
Re: [mosquitto-dev] tls ... how to get it working (Leandro)

Hello Leo,

I'm not going to answer any of your specific questions, but it occurred to me you may be encountering a similar issue to what I had (and which took a while to figure out)... I had a case where certificates I generated were being rejected whereas the supplied "test" certificates worked. The problem: the "device" had the date/time set to a default value that preceded the issue date of the certificates I generated. That apparently renders the certificate "bad" (makes sense). I hadn't seen this mentioned in any of the searches I had done while trying to solve my problem; so, I thought I'd mention it. Once I set the date/time on the device to the correct value, the certificate was deemed "good".

Regards,
Kirk

-----Original Message-----
From: mosquitto-dev-bounces@xxxxxxxxxxx [mailto:mosquitto-dev-bounces@xxxxxxxxxxx] On Behalf Of mosquitto-dev-request@xxxxxxxxxxx
Sent: Thursday, September 07, 2017 12:00 PM
To: mosquitto-dev@xxxxxxxxxxx
Subject: EXT SENDER - mosquitto-dev Digest, Vol 45, Issue 3

Send mosquitto-dev mailing list submissions to
mosquitto-dev@xxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
or, via email, send a message with subject or body 'help' to
mosquitto-dev-request@xxxxxxxxxxx

You can reach the person managing the list at
mosquitto-dev-owner@xxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of mosquitto-dev digest..."


Today's Topics:

   1. tls ... how to get it working (Leandro)


----------------------------------------------------------------------

Message: 1
Date: Wed, 6 Sep 2017 17:10:15 -0300
From: Leandro <ingrogger@xxxxxxxxx>
To: mosquitto-dev@xxxxxxxxxxx
Subject: [mosquitto-dev] tls ... how to get it working
Message-ID: <d70875c1-3305-447a-0244-777bdf21688d@xxxxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed

Hi guys.
This is my first post on this mail list.
I'm trying to get mosquitto to work with TLS support; some comments and questions follow.

1
How can I increase the verbosity on the client and server side in order to gather more info when something goes wrong?
So far I can run mosquitto with -v and mosquitto_sub with the -d flag, but I am still not sure where the problem is.

2
I generated CA, server and client certificates using multiple methods,
but only one was successful:
using the "all-ca.crt" CA certificate file included with the mosquitto
documentation.
Then I tried to duplicate my own certificate using the gen.sh script
lines, but could not get it to work.
I executed "diff all-ca.crt test.crt" (test.crt is the one I created)
and there is no difference. No idea what is happening.

3
After reading multiple tutorials...
How is it possible to get TLS working using only the CA cert on the client
side? Is it not necessary to also copy the client.crt and client.key?

4
About the common name certificate parameter:
What is its importance? Should I use the same value in my client to
connect? For instance:

mosquitto_sub -h mqtt.mydomain.com -p 8883  -t "GPIO" --insecure
--cafile ./all-ca.crt
So should the server and CA certificate common name be "mqtt.mydomain.com"?
Is it mandatory?


6
What about des3 on the CA, server and client keys: is it necessary /
mandatory to use it?
What about a passphrase on the CA, server and client... is it necessary /
mandatory to set it?

7
The mosquitto.conf man page mentions that a
PEM encoded CA is required for the CA certificate, but all the
certificates I have been trying have a .crt extension, so... nothing to do
here.

8
Final thought... I would like to use TLS in a similar way to how I do for
OpenVPN connections.
I set a CA cert, server.crt and server.key only once.
Then I generate a client.crt and client.key to provide to new clients.
Is it possible? How do I achieve this?

Regards,
Thanks
Leo.
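The following is an added example, not code from this thread or from the Mosquitto project. It builds a throwaway CA, a broker certificate and a client certificate with openssl(1) and then checks, offline, the points raised in Leo's questions and in Kirk's reply: that the chain verifies, that the certificate matches the hostname given to -h, that a device clock set before the issue date makes an otherwise good certificate "not yet valid", and that "PEM encoded" is about the file contents, not the .crt extension. It assumes openssl is on PATH, uses a scratch directory of its own, and reuses the hostname mqtt.mydomain.com from Leo's mosquitto_sub command; the hostname other.example.org and the client name sensor-01 are made up for the test.

```shell
#!/bin/sh
# Added example, not code from the mosquitto-dev thread or the Mosquitto project.
# Builds a throwaway CA, broker and client certificate with openssl and checks
# chain validity, hostname match, the device-clock problem and PEM vs. extension.
# Assumes openssl(1) is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumed scratch directory for all files below
BROKER_HOST="mqtt.mydomain.com"   # the host from Leo's mosquitto_sub command

# Generate ca.crt, server.crt (with SAN) and client.crt. Keys are written
# without a passphrase (-nodes): a broker must read its key unattended at
# startup, and nothing in TLS requires des3 or a passphrase on the key file.
make_pki() {
  [ -f "$WORK/ca.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test MQTT CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Server: the client checks that the name it connected to appears in the
  # certificate, so CN and a DNS SAN are both set to BROKER_HOST (verifiers
  # look at the SAN when one is present, not at the CN).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$BROKER_HOST" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$BROKER_HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -extfile "$WORK/server.ext" \
      -out "$WORK/server.crt" >/dev/null 2>&1
  # Client: issued once by the same CA, OpenVPN-style; only needed when the
  # broker is configured to require a client certificate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sensor-01" \
      -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$WORK/client.crt" >/dev/null 2>&1
  # The same server certificate, DER encoded but deliberately still named .crt:
  # the broker wants PEM encoding, and the extension says nothing about that.
  openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server-der.crt" >/dev/null 2>&1
}

# Does the certificate chain to our CA?
verify_chain()    { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
# Does the certificate ($1) match the hostname ($2) a client would pass to -h?
verify_hostname() { openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
# Evaluate validity as a device whose clock reads $2 (seconds since the epoch) would.
verify_at()       { openssl verify -CAfile "$WORK/ca.crt" -attime "$2" "$1" >/dev/null 2>&1; }
# Is the file PEM encoded, whatever its extension?
is_pem()          { openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; }

# Broker side of the same setup as a mosquitto.conf fragment. With
# require_certificate true the client must also send --cert/--key; without
# that line, --cafile alone is enough on the client side.
write_broker_conf() {
  cat > "$WORK/mosquitto-tls.conf" <<EOF
listener 8883
cafile $WORK/ca.crt
certfile $WORK/server.crt
keyfile $WORK/server.key
require_certificate true
EOF
}

main() {
  make_pki
  write_broker_conf
  now=$(date +%s)
  verify_chain "$WORK/server.crt" && echo "chain: server.crt ok"
  verify_chain "$WORK/client.crt" && echo "chain: client.crt ok"
  verify_hostname "$WORK/server.crt" "$BROKER_HOST" && echo "hostname: $BROKER_HOST ok"
  verify_hostname "$WORK/server.crt" other.example.org || echo "hostname: other.example.org rejected (expected)"
  verify_at "$WORK/server.crt" "$now" && echo "clock = now: ok"
  # Kirk's case: device clock left at a default date 30 days before issuance.
  verify_at "$WORK/server.crt" "$((now - 30*86400))" || echo "clock 30 days back: rejected (certificate not yet valid)"
  is_pem "$WORK/server.crt" && echo "server.crt: PEM"
  is_pem "$WORK/server-der.crt" || echo "server-der.crt: not PEM although it is named .crt"
  echo "broker config written to $WORK/mosquitto-tls.conf"
}
main "$@"
```

To see what the broker actually sends and why a handshake fails, `openssl s_client -connect mqtt.mydomain.com:8883 -CAfile ca.crt` (add `-cert client.crt -key client.key` when the broker requires a client certificate) prints the verify result code and the chain, which is usually more informative than the client's -d output; `openssl verify -attime` above is the offline way to reproduce the clock problem Kirk describes without touching the device.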




------------------------------

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev

End of mosquitto-dev Digest, Vol 45, Issue 3
********************************************

