
I've been desperately trying to get my MQTT clients to connect to an MQTT broker which is set up with a certificate from a CA. (Letsencrypt: https://pypi.python.org/pypi/letsencrypt/0.4.1) I'm using the same certificate for my https site, and that seems to work fine. I'm not sure if that holds any connection, though.

I've used this guide to set up the certificates for the broker (http://mosquitto.org/2015/12/using-lets-encrypt-certificates-with-mosquitto/).

The broker, v1.4.8, seems to work fine with the following config:

cafile chain.pem
certfile cert.pem
keyfile privkey.pem

[ ok ] mosquitto is running.

Clients attempting to connect to this broker with debug messages enabled yield:

Client mosqsub/42074-titan sending CONNECT

In my broker-side log I receive this error message:

1457358950: New connection from NOT.TELLING.YOU.OBVIOUSLY on port 8883.
1457358950: OpenSSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
1457358950: Socket error on client <unknown>, disconnecting.

I've searched high and wide for a solution to this; sadly there is little to nothing out there.

Any help would be greatly appreciated! Thank you!

user5740843

4 Answers


I ran into this problem with the paho.mqtt.c MQTT client library when I was using tcp as a protocol instead of ssl.

So I had to use

ssl://1.2.3.4:56789

instead of

tcp://1.2.3.4:56789

Also, when using paho.mqtt.c, make sure you are linking against the libs with SSL support and that those libs are actually built with SSL support! There used to be a bug in a CMake file in which a define was missing (OPENSSL), and thus the SSL libraries did not offer SSL support...

DrP3pp3r
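The tcp:// versus ssl:// mismatch described in this answer, as an added example (not the poster's code; Python standard library only): it builds the plaintext MQTT 3.1.1 CONNECT packet that a non-TLS client sends as its first bytes, and shows how a TLS listener, which expects a ClientHello record, can only report them as "unknown protocol". The client id and the TLS header bytes are constructed sample values.

```python
# Added diagnostic example, not code from the question or any answer.
# A Mosquitto TLS listener logs "SSL23_GET_CLIENT_HELLO:unknown protocol"
# when the first bytes on the socket are not a TLS record. A client using
# tcp:// instead of ssl:// sends a plaintext MQTT CONNECT there instead.
import struct


def mqtt_connect_packet(client_id: str, keepalive: int = 60) -> bytes:
    """Build a minimal MQTT 3.1.1 CONNECT packet (clean session, no auth)."""
    variable_header = (
        struct.pack(">H", 4) + b"MQTT"   # length-prefixed protocol name
        + bytes([4])                     # protocol level 4 = MQTT 3.1.1
        + bytes([0x02])                  # connect flags: clean session only
        + struct.pack(">H", keepalive)   # keepalive in seconds
    )
    cid = client_id.encode()
    payload = struct.pack(">H", len(cid)) + cid
    body = variable_header + payload
    # Remaining length uses MQTT's variable-length encoding, 7 bits per byte.
    remaining, n = b"", len(body)
    while True:
        digit = n % 128
        n //= 128
        remaining += bytes([(digit | 0x80) if n else digit])
        if n == 0:
            break
    return bytes([0x10]) + remaining + body   # 0x10 = CONNECT fixed header


# Constructed prefix of a TLS 1.2 ClientHello: record type 0x16 (handshake),
# record version 3.3, record length, then handshake type 0x01 (ClientHello).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030300c1010000bd0303")


def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS handshake apart from plaintext MQTT by the first bytes."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 4:
        return "tls-handshake"       # what the 8883 listener expects
    if len(data) >= 2 and data[0] == 0x10:
        return "mqtt-plaintext"      # what a tcp:// client sends first
    return "unknown"


if __name__ == "__main__":
    pkt = mqtt_connect_packet("mosqsub/42074-titan")   # client id from the question
    print(pkt[:8].hex(), classify_first_bytes(pkt))
    print(TLS_CLIENT_HELLO_PREFIX[:8].hex(), classify_first_bytes(TLS_CLIENT_HELLO_PREFIX))
```

Run the script to see the two byte patterns side by side; the broker's OpenSSL layer only ever accepts the second.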

My guess is that you've not enabled TLS mode - did you pass --cafile to mosquitto_sub?

ralight

This worked for me just to test out a simple secure publish-subscribe.

  1. I used https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh to generate the certificates (in /share/mosquitto), simply:

    generate-CA.sh

  2. I configured mosquitto.conf (including full logging) with:

    log_dest file /var/log/mosquitto.log
    log_type all
    cafile /share/mosquitto/ca.crt
    certfile /share/mosquitto/localhost.crt
    keyfile /share/mosquitto/localhost.key

  3. I subscribed (with debug enabled) with:

    mosquitto_sub -h localhost -t test -p 8883 --insecure -d --cafile /share/mosquitto/ca.crt

  4. I published with:

    mosquitto_pub -h localhost -t test -p 8883 --cafile /share/mosquitto/ca.crt -m "Hi" --insecure

RayCh

I started getting this issue very recently on one of my cloud Mosquitto brokers. I'm connecting to this broker from another VPS with a Python client, using the paho.mqtt.client library for Python.

Everything was working until one fine day it all broke. The cause might be regular updates or something else, but it suddenly started giving me a handshake error, exactly the same error mentioned by the OP.

Client connection from AREA51 failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.

At my client in Python I am using transport=tcp and connecting to the secure MQTT port using TLS. This was working fine earlier. After having this issue I updated OpenSSL to the latest version, but that did not resolve the issue.

My problem was that my broker was allowing all ssl/tcp and websocket connections from all other clients. Even the same Python code was working fine on my local machine.

So it was clear that something was wrong with the transport mechanism on my other VPS (the client).

Tapping into the Python MQTT library, I found that we can try changing the transport mechanism.

Hence simply changing the client code to:

client = mqtt.Client(transport="websockets")

which earlier was:

client = mqtt.Client(transport="tcp")

resolved my issue. I did have to change the port in the connection to the one where my secure websocket was running.

I hope this might help someone in a similar situation.

Rajendra