
Re: [paho-dev] How to use Android Paho java client to create SSL/TLS connection to mosquitto

Romu,

Possibly something related to this problem? http://stackoverflow.com/questions/16531807/android-client-server-on-tls-v1-2

Al

On 30/09/14 10:23, Romu Hu wrote:
Update on the issue:

I found the paho error message:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException:
SSL handshake aborted: ssl=0xb97d9f50: Failure in SSL library, usually a
protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
alert protocol version (external/openssl/ssl/s23_clnt.c:741
0x9c3e6b11:0x00000000)

Though in my code it's "context = SSLContext.getInstance("TLSv1.2"); ",
PAHO actually tries to connect to the broker with tlsv1, hence the
failure.  I reconfigured my mosquitto listener to use "TLSv1" as
tls_version and the code connects fine.

Is it a bug of PAHO?

Thanks
Romu

On 2014/9/30 16:59, Romu Hu wrote:
Hi Roger,

The code works fine with test.mosquitto.org:8883 and
http://test.mosquitto.org/ssl/mosquitto.org.crt, so I started thinking
what's wrong with my ca.crt, server.key and server.crt. My server.crt
is a certificate with SAN (Subject Alternate Names), I generated
another server.key/crt without SAN, but paho still fails to connect to
the mosquitto broker, while mosquitto_sub can always successfully
connect to the broker with ca.crt.

The server.crt with SAN was generated by
https://github.com/binarybucks/mqttitude/blob/master/tools/TLS/generate-CA.sh.
The server.crt without SAN was generated following instructions in
mosquitto-tls(7), using broker IP as Common Name.

How do I debug the Paho code?  Any debug options?  Is there any other
information I need to provide?

Thanks
Romu

On 2014/9/29 18:33, Roger Light wrote:
Hi Romu,

I can't help with the Java side of things, but could I suggest that
you try connecting to test.mosquitto.org:8883 as well? The
corresponding CA certificate is linked to on http://test.mosquitto.org

This is known to be working, so would help you eliminate any problems
with your server setup, as opposed to the client side.

Cheers,

Roger

On Mon, Sep 29, 2014 at 11:22 AM, Romu Hu <huruomu@xxxxxxxxx> wrote:
Hi,

I have been using
org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java

to test SSL/TLS connection to mosquitto.  The connection always
fails; the log on the mosquitto broker side is:

1411985829: New connection from xx.xx.xx.xx on port 8883.
1411985829: OpenSSL Error: error:1408A10B:SSL
routines:SSL3_GET_CLIENT_HELLO:wrong version number

But I could use the following mosquitto_sub command line to
successfully
connect to the mosquitto broker (8883):

# mosquitto_sub -c -d -h xxx.xxx.xxx.xxx -p 8883 --cafile ca.crt -i
myclientid -q 1 -t mytopic -v

Below is the listener config of my mosquitto broker:

# Default listener
bind_address xxx.xxx.xxx.xxx
port 8883
max_connections -1
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
tls_version tlsv1.2

Below is my modification to ClientConnections.java:

diff --git
a/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java

b/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java

index c3133c5..a6af9a6 100644
---
a/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java

+++
b/org.eclipse.paho.android.service/org.eclipse.paho.android.service.sample/src/org/eclipse/paho/android/service/sample/ClientConnections.java

@@ -238,6 +238,20 @@ public class ClientConnections extends
ListActivity {
        Log.e("SSLConnection", "Doing an SSL Connect");
        uri = "ssl://";

+      try {
+        SSLContext context;
+        KeyStore ts = KeyStore.getInstance("bks");
+        ts.load(getResources().openRawResource(R.raw.ca),
"123456".toCharArray());
+        TrustManagerFactory tmf =
TrustManagerFactory.getInstance("X509");
+        tmf.init(ts);
+        TrustManager[] tm = tmf.getTrustManagers();
+        context = SSLContext.getInstance("TLSv1.2");
+        context.init(null, tm, null);
+        SocketFactory factory = context.getSocketFactory();
+        conOpt.setSocketFactory(factory);
+      } catch (Exception e) {
+        // TODO: handle exception
+      }
      }
      else {
        uri = "tcp://";
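Review bot: the empty `catch (Exception e)` block with `// TODO: handle exception` swallows every failure in the added `try`, so a wrong BKS password, a missing `R.raw.ca` or a `NoSuchAlgorithmException` from `SSLContext.getInstance("TLSv1.2")` would leave `conOpt` without the custom factory and the client would silently fall back to the platform default socket factory and trust store; at least log the exception and abort the SSL connect. Separately, `SSLContext.getInstance("TLSv1.2")` followed by `context.getSocketFactory()` does not by itself enable TLSv1.2 on the sockets the factory creates, since the enabled protocol list comes from the platform defaults, which is consistent with the later observation in this thread that the handshake actually went out as TLSv1 against a listener pinned to `tls_version tlsv1.2`. Wrap the factory and call `setEnabledProtocols(new String[] {"TLSv1.2"})` on each `SSLSocket` it returns before passing it to `conOpt.setSocketFactory(...)`. The stream from `openRawResource(R.raw.ca)` is also never closed after `ts.load(...)`.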

I used the following command to convert ca.crt (generated by
openssl) to
ca.bks:

keytool -importcert -keystore C:\Users\shengli\Desktop\ca.bks -file
C:\Users\shengli\Desktop\ca.crt -storetype BKS -provider
org.bouncycastle.jce.provider.BouncyCastleProvider

Passphrase of the bks is set to 123456.

Any idea?

Thanks
Romu


On 2014/9/25 17:41, Romu Hu wrote:
Hi,

I've been trying to use the Android Paho Java client to create an SSL/TLS
connection to mosquitto.  My mosquitto broker has two TLS
listeners, one requires a client certificate, the other one does not.

How do I connect to the listener that requires a client certificate?
How do I connect to the one that does not?  The CA certificate, client
certificate and client key are stored on the Android device.  Are any
third-party Java libraries needed?  Any code examples?

Thanks
Romu

_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or
unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev



