Re: [paho-dev] How to use Android Paho java client to create SSL/TLS connection to mosquitto

Hi Romu,

I'm not commenting on the Paho side, but I will note that the
behaviour in mosquitto will change in the next version. The current
1.3.x versions use TLSv1.2 by default and accept only that. The next
version will accept any of TLSv1.2, TLSv1.1 or TLSv1.0 by default,
although it will be possible to restrict it to specific versions.

Cheers,

Roger


On Tue, Sep 30, 2014 at 10:23 AM, Romu Hu <huruomu@xxxxxxxxx> wrote:
> Update on the issue:
>
> I found the paho error message:
>
> javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL
> handshake aborted: ssl=0xb97d9f50: Failure in SSL library, usually a
> protocol error
> error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert protocol version (external/openssl/ssl/s23_clnt.c:741
> 0x9c3e6b11:0x00000000)
>
> Though in my code it's "context = SSLContext.getInstance("TLSv1.2"); ",
> PAHO actually tries to connect to the broker with tlsv1, hence the failure.
> I reconfigured my mosquitto listener to use "TLSv1" as tls_version and the
> code connects fine.
>
> Is it a bug of PAHO?
>
> Thanks
> Romu
>
>
> On 2014/9/30 16:59, Romu Hu wrote:
>>
>> Hi Roger,
>>
>> The code works fine with test.mosquitto.org:8883 and
>> http://test.mosquitto.org/ssl/mosquitto.org.crt, so I started thinking
>> what's wrong with my ca.crt, server.key and server.crt. My server.crt is a
>> certificate with SAN (Subject Alternate Names), I generated another
>> server.key/crt without SAN, but paho still fails to connect to the mosquitto
>> broker, while mosquitto_sub can always successfully connect to the broker
>> with ca.crt.
>>
>> The server.crt with SAN was generated by
>> https://github.com/binarybucks/mqttitude/blob/master/tools/TLS/generate-CA.sh.
>> The server.crt without SAN was generated following instructions in
>> mosquitto-tls(7), using broker IP as Common Name.
>>
>> How to debug the paho code?  Any debug options?  Any other information I
>> need to provide?
>>
>> Thanks
>> Romu
>>
>> On 2014/9/29 18:33, Roger Light wrote:
>>>
>>> Hi Romu,
>>>
>>> I can't help with the Java side of things, but could I suggest that
>>> you try connecting to test.mosquitto.org:8883 as well? The
>>> corresponding CA certificate is linked to on http://test.mosquitto.org
>>>
>>> This is known to be working, so would help you eliminate any problems
>>> with your server setup, as opposed to the client side.
>>>
>>> Cheers,
>>>
>>> Roger
>>>
>>> On Mon, Sep 29, 2014 at 11:22 AM, Romu Hu <huruomu@xxxxxxxxx> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have been using
>>>>
>>>> org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
>>>> to test SSL/TLS connection to mosquitto.  The connection always fails;
>>>> the log on the mosquitto broker side is:
>>>>
>>>> 1411985829: New connection from xx.xx.xx.xx on port 8883.
>>>> 1411985829: OpenSSL Error: error:1408A10B:SSL
>>>> routines:SSL3_GET_CLIENT_HELLO:wrong version number
>>>>
>>>> But I could use the following mosquitto_sub command line to successfully
>>>> connect to the mosquitto broker (8883):
>>>>
>>>> # mosquitto_sub -c -d -h xxx.xxx.xxx.xxx -p 8883 --cafile ca.crt -i
>>>> myclientid -q 1 -t mytopic -v
>>>>
>>>> Below is the listener config of my mosquitto broker:
>>>>
>>>> # Default listener
>>>> bind_address xxx.xxx.xxx.xxx
>>>> port 8883
>>>> max_connections -1
>>>> cafile /etc/mosquitto/ca.crt
>>>> certfile /etc/mosquitto/server.crt
>>>> keyfile /etc/mosquitto/server.key
>>>> tls_version tlsv1.2
>>>>
>>>> Below is my modification to ClientConnections.java:
>>>>
>>>> diff --git
>>>>
>>>> a/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
>>>>
>>>> b/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
>>>> index c3133c5..a6af9a6 100644
>>>> ---
>>>>
>>>> a/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
>>>> +++
>>>>
>>>> b/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java
>>>> @@ -238,6 +238,20 @@ public class ClientConnections extends ListActivity
>>>> {
>>>>         Log.e("SSLConnection", "Doing an SSL Connect");
>>>>         uri = "ssl://";
>>>>
>>>> +      try {
>>>> +        SSLContext context;
>>>> +        KeyStore ts = KeyStore.getInstance("bks");
>>>> +        ts.load(getResources().openRawResource(R.raw.ca),
>>>> "123456".toCharArray());
>>>> +        TrustManagerFactory tmf =
>>>> TrustManagerFactory.getInstance("X509");
>>>> +        tmf.init(ts);
>>>> +        TrustManager[] tm = tmf.getTrustManagers();
>>>> +        context = SSLContext.getInstance("TLSv1.2");
>>>> +        context.init(null, tm, null);
>>>> +        SocketFactory factory = context.getSocketFactory();
>>>> +        conOpt.setSocketFactory(factory);
>>>> +      } catch (Exception e) {
>>>> +        // TODO: handle exception
>>>> +      }
>>>>       }
>>>>       else {
>>>>         uri = "tcp://";
>>>>
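Review bot: the `catch (Exception e) { // TODO: handle exception }` closing the added block swallows every failure from `KeyStore.getInstance("bks")`, `ts.load(...)`, `tmf.init(ts)` and `context.init(...)`, so a wrong BKS password, an unsupported store type or an empty trust store leaves `conOpt` without the custom factory and the connect proceeds with whatever Paho defaults to, hiding the real cause; log the exception and bail out of the SSL connect instead, e.g. `} catch (Exception e) { Log.e("SSLConnection", "trust store setup failed", e); return; }` (or let the checked exceptions propagate). Separately, `context = SSLContext.getInstance("TLSv1.2")` only chooses the provider's context implementation; it does not guarantee that sockets from `context.getSocketFactory()` have TLSv1.2 enabled, and the `tlsv1 alert protocol version` failure reported later in this thread against a `tls_version tlsv1.2` listener is consistent with the socket offering an older version. Enable TLSv1.2 explicitly with `setEnabledProtocols(new String[]{"TLSv1.2"})` on each `SSLSocket` (via a wrapping `SSLSocketFactory`), or at least log `getEnabledProtocols()` when debugging. Minor: the literal `"123456".toCharArray()` is only an integrity check for a CA-only trust store, but keeping the password out of source avoids the same pattern being copied for a store that also holds the client key.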
>>>> I used the following command to convert ca.crt (generated by openssl) to
>>>> ca.bks:
>>>>
>>>> keytool -importcert -keystore C:\Users\shengli\Desktop\ca.bks -file
>>>> C:\Users\shengli\Desktop\ca.crt -storetype BKS -provider
>>>> org.bouncycastle.jce.provider.BouncyCastleProvider
>>>>
>>>> Passphrase of the bks is set to 123456.
>>>>
>>>> Any idea?
>>>>
>>>> Thanks
>>>> Romu
>>>>
>>>>
>>>> On 2014/9/25 17:41, Romu Hu wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've been trying to use Android Paho java client to create SSL/TLS
>>>>> connection to mosquitto.  My mosquitto broker has two TLS listeners, one
>>>>> requires client certificate, the other one does not.
>>>>>
>>>>> How to connect to the listener that requires client certificate? How to
>>>>> connect to the one that does not?  The ca certificate, client certificate
>>>>> and client key are stored in the Android device.  Any third-party java
>>>>> libraries needed?  Any code examples?
>>>>>
>>>>> Thanks
>>>>> Romu
>>>>
>>>>
>>>> _______________________________________________
>>>> paho-dev mailing list
>>>> paho-dev@xxxxxxxxxxx
>>>> To change your delivery options, retrieve your password, or unsubscribe
>>>> from
>>>> this list, visit
>>>> https://dev.eclipse.org/mailman/listinfo/paho-dev
>>>
>>
>>
>
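An added example (not code from this thread or from the Paho project) of the socket factory the messages above circle around: it builds the context from the ca.bks trust store, optionally adds a client BKS for the listener that requires a client certificate, lets setup failures propagate instead of swallowing them, and enables only TLSv1.2 on every socket it creates, because the protocol name passed to SSLContext.getInstance does not by itself decide which versions a socket offers. The class name, parameter names and the assumption that the device's provider supports TLSv1.2 (Android 4.1 and later) are mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.*;

/** Wraps the JSSE factory so every socket it hands out has only TLSv1.2 enabled. */
public final class Tls12SocketFactory extends SSLSocketFactory {
    private static final String[] PROTOCOLS = { "TLSv1.2" };
    private final SSLSocketFactory delegate;
    private Tls12SocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /* caBks: BKS trust store holding the broker CA (the ca.bks from the thread).
     * clientBks: BKS holding client cert + key for the mutual-TLS listener, or null
     * for the listener that needs no client cert. Errors are propagated on purpose:
     * a broken trust store must not fall through to a default socket factory. */
    public static Tls12SocketFactory create(InputStream caBks, char[] caPass,
            InputStream clientBks, char[] clientPass)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance("BKS");
        ts.load(caBks, caPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        KeyManager[] km = null;                       // null = no client certificate
        if (clientBks != null) {
            KeyStore ks = KeyStore.getInstance("BKS");
            ks.load(clientBks, clientPass);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, clientPass);
            km = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(km, tmf.getTrustManagers(), null);
        return new Tls12SocketFactory(ctx.getSocketFactory());
    }

    // Restrict the enabled protocols on each socket before Paho starts the handshake.
    private Socket pin(Socket s) {
        if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
        return s;
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return pin(delegate.createSocket()); }
    @Override public Socket createSocket(String h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return pin(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return pin(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean ac) throws IOException { return pin(delegate.createSocket(s, h, p, ac)); }
}
```

For the listener without client authentication the call in ClientConnections.java becomes `conOpt.setSocketFactory(Tls12SocketFactory.create(getResources().openRawResource(R.raw.ca), caPassword, null, null));`, with a second raw resource and password supplied for the mutual-TLS listener.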