C Handshake
 ServerHello
 Version 3.3
 session_id[0]=
 cipherSuite Unknown value 0xc030
 compressionMethod NULL
1 3 0.0415 (0.0000) S>C Handshake
 Certificate
1 4 0.0415 (0.0000) S>C Handshake
 ServerKeyExchange
1 5 0.0415 (0.0000) S>C Handshake
 ServerHelloDone
1 6 0.0783 (0.0368) C>S Alert
 level fatal
 value certificate_unknown
1 0.0785 (0.0002) S>C TCP FIN

We tried and got the same result with a machine on which OpenSSL 1.0.2j is installed with mosquitto 1.4.10 as on a machine on which OpenSSL 1.0.1t is installed with mosquitto version 1.3.4.

When using the insecure option, it works well:

mosquitto_pub -h xx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884 --insecure

but it is not our goal.

- When using the mosquitto C library:

openssl-1.1.0c
mosquitto 1.4.10

C code implementation:

    /* mosquitto_tls_set(mosq, cafile, capath, certfile, keyfile, pw_callback) */
    err = mosquitto_tls_set(poMosq,
      "/etc/mosquitto/certs/ca.crt", /* cafile: trusted CA certificate (PEM) */
      "/etc/mosquitto/certs/",       /* capath: directory of trusted CA certs */
      NULL,                          /* certfile: no client certificate */
      NULL,                          /* keyfile: no client private key */
      NULL                           /* pw_callback: no password callback */
    );

1484747462: OpenSSL Error: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error

 C>S Handshake
 ClientHello
 Version 3.3
 cipher suites
 Unknown value 0xc030
 Unknown value 0xc02c
 Unknown value 0xc028
 Unknown value 0xc024
 Unknown value 0xc014
 Unknown value 0xc00a
 Unknown value 0xa5
 Unknown value 0xa3
 Unknown value 0xa1
 Unknown value 0x9f
 Unknown value 0x6b
 Unknown value 0x6a
 Unknown value 0x69
 Unknown value 0x68
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
 TLS_DH_RSA_WITH_AES_256_CBC_SHA
 TLS_DH_DSS_WITH_AES_256_CBC_SHA
 Unknown value 0x88
 Unknown value 0x87
 Unknown value 0x86
 Unknown value 0x85
 Unknown value 0xc032
 Unknown value 0xc02e
 Unknown value 0xc02a
 Unknown value 0xc026
 Unknown value 0xc00f
 Unknown value 0xc005
 Unknown value 0x9d
 Unknown value 0x3d
 TLS_RSA_WITH_AES_256_CBC_SHA
 Unknown value 0x84
 Unknown value 0xc02f
 Unknown value 0xc02b
 Unknown value 0xc027
 Unknown value 0xc023
 Unknown value 0xc013
 Unknown value 0xc009
 Unknown value 0xa4
 Unknown value 0xa2
 Unknown value 0xa0
 Unknown value 0x9e
 TLS_DHE_DSS_WITH_NULL_SHA
 Unknown value 0x40
 Unknown value 0x3f
 Unknown value 0x3e
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 TLS_DH_RSA_WITH_AES_128_CBC_SHA
 TLS_DH_DSS_WITH_AES_128_CBC_SHA
 Unknown value 0x9a
 Unknown value 0x99
 Unknown value 0x98
 Unknown value 0x97
 Unknown value 0x45
 Unknown value 0x44
 Unknown value 0x43
 Unknown value 0x42
 Unknown value 0xc031
 Unknown value 0xc02d
 Unknown value 0xc029
 Unknown value 0xc025
 Unknown value 0xc00e
 Unknown value 0xc004
 Unknown value 0x9c
 Unknown value 0x3c
 TLS_RSA_WITH_AES_128_CBC_SHA
 Unknown value 0x96
 Unknown value 0x41
 TLS_RSA_WITH_IDEA_CBC_SHA
 Unknown value 0xc011
 Unknown value 0xc007
 Unknown value 0xc00c
 Unknown value 0xc002
 TLS_RSA_WITH_RC4_128_SHA
 TLS_RSA_WITH_RC4_128_MD5
 Unknown value 0xc012
 Unknown value 0xc008
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
 Unknown value 0xc00d
 Unknown value 0xc003
 TLS_RSA_WITH_3DES_EDE_CBC_SHA
 Unknown value 0xff
 compression methods
 NULL
1 2 0.0426 (0.0032) S>C Handshake
 ServerHello
 Version 3.3
 session_id[0]=
 cipherSuite Unknown value 0xc030
 compressionMethod NULL
1 3 0.0426 (0.0000) S>C Handshake
 Certificate
1 4 0.0426 (0.0000) S>C Handshake
 ServerKeyExchange
1 5 0.0426 (0.0000) S>C Handshake
 ServerHelloDone
1 6 0.0770 (0.0344) C>S Alert
 level fatal

We checked that the common name on the server certificate is correct and that it corresponds to the hostname used to connect to the server, so the problem does not seem to come from there.

We would be very grateful if you could give us some ideas about how to debug this problem.
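Added example, not code from the original message nor from the mosquitto or OpenSSL projects: a shell script that builds a throwaway CA and broker certificate with the openssl command line and then runs, in a passing and a failing configuration, the checks a TLS client performs before it sends the fatal certificate_unknown alert seen in the first ssldump trace: chain verification against the CA file the client was given (--cafile, or the cafile argument of mosquitto_tls_set), the hostname check that mosquitto_pub --insecure switches off, and lookup through a capath directory, which only works once the directory holds subject-hash-named entries of the kind c_rehash or openssl rehash create. Every name in it (broker.example.test, "Demo Broker CA", "Unrelated CA", the mktemp scratch directory) is constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original post or from the mosquitto/openssl
# projects. Builds a throwaway CA and broker certificate with the openssl
# command line and runs the checks a TLS client performs before it can send a
# fatal certificate_unknown alert. All names below are constructed for the demo.
set -u

WORK="$(mktemp -d)"
HOST="broker.example.test"      # assumed broker hostname (the post redacts it)

# Minimal req config so the script does not depend on a system openssl.cnf.
write_req_cnf() {               # $1 = output file, $2 = CN
  printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = v3_ca\n' > "$1"
  printf '[dn]\nCN = %s\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' "$2" >> "$1"
  printf 'keyUsage = critical,keyCertSign,cRLSign\n' >> "$1"
}

make_ca() {                     # $1 = file stem, $2 = CN
  write_req_cnf "$WORK/$1.cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_pki() {
  make_ca ca "Demo Broker CA"           # the CA the broker's cert chains to
  make_ca other "Unrelated CA"          # a CA the broker's cert does NOT chain to
  write_req_cnf "$WORK/server.cnf" "$HOST"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Chain check against a CA file (what --cafile / the cafile argument feed).
verify_with_cafile() {          # $1 = CA file; prints ok or fail
  if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Hostname check: the part mosquitto_pub --insecure switches off.
verify_hostname() {             # $1 = hostname the client dialled
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
       "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# capath check: a directory is only searched through <subject_hash>.0 entries
# (what c_rehash / openssl rehash create); a bare ca.crt copy is never found.
verify_with_capath() {          # $1 = unhashed | hashed
  dir="$WORK/capath_$1"
  mkdir -p "$dir" && cp "$WORK/ca.crt" "$dir/ca.crt"
  if [ "$1" = hashed ]; then
    ln -sf ca.crt "$dir/$(openssl x509 -noout -subject_hash -in "$WORK/ca.crt").0"
  fi
  if openssl verify -CApath "$dir" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_pki
echo "scratch dir:            $WORK"
echo "right CA file:          $(verify_with_cafile "$WORK/ca.crt")"      # ok
echo "unrelated CA file:      $(verify_with_cafile "$WORK/other.crt")"   # fail
echo "hostname matches:       $(verify_hostname "$HOST")"                # ok
echo "hostname mismatch:      $(verify_hostname other.example.test)"     # fail
echo "capath without rehash:  $(verify_with_capath unhashed)"            # fail
echo "capath with rehash:     $(verify_with_capath hashed)"              # ok
```

openssl verify runs the same X.509 chain validation the client library runs, so pointing it at the broker's server.crt with exactly the CA file the client is configured with reproduces the client-side decision offline: a non-zero exit there is the cause of a certificate_unknown alert, while a non-zero exit that appears only once -verify_hostname is added points at the name check instead. The scratch files stay in the mktemp directory for inspection.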
