Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [paho-dev] How to use Android Paho java client to create SSL/TLS connection to mosquitto 
Hi Roger,
The code works fine with test.mosquitto.org:8883 and http://test.mosquitto.org/ssl/mosquitto.org.crt, so I started thinking what's wrong with my ca.crt, server.key and server.crt. My server.crt is a certificate with SAN (Subject Alternate Names), I generated another server.key/crt without SAN, but paho still fails to connect to the mosquitto broker, while mosquito_sub can always successfully connect to the broker with ca.crt.
The server.crt with SAN was generated by https://github.com/binarybucks/mqttitude/blob/master/tools/TLS/generate-CA.sh. The server.crt without SAN was generated following instructions in mosquitto-tls(7), using broker IP as Common Name.
How to debug the paho code? Any debug options? Any other information do I need to provide? 

Thanks
Romu

On 2014/9/29 18:33, Roger Light wrote:

Hi Romu,

I can't help with the Java side of things, but could I suggest that
you try connecting to test.mosquitto.org:8883 as well? The
corresponding CA certificate is linked to on http://test.mosquitto.org

This is known to be working, so would help you eliminate any problems
with your server setup, as opposed to the client side.

Cheers,

Roger

On Mon, Sep 29, 2014 at 11:22 AM, Romu Hu <huruomu@xxxxxxxxx> wrote:

Hi,

I have been using
org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
to test SSL/TLS connection to mosquitto.  The connection always fail, the
log on the mosquitto broker side is:

1411985829: New connection from xx.xx.xx.xx on port 8883.
1411985829: OpenSSL Error: error:1408A10B:SSL
routines:SSL3_GET_CLIENT_HELLO:wrong version number

But I could use the following mosquitto_sub command line to successfully
connect to the mosquitto broker (8883):

# mosquitto_sub -c -d -h xxx.xxx.xxx.xxx -p 8883 --cafile ca.crt -i
myclientid -q 1 -t mytopic -v

Below is the listener config of my mosquitto broker:

# Default listener
bind_address xxx.xxx.xxx.xxx
port 8883
max_connections -1
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
tls_version tlsv1.2

Below is my modification to ClientConnections.java:

diff --git
a/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
b/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
index c3133c5..a6af9a6 100644
---
a/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
+++
b/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
@@ -238,6 +238,20 @@ public class ClientConnections extends ListActivity {
        Log.e("SSLConnection", "Doing an SSL Connect");
        uri = "ssl://";

+      try {
+        SSLContext context;
+        KeyStore ts = KeyStore.getInstance("bks");
+        ts.load(getResources().openRawResource(R.raw.ca),
"123456".toCharArray());
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
+        tmf.init(ts);
+        TrustManager[] tm = tmf.getTrustManagers();
+        context = SSLContext.getInstance("TLSv1.2");
+        context.init(null, tm, null);
+        SocketFactory factory = context.getSocketFactory();
+        conOpt.setSocketFactory(factory);
+      } catch (Exception e) {
+        // TODO: handle exception
+      }
      }
      else {
        uri = "tcp://";

I used the following command to convert ca.crt (generated by openssl) to
ca.bks:

keytool -importcert -keystore C:\Users\shengli\Desktop\ca.bks -file
C:\Users\shengli\Desktop\ca.crt -storetype BKS -provider
org.bouncycastle.jce.provider.BouncyCastleProvider

Passphrase of the bks is set to 123456.

Any idea?

Thanks
Romu


On 2014/9/25 17:41, Romu Hu wrote:

Hi,

I've been trying to use Android Paho java client to create SSL/TLS
connection to mosquitto.  My mosquitto broker has two TLS listeners, one
requires client certificate, the other one does not.

How to connect to the listener that requires client certificate? How to
connect to the one that does not?  The ca certificate, client certificate
and client key are stored in the Android device.  Any third-party java
libraries needed?  Any code examples?

Thanks
Romu


_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev

_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev

Back to the top