Re: [mosquitto-dev] TLS handshake failure when connecting to Mosquitto

Hi Jeff,

As long as both sides speak TLS 1.2 there is no need to specify the TLS version.

If using --insecure works, that suggests that the hostname in the
certificate doesn't match the hostname you are connecting to. In other
words, if I had a certificate for example.org then had a client
running on example.org that tried to connect using localhost as the
hostname then it would fail because the hostnames didn't match. That's
the situation most likely for this problem to appear.

Cheers,

Roger


On Wed, Mar 22, 2017 at 9:35 PM, Jeff Armstrong <jeff@xxxxxxxxxxxxxxxxx> wrote:
> Not sure about George, but adding --insecure does resolve the issue
> (although obviously not ideal), but adding --tls-version tlsv1 or any other
> version doesn't resolve it for me.
>
> On Wed, Mar 22, 2017 at 4:42 PM Bradley, Dwayne
> <Dwayne.Bradley@xxxxxxxxxxxxxxx> wrote:
>>
>> George,
>>
>> Have you tried adding the "--tls-version" and "--insecure" options to the
>> mosquitto_sub command?  Something like this:
>>
>> mosquitto_sub -t \$SYS/broker/bytes/\# --cafile ca.crt -p 8883 -v -d -u
>> <username> -P <password> --tls-version tlsv1 --insecure
>>
>> Dwayne
>>
>>
>> -----Original Message-----
>> From: mosquitto-dev-bounces@xxxxxxxxxxx
>> [mailto:mosquitto-dev-bounces@xxxxxxxxxxx] On Behalf Of George Willegers
>> Sent: Wednesday, March 22, 2017 3:23 PM
>> To: mosquitto-dev@xxxxxxxxxxx
>> Subject: [mosquitto-dev] TLS handshake failure when connecting to
>> Mosquitto
>>
>>
>> Hello,
>>
>> I have Mosquitto 1.4.11 running on a Raspberry Pi. The Pi is running
>> Raspbian, kernel version 4.4.50-v7+.
>>
>> I am now trying to set up TLS to create an encrypted connection. I used the
>> script from the OwnTracks instructions (generate-CA.sh).
>>
>> The relevant part of the configuration is:
>>
>>      listener 1883 127.0.0.1
>>      listener 8883
>>      tls_version tlsv1
>>      cafile /etc/mosquitto/ca_certificates/ca.crt
>>      certfile /etc/mosquitto/certs/pi1.crt
>>      keyfile /etc/mosquitto/certs/pi1.key
>>      require_certificate false
>>      allow_anonymous false
>>
>> To test I run (on the Pi):
>>
>>      mosquitto_sub -t \$SYS/broker/bytes/\# -v -d -u <username> -P
>> <password>
>>
>> And the result is:
>>
>>      Client mosqsub/3710-pi1 sending CONNECT
>>      Client mosqsub/3710-pi1 received CONNACK
>>      Client mosqsub/3710-pi1 sending SUBSCRIBE (Mid: 1, Topic:
>> $SYS/broker/bytes/#, QoS: 0)
>>      Client mosqsub/3710-pi1 received SUBACK
>>      Subscribed (mid: 1): 0
>>      Client mosqsub/3710-pi1 received PUBLISH (d0, q0, r1, m0,
>> '$SYS/broker/bytes/received', ... (2 bytes))
>>      $SYS/broker/bytes/received 10
>>      Client mosqsub/3710-pi1 received PUBLISH (d0, q0, r1, m0,
>> '$SYS/broker/bytes/sent', ... (1 bytes))
>>      $SYS/broker/bytes/sent 0
>>      Client mosqsub/3710-pi1 received PUBLISH (d0, q0, r0, m0,
>> '$SYS/broker/bytes/received', ... (2 bytes))
>>      $SYS/broker/bytes/received 87
>>      Client mosqsub/3710-pi1 received PUBLISH (d0, q0, r0, m0,
>> '$SYS/broker/bytes/sent', ... (2 bytes))
>>      $SYS/broker/bytes/sent 68
>>      ^C
>>
>> When I try to use TLS:
>>
>>      mosquitto_sub -t \$SYS/broker/bytes/\# --cafile ca.crt -p 8883 -v -d
>> -u <username> -P <password>
>>
>> The result is:
>>
>>      Unable to connect (A TLS error occurred.).
>>
>> mosquitto.log shows:
>>
>>      1490210296: New connection from 127.0.0.1 on port 8883.
>>      1490210296: OpenSSL Error: error:1409442E:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
>>      1490210296: OpenSSL Error: error:140940E5:SSL
>> routines:SSL3_READ_BYTES:ssl handshake failure
>>      1490210296: Socket error on client <unknown>, disconnecting.
>>
>> Adding -h <hostname> or -h localhost or -h 127.0.0.1 does not change
>> anything.
>>
>> I then recreated the certificate and related files with openssl, using
>> instructions I found here:
>> http://www.steves-internet-guide.com/mosquitto-tls/
>> Unfortunately that did not change the results I get.
>>
>> What is wrong in my setup?
>>
>> Regards,
>> George
>> _______________________________________________
>> mosquitto-dev mailing list
>> mosquitto-dev@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
>
> --
> Jeff Armstrong
> Software Engineer
> Greenfield Labs
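As an added, offline illustration of the hostname-mismatch case Roger describes (this is not code from the thread; the throwaway CA and the broker name "pi1" are constructed, and it assumes openssl 1.1.1 or later is on PATH), the script below issues a CA and broker certificate in the cafile/certfile/keyfile layout from George's listener config and then checks which `-h` hostnames would pass the verification that `--insecure` switches off:

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the hostname check that
# mosquitto_sub performs unless --insecure is given. The CA and the broker
# name "pi1" are constructed; assumes openssl 1.1.1+ on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue ca.crt, pi1.crt and pi1.key. The subjectAltName is the name that
# hostname verification compares against the -h value.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pi1" \
    -keyout "$WORK/pi1.key" -out "$WORK/pi1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:pi1\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/pi1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.ext" -out "$WORK/pi1.crt" >/dev/null 2>&1
}

# hostname_ok HOST: exit 0 if a client connecting with -h HOST would pass
# both the chain check (cafile) and the hostname check, 1 otherwise.
hostname_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/pi1.crt" >/dev/null 2>&1
}

# Show the names the broker certificate actually carries.
cert_names() {
  openssl x509 -in "$WORK/pi1.crt" -noout -text | grep -E 'Subject:|DNS:'
}

make_certs
cert_names
for host in pi1 localhost 127.0.0.1; do
  if hostname_ok "$host"; then
    echo "-h $host: hostname matches the certificate"
  else
    echo "-h $host: hostname mismatch (only --insecure would connect)"
  fi
done
```

Only `-h pi1` passes; `localhost` and `127.0.0.1` fail exactly as Roger describes, which is the case that `--insecure` papers over.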