Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [mosquitto-dev] mosquitto with tls

Hi,

You don't have to use a known public CA (like GobalSign) in order to be secure.


If you are using a cert issued by your own Certificate Authority, then you need to provide the CA certificate, so that mosquitto can verify that the server certificate is genuine.

--cafile : path to a file containing trusted CA certificates to enable encrypted
               communication.
--capath : path to a directory containing trusted CA certificates to enable encrypted
               communication.

If you have control of both the clients and the server, it might actually be more secure using your own CA, because nobody else can issue a valid certificate, other than you.

You also have the option of issuing certificates to the clients, as well as the server. This allows you to perform mutual authentication - the client can be sure it is talking to the right server, and the service can be sure it is talking to the right client.


nick.


On 2018-07-31 20:32, Manuel Domínguez Dorado wrote:
Hi,

Great!!

AFAIK, you have to use "insecure" unless your certificate is signed by
a well known CA (i.e. if you buy a certificate from verysign,
geotrust...) instead of your own CA. You cannot certify by yourself
that you are a given host.

Best regards.

El mar., 31 de julio de 2018 20:40, Leandro <ingrogger@xxxxxxxxx>
escribió:

Dear Manuel ,
Thanks for your post, I founded something very interesting on it.
You are using "insecure" flag in your mosquitto_pub/sub clients.
I tryed my certs using the "insecure" option  and worked as well ,
then also  tested connection with other client , mqttfx an also
works.
So the issue is there, in the "insecure" flag on the client side.

Reading help, it says:
--insecure : do not check that the server certificate hostname
matches the remote
hostname.

So ..
How should I include the server hostname during ca.crt server
generation?
And , where  does mosquitto_sub client takes the server hostname ?
is it from the -h flag?

Anyway , thanks for your help , I think Im very close to get it.

On 31/07/18 13:27, Manuel Domínguez Dorado wrote:

Hi Leandro,

I wrote a post that perhaps could be of interest for you.


https://www.manolodominguez.com/2017/04/09/instalando-un-broker-mqtt-domestico-iii/


I's spanish but commands are easy to follow and you can use Google
Translator :-)

Hope it helps!

Best regards.

2018-07-31 18:18 GMT+02:00 Leandro <ingrogger@xxxxxxxxx>:

Dear Jagtap ,  Thanks for your advice.
I change all certs directory and files to 777 mode on client and
server side but still not have success.
Regards,
Leo.

On 31/07/18 01:38, Supriya Jagtap wrote:

Hello Leandro,

Can you check if user running mosquito_pub/mosquito_sub has access
permission to the cert and key files.
I had encountered same error while running my mqqt client
implementation. Moving all files to the location with required
access permission solved it for me.

Regards,
Supriya Jagtap
On Tue, Jul 31, 2018 at 9:31 AM, Leandro <ingrogger@xxxxxxxxx>
wrote:
Hi guys.
I would like to ask some help using mosquitto with tls option.
I successfully configured my server with tls option using the
all-ca.crt , server.crt and server.key certificates provided with
mosquitto source.
The problem is when I try to make it work with my own generated
certificates.

I followed official documentation
https://mosquitto.org/man/mosquitto-tls-7.html
and
used the generate-CA.sh script.

But when trying to connect , I receive
"Error: A TLS error occurred."         on the mosquitto_pub and
mosquitto_sub  clients.

And on the server side:

1533005975: OpenSSL Error: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca
1533005975: OpenSSL Error: error:140940E5:SSL
routines:ssl3_read_bytes:ssl handshake failure
(https://mosquitto.org/man/mosquitto-tls-7.html)

1533007440: OpenSSL Error: error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
1533007440: OpenSSL Error: error:140940E5:SSL
routines:ssl3_read_bytes:ssl handshake failure (generate-CA.sh)

I have:
mosquitto 1.4.15 version
and mosquitto_sub version 1.4.15 running on libmosquitto 1.4.15.

Can anyone help?
Some script / tutorial to generate my own pki ?
Is something wrong with my mosquitto server?

Any help would be appreciated,
Regards,
Leandro.

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev

--

---
Manuel Domínguez Dorado
Software engineer (Ph.D, M.Sc., B.Sc.)
Certified Project Management Professional (PMP)
ingeniero@xxxxxxxxxxxxxxxxxxx
http://www.ManoloDominguez.com
(+34) 607 418 760

_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev

 _______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/mosquitto-dev


Back to the top