[openssl-users] oppenssl error when connecting to a mosquitto broker with tls security
Sophie Jacquin
sj at gleebees.com
Wed Jan 18 15:43:53 UTC 2017
Hello,
We try to use mosquitto mqtt messages with tls security protocol.
To do so, we follow the following tutorial:
https://primalcortex.wordpress.com/2016/03/31/mqtt-mosquitto-broker-with-ssltls-transport-security/
to generate the authority certificate file and the server certificate we use this script https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh
This tutorial seems complete and well done as we successfully connect several machines by following this method. Nevertheless when trying to configure the broker on our server we encounter several problems.
In the server the mosquitto.conf content is :
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
listener 8884
cafile /etc/mosquitto/certs3/ca.crt
certfile /etc/mosquitto/certs3/server.crt
keyfile /etc/mosquitto/certs3/server.key
Mosquitto version is 1.4.10 and Openssl version is 1.0.2j
When trying to subcribe or publish on port 8884 locally (ie from a client also on the server), no problem, the connection success.
But when we try to connect from an other machine we get different error if we use command line or
mosqutto C library
- With command line
mosquitto_pub -h xxx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884
On server log file
1484748728: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
And ssldump gives the following exit:
0.0384 (0.0384) C>S Handshake
ClientHello
Version 3.3
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa3
Unknown value 0x9f
Unknown value 0x6b
Unknown value 0x6a
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x88
Unknown value 0x87
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
Unknown value 0x3d
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x84
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa2
Unknown value 0x9e
TLS_DHE_DSS_WITH_NULL_SHA
Unknown value 0x40
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x45
Unknown value 0x44
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
Unknown value 0x3c
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xff
compression methods
NULL
1 2 0.0415 (0.0030) S>C Handshake
ServerHello
Version 3.3
session_id[0]=
cipherSuite Unknown value 0xc030
compressionMethod NULL
1 3 0.0415 (0.0000) S>C Handshake
Certificate
1 4 0.0415 (0.0000) S>C Handshake
ServerKeyExchange
1 5 0.0415 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.0783 (0.0368) C>S Alert
level fatal
value certificate_unknown
1 0.0785 (0.0002) S>C TCP FIN
We try and get the same result with machine on which openssl 1.0.2j is installed with mosquitto 1.4.10 than on a machine on which oppenssl 1.0.1t is installed with mosquitto version 1.3.4.
when using the insecure option, it is working well
mosquitto_pub -h xx.xxx.com -t test -m "hello word" --cafile /etc/mosquitto/certs/ca.crt -p 8884 –insecure
but it is not our goal.
-When using C mosquitto library :
openssl-1.1.0c
mosquitto 1.4.10
c-code implementation:
err = mosquitto_tls_set(poMosq,
"/etc/mosquitto/certs/ca.crt",
"/etc/mosquitto/certs/",
NULL,
NULL,
NULL
);
1484747462: OpenSSL Error: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
C>S Handshake
ClientHello
Version 3.3
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa5
Unknown value 0xa3
Unknown value 0xa1
Unknown value 0x9f
Unknown value 0x6b
Unknown value 0x6a
Unknown value 0x69
Unknown value 0x68
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x88
Unknown value 0x87
Unknown value 0x86
Unknown value 0x85
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
Unknown value 0x3d
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x84
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa4
Unknown value 0xa2
Unknown value 0xa0
Unknown value 0x9e
TLS_DHE_DSS_WITH_NULL_SHA
Unknown value 0x40
Unknown value 0x3f
Unknown value 0x3e
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x98
Unknown value 0x97
Unknown value 0x45
Unknown value 0x44
Unknown value 0x43
Unknown value 0x42
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
Unknown value 0x3c
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_IDEA_CBC_SHA
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xff
compression methods
NULL
1 2 0.0426 (0.0032) S>C Handshake
ServerHello
Version 3.3
session_id[0]=
cipherSuite Unknown value 0xc030t
compressionMethod NULL
1 3 0.0426 (0.0000) S>C Handshake
Certificate
1 4 0.0426 (0.0000) S>C Handshake
ServerKeyExchange
1 5 0.0426 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.0770 (0.0344) C>S Alert
level fatal
We check if the common name on the certificate server is good and it corresponds to the hostname used to connect the server, so the problem does not seems to come from here.
We will be very grateful if you could give us some ideas about how to debug this problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170118/2fc733ba/attachment-0001.html>
More information about the openssl-users
mailing list