Mosquitto Connection Errors - ssl

I have a Mosquitto 2.0.14 broker running in a Windows server 2019. I have following configs in mosquitto.conf:
listener 1883 localhost
allow_anonymous true
listener 8883
protocol mqtt
allow_anonymous false
password_file C:\mosquitto\password.txt
certfile C:\Certbot\live\dev-mqtt-broker.mysite.com\cert.pem
cafile C:\Certbot\live\dev-mqtt-broker.mysite.com\fullchain.pem
keyfile C:\Certbot\live\dev-mqtt-broker.mysite.com\privkey.pem
listener 9002
protocol websockets
socket_domain ipv4
allow_anonymous false
password_file C:\mosquitto\password.txt
I can connect to it over all these ports using mqtt://, mqtts://, ssl:// and ws://, protocols from NodeJS Code using MQTT.js library and from third party MQTT Clients like MQTTX.
But when I try to connect my device using ssl:// protocol over port 8883, sometimes I get different kinds of errors in Mosquitto logs. Some of these errors are:
OpenSSL Error[0]: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
OpenSSL Error[0]: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share
OpenSSL Error[0]: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (frequent)
OpenSSL Error[0]: error:1408F09C:SSL routines:ssl3_get_record:http request (frequent)
OpenSSL Error[0]: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
OpenSSL Error[0]: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Client <unknown> disconnected due to protocol error.
Client <unknown> disconnected due to malformed packet.
I have spent considerable time trying to learn about these errors but I can't seem to understand what is happening.
Any help would be great. Thanks in advance.

Related

mosquitto openssl error: ssl3_get_record:wrong version number

When I use mosquitto to establish a TLS connection with my client program on a router, it doesn't work.
Here is the error log:
[21028.515924]~DLT~14068~INFO ~FIFO /tmp/dlt cannot be opened. Retrying later...
1635324116: mosquitto version 1.6.9 starting
1635324116: Config loaded from /etc/mosquitto/mosquitto.conf.
1635324116: Opening ipv4 listen socket on port 8883.
1635324116: Opening ipv6 listen socket on port 8883.
1635324132: New connection from 192.168.8.1 on port 8883.
1635324132: OpenSSL Error[0]: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
1635324132: Socket error on client <unknown>, disconnecting.
Here is my mosquitto.conf:
port 8883
cafile /mnt/d/Files/Desktop/Project/cert/ca/ca.crt
certfile /mnt/d/Files/Desktop/Project/cert/broker/broker.crt
keyfile /mnt/d/Files/Desktop/Project/cert/broker/broker.key
require_certificate true
tls_version tlsv1.2
Here is my client SSL code:
ssl_opts.trustStore = "/mnt/d/Files/Desktop/Project/cert/ca/ca.crt";
ssl_opts.keyStore = "/mnt/d/Files/Desktop/Project/cert/client/client.crt";
ssl_opts.privateKey = "/mnt/d/Files/Desktop/Project/cert/client/client.key";
ssl_opts.enableServerCertAuth = 1;
ssl_opts.verify = 1;
ssl_opts.sslVersion = MQTT_SSL_VERSION_TLS_1_2;
Here is more specific code of my client:
publisher.h
publisher.c
agent.c
From the docs:
An optional array of null-terminated strings specifying the servers to
which the client will connect. Each string takes the form
protocol://host:port. protocol must be tcp or ssl. For host, you can
specify either an IP address or a host name. For instance, to connect
to a server running on the local machines with the default MQTT port,
specify tcp://localhost:1883. If this list is empty (the default), the
server URI specified on MQTTClient_create() is used.
Make sure your URL starts with ssl:// not just an IP address and port.

How to force 'OpenConnect' client to use TLS 1.0

I'm using 'OpenConnect version v8.05' on Red Hat Enterprise Linux 8.1 (Ootpa) in order to connect to a server.
The server only accepts SSLv3, TLSv1.0 ciphers and I don't have access to the server for security update/upgrade.
When I try to connect:
[root#RHEL8 ~]# openconnect --authenticate XXX.XXX.XXX.XXX:443 -status -msg -debug
MTU 0 too small
POST https://XXX.XXX.XXX.XXX/
Connected to XXX.XXX.XXX.XXX:443
SSL negotiation with XXX.XXX.XXX.XXX
SSL connection failure: A packet with illegal or unsupported version was received.
Failed to open HTTPS connection to XXX.XXX.XXX.XXX
Failed to obtain WebVPN cookie
I have changed OpenSSL Min SSL Protocol by changing:
/etc/crypto-policies/back-ends/opensslcnf.config
MinProtocol = TLSv1.0
Now I'm able to handshake the server using 'openssl s_client -connect'. But the openconnect client is not yet able to connect to the server.
How can I force it to use TLS 1.0?
I have filed an issue on their community issue tracker and got useful info.
It is possible to allow this insecure connection with any version newer than 8.05(currently not available on rpm repositories) as mentioned by the maintainer:
$ ./openconnect --gnutls-priority "NONE:+VERS-SSL3.0:+VERS-TLS1.0:%NO_EXTENSIONS:%SSL3_RECORD_VERSION:+3DES-CBC:+ARCFOUR-128:+MD5:+SHA1:+COMP-ALL:+KX-ALL" ***

Facing Error while using TLS with mosquitto

I am trying to use TLS for communicating over mqtt. I have ubuntu installed in my system. For using TLS, I have created certificates using the below link:
http://www.embedded101.com/Blogs/PaoloPatierno/entryid/366/mqtt-over-ssl-tls-with-the-m2mqtt-library-and-the-mosquitto-broker
I am able to create certificates. But when I give value to bind_address property in the mosquitto_m2mqtt.conf file and start mosquitto using the command mosquitto -c mosquitto_m2mqtt.conf, I get error as given in the subject of the question; i.e., Error: cannot assign requested address. Please let me know how to resolve this.
Below is the content of config file:
port 8883
bind_address iothdp02
cafile /etc/mosquitto/m2mqtt_ca.crt
certfile /etc/mosquitto/m2mqtt_srv.crt
keyfile /etc/mosquitto/m2mqtt_srv.key
tls_version tlsv1
When I run the command mosquitto -c mosquitto_m2mqtt.conf -v, I am getting as error as:
1551089294: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551089294: Config loaded from mosquitto_m2mqtt.conf.
1551089294: Opening ipv4 listen socket on port 8883.
1551089294: Error: Cannot assign requested address
Edit 1:
I have removed bind_address from config file and starting mosquitto with the new config file with 'mosquitto -c mosquitto_m2mqtt.conf -v'. Mosquitto starts, but when I run mosquitto_sub command, I am getting error as below:
mosquitto -c mosquitto_m2mqtt.conf -v
1551172930: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551172930: Config loaded from mosquitto_m2mqtt.conf.
1551172930: Opening ipv4 listen socket on port 8883.
1551172930: Opening ipv6 listen socket on port 8883.
Enter PEM pass phrase:
1551172960: New connection from 127.0.0.1 on port 8883.
1551172960: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1551172960: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1551172960: Socket error on client <unknown>, disconnecting.
In the window that I am subscribing, I am getting error as below:
mosquitto_sub -p 8883 -q 1 -t sensor/temp --cafile /etc/mosquitto/m2mqtt_srv.crt --tls-version tlsv1 -d
Unable to connect (A TLS error occurred.).
If you pass a hostname to the bind_address argument it must resolve to a valid IP address, this is not necessarily the same as the output from hostname.
This has nothing to do with the TLS/certificate setup it is purely how mosquitto identifies which address to bind to.
You have a few choices on how to fix this:
remove the bind_address line, this will cause mosquitto to listen on all available addresses
ensure that what ever you use in the bind_address field resolves to an IP address bound to an interface on the machine the broker is running. This might mean using the fully qualified domain name (you probably should have used that in the broker's certificate CN as well)
replace the hostname with the ip address for the interface you want mosquitto to listen on.

mosquitto-clients and broker running on SSL

I've managed to setup a broker using SSL using Let's Encrypt certs.
I've tried testing a websockets client connecting to wss://broker:9002/mqtt, and it's working. I've also tried using mqtt.js command-line interface to subscribe to a topic on the broker mqtts://broker:8883/mqtt successfully.
However, I can't get mosquitto_sub and mosquitto_pub to work.
I tried with,
$ mosquitto_sub -h www.my-host.com.ar -p 8883 -t hello -d --cafile fullchain.pem
Client mosqsub/21069-atlantis sending CONNECT
Error: A TLS error occurred.
where fullchain.pem is the same ca cert that's on the server.
The mosquitto.log's broker shows,
1456709201: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1456709201: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1456709201: Socket error on client <unknown>, disconnecting.
1456709206: New connection from <my-ip> on port 8883.
What could be happening? I didn't provide any cert for mqtt.js lib...
This is my broker conf (splitted in two files),
#################################
# /etc/mosquitto/mosquitto.conf #
#################################
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
listener 1883
listener 8883
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem
include_dir /etc/mosquitto/conf.d
#############################################
# /etc/mosquitto/conf.d/websockets_ssl.conf #
#############################################
listener 9002
protocol websockets
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem
Try adding "--insecure" at the end of the mosquitto_sub and mosquitto_pub commands. This allows the clients to bypass the check that matches the certificate hostname with the remote host name. I've had to do this with some of the self-signed certs that I generated.
Here is the relevant comments from the "--help" for those commands:
--insecure : do not check that the server certificate hostname matches the remote
hostname. Using this option means that you cannot be sure that the
remote host is the server you wish to connect to and so is insecure.
Do not use this option in a production environment.

Config SSL mosquitto error

I tried to config SSL for mostquitto following these steps.
When I restart mosquitto, there is an error:
1435120150: mosquitto version 1.4.2 (build date Mon, 18 May 2015 15:25:19 +0100) starting
1435120150: Config loaded from /etc/mosquitto/mosquitto.conf.
1435120150: Opening ipv4 listen socket on port 8883.
1435120150: Error: Unable to create TLS context.
This is my mosquitto config:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
bind_address Dell
port 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/Dell.crt
keyfile /etc/mosquitto/certs/Dell.key
tls_version tlsv1
How to configure it correctly?
Unable to create TLS context suggests that the call to SSL_CTX_new() failed. This is right at the beginning of setting up the SSL options for the listening socket and is very unexpected.
The only things you can do to influence this are to check your version of openssl, and to change/remove the tls_version option. Removing it is the best bet unless you have a particular reason to disallow TLSv1.1 or TLSv1.2 (or TLSv1.3 in the future).
Another solution ... for a [different] specific cause.
For the error "Error: Problem setting TLS options", one specific cause was fixed like this:
-- in the mosquitto config file, the lines of config parameters with cert, key, and CA filenames contained a 'space' character after each filename, and before the end-of-line character.
-- removing the space just before the end-of-line character caused the error to no longer appear.
-- the mosquitto broker then started up with no errors.
Please check client system time and ssl certificate end date, client system time must be in between ssl certificate start time and end time
Check Client System Date :
date
Check openssl certificate end date :
openssl x509 -enddate -noout -in cacert.pem