Re: [mosquitto-dev] Unable to get SSL working: "routines:SSL3_GET_RECORD:wrong version number"

 
Hi Roger,
 
that resolved the issue. Both ways work:
 
* using --insecure allows a connection
* connecting from localhost to localhost instead of the public IP address 
 
 
So my way to make it work was changing gen.sh. Instead of having CN=localhost, I put the FQDN in the CN.
 
Thanks for all your help!
 
Chris
Sent: Wednesday, 17 September 2014 at 00:27
From: "Roger Light" <roger@xxxxxxxxxx>
To: "General development discussions for the mosquitto project" <mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] Unable to get SSL working: "routines:SSL3_GET_RECORD:wrong version number"
Hi Chris,

I meant this client certificate:

> mosquitto_sub --cafile /home/myuser/CA/all-ca.crt --key
> /home/myuser/CA/client.key --cert /home/myuser/CA/client.crt -h 10.0.134.44
> -p 8883 -t 'tbbtb' --tls-version tlsv1.2 -d

Another possible problem is that you're connecting to 10.0.134.44 but
(unless you've modified it) the server certificate is only valid for
"localhost". You could get around that by passing --insecure to
mosquitto_sub.

Cheers,

Roger


On Tue, Sep 16, 2014 at 12:10 PM, <leduke4223@xxxxxxx> wrote:
> Hi Roger,
>
> At the moment I'm in a make-it-run phase, pure testing.
>
> I have not set any additional certificates apart from all-ca.crt and
> server.crt. Do I need any additional settings?
> Is there a step-by-step tutorial somewhere on how to set up mosquitto for
> SSL/TLS?
>
>
> Cheers,
>
> Chris
>
>
> Sent: Tuesday, 16 September 2014 at 12:54
> From: "Roger Light" <roger@xxxxxxxxxx>
> To: "General development discussions for the mosquitto project"
> <mosquitto-dev@xxxxxxxxxxx>
> Subject: Re: [mosquitto-dev] Unable to get SSL working:
> "routines:SSL3_GET_RECORD:wrong version number"
> Hi Chris,
>
>> mosquitto_sub --cafile /home/myuser/CA/all-ca.crt --key
>> /home/myuser/CA/client.key --cert /home/myuser/CA/client.crt -h
>> 10.0.134.44
>> -p 8883 -t 'tbbtb' --tls-version tlsv1.2 -d
>> Unable to connect (8).
>>
>>
>> Broker side:
>>
>> 1410848100: New connection from 10.0.1.44 on port 8883.
>> 1410848100: OpenSSL Error: error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3
>> alert certificate unknown
>> 1410848100: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
>> handshake failure
>> 1410848100: Socket error on client (null), disconnecting.
>
> It looks like the client certificate you are providing isn't
> recognised as valid by the broker. Are you sure you have all of the CA
> certificates set correctly on the broker as well? You've set
> "require_certificate false" but are still sending a client certificate
> - is this what you intend?
>
> I presume you're just using it for testing, but if not I should point
> out that the files generated by test/ssl/gen.sh are only intended for
> the post-compilation tests. They have a weak key length and certainly
> don't match your details :)
>
> Cheers,
>
> Roger
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
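
The name mismatch discussed in this thread can be checked offline, without passing --insecure, by asking OpenSSL which names a server certificate covers. The script below is an added example, not part of the thread or of the project's gen.sh: broker.example.test is a constructed stand-in for the broker's FQDN, the certificates are throwaway self-signed ones, and OpenSSL's matching is assumed to mirror what the client enforces. It goes one step beyond the thread by also adding an IP entry to subjectAltName, so that connecting by address validates too.

```shell
#!/bin/sh
# Added example. All names are constructed: broker.example.test stands in for
# the broker's FQDN; 10.0.134.44 is the address used in the thread.

# make_cert PREFIX CN [SAN]: throwaway self-signed cert (-addext needs OpenSSL >= 1.1.1).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" \
        ${3:+-addext} ${3:+"subjectAltName=$3"} 2>/dev/null
}

# cert_covers CERT NAME: succeeds if OpenSSL accepts CERT for NAME.
cert_covers() {
    case "$2" in
        *[!0-9.]*) flag=-checkhost ;;  # anything beyond digits and dots: DNS name
        *)         flag=-checkip ;;    # IPv4 literal: needs an IP entry in subjectAltName
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# report CERT NAME: print one result line for the pair.
report() {
    if cert_covers "$1" "$2"; then r=match; else r="NO MATCH"; fi
    printf '%-11s -h %-20s %s\n' "$(basename "$1")" "$2" "$r"
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

# "before": CN=localhost only, as in the unmodified test setup described above.
make_cert "$dir/before" localhost
# "after": FQDN in the CN, plus DNS and IP entries in subjectAltName.
make_cert "$dir/after" broker.example.test "DNS:broker.example.test,IP:10.0.134.44"

for cert in "$dir/before.crt" "$dir/after.crt"; do
    for name in localhost broker.example.test 10.0.134.44; do
        report "$cert" "$name"
    done
done
```

An IP literal is never compared against the CN by OpenSSL, which is why the second certificate carries the address as a subjectAltName entry.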
