Client cannot connect with generated certificates from mosquitto-tls-7

Bug #1274272 reported by dabozz

This bug report was converted into a question: question #243445: Client cannot connect with generated certificates from mosquitto-tls-7.

Affects: mosquitto
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,
I followed the instructions for creating certificates from mosquitto-tls-7. Somehow I cannot connect with the client:

mosquitto_sub -h example.org -t "#" -d --cafile /etc/mosquitto/ca_certificates/ca.crt
Client mosqsub/21114-raspberry sending CONNECT
OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Following errors show in mosquitto.log:

1391023277: New connection from xxx.xxx.xxx.xxx on port 1883.
1391023277: OpenSSL Error: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
1391023277: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

The ca.crt is created via
openssl req -new -x509 -days <duration> -extensions v3_ca -keyout ca.key -out ca.crt

In the ca.crt it says:
openssl x509 -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
...

The server.crt is created via
openssl genrsa -des3 -out server.key 2048
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <duration>

and in the server.crt:
openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
...

The SSL version of the protocols do not match. But I think they should. Is it a bug in the man?
mosquitto version 1.2.3 (build date 2014-01-06 11:53:51+0000)
OpenSSL 1.0.1e 11 Feb 2013

Let me know if there is something I can provide.

Greetings,
dabozz

Revision history for this message
Roger Light (roger.light) wrote: Re: [Bug 1274272] [NEW] Client cannot connect with generated certificates from mosquitto-tls-7

You're definitely using mosquitto_sub from 1.2 or newer? Previous
versions would use TLSv1 only. You could try specifying the version of
TLS to use on the mosquitto_sub command line and/or in the mosquitto
configuration file.

It certainly should work!

On Wed, Jan 29, 2014 at 8:04 PM, dabozz <email address hidden> wrote:

dabozz (dabozz7) wrote:

Hi,
I have
mosquitto_sub version 1.2.3 running on libmosquitto 1.2.3.

my mosquitto.conf is:

# Place your local configuration in /etc/mosquitto/conf.d/
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d

conf.d/mosquitto.conf:

require_certificate false
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1

The certificates are generated by the man mosquitto-tls-7.
While generating the certificates for the client I changed the CN and Organisational Unit like you described here:
https://<email address hidden>/msg00076.html

mosquitto_sub -h ip-adress -t "#" -d --cafile /etc/mosquitto/ca_certificates/ca.crt --key /etc/mosquitto/client/client.key --cert /etc/mosquitto/client/client.crt --tls-version tlsv1
Enter PEM pass phrase:
Client mosqsub/32020-raspberry sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

mosquitto_pub -h ip-adress -t "test" -m hello --cafile /etc/mosquitto/ca_certificates/ca.crt --tls-version tlsv1 --key /etc/mosquitto/client/client.key --cert /etc/mosquitto/client/client.crt -d
Enter PEM pass phrase:
Client mosqpub/32030-raspberry sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

/var/log/mosquitto/mosquitto.log:

1391196703: mosquitto version 1.2.3 (build date 2014-01-06 11:53:51+0000) starting
1391196703: Config loaded from /etc/mosquitto/mosquitto.conf.
1391196703: Opening ipv4 listen socket on port 1883.
1391196703: Opening ipv6 listen socket on port 1883.
1391196703: Warning: Address family not supported by protocol
1391196705: New connection from 95.117.127.121 on port 1883.
1391196707: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1391196707: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1391196707: Socket read error on client (null), disconnecting.
1391196712: New connection from 95.117.127.121 on port 1883.
1391196714: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1391196714: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1391196714: Socket read error on client (null), disconnecting.
1391196728: mosquitto version 1.2.3 terminating
1391196728: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.

That means I sorted out the 'tlsv1 alert protocol version' issue, but now I got a new one. Can someone give me hints, please?

dabozz
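The two things this thread inspects are the certificate "Version" field (v1 for the server certificate, v3 for the CA) and whether the CA actually verifies the server certificate (the client-side "certificate verify failed" and the broker-side "tlsv1 alert unknown ca" are the two ends of the same failed check). The script below is an added example, not code from the bug report or from the mosquitto project: it builds a throw-away CA and broker certificate with the same openssl commands the man page uses, but passes -extfile/-extensions so that `openssl x509 -req` emits an X.509 v3 certificate instead of a v1 one, gives the CA and the server distinct subjects, and then runs the checks offline with `openssl verify`. The output directory, the CA name pki-demo-ca and the hostname broker.example.test are assumptions for the demo; the probe_broker function goes slightly beyond the thread by showing how `openssl s_client` reports the negotiated protocol and verify result for a live listener.

```shell
#!/bin/sh
# Added example (not from the bug report or the mosquitto project).
# Names used here (pki-demo-ca, broker.example.test, the output dir) are
# assumptions for the demo, not values from the thread.

# Write a minimal OpenSSL config: a [req] section so "openssl req" does not
# depend on the system openssl.cnf, plus the CA and server extension sections.
write_pki_config() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
commonName = Common Name

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:broker.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Generate ca.key/ca.crt and server.key/server.crt in directory $1.
# Without -extfile/-extensions, "openssl x509 -req" produces a v1 certificate,
# which is exactly the "Version: 1 (0x0)" seen in the bug report.
make_test_pki() {
    dir="$1"
    write_pki_config "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -key "$dir/ca.key" \
        -subj "/CN=pki-demo-ca" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/pki.cnf" -extensions ca_ext -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -key "$dir/server.key" \
        -subj "/CN=broker.example.test" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/pki.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
}

# Print the X.509 version number (1 or 3) of a PEM certificate.
cert_version() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: *\([0-9]\).*/\1/p'
}

# Succeed only if the certificate's subject differs from its issuer, i.e. it
# was signed by a separate CA and is not just another self-signed certificate.
subject_differs_from_issuer() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" != \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Succeed only if server.crt chains to ca.crt. This is the offline version of
# the check behind "certificate verify failed" / "tlsv1 alert unknown ca".
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Client-side probe of a live listener (host:port, CA file); not run by the
# tests. Shows the negotiated protocol and the verify result the client sees.
probe_broker() {
    openssl s_client -connect "$1" -CAfile "$2" </dev/null 2>/dev/null |
        grep -E '^ *(Protocol|Verify return code)'
}

demo_pki() {
    make_test_pki "$1"
    echo "ca.crt     version: $(cert_version "$1/ca.crt")"
    echo "server.crt version: $(cert_version "$1/server.crt")"
    subject_differs_from_issuer "$1/server.crt" && echo "server subject != issuer: ok"
    verify_chain "$1" && echo "openssl verify against ca.crt: ok"
}

# Usage: sh pki-check.sh --demo [output-dir]
if [ "${1:-}" = "--demo" ]; then
    demo_pki "${2:-$(mktemp -d)}"
fi
```

If `verify_chain` fails for a pair of files you generated, the usual reasons are that the server certificate was signed by a different CA key than the one in cafile, or that the CA and server certificates share the same subject, which is why the script gives them different CNs.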

dabozz (dabozz7) wrote:

I think it's not a bug anymore, can someone else please help?

Changed in mosquitto:
status: New → Invalid