I am trying to set up a client utilizing libmosquitto. Connecting to the broker works like a charm, with and without TLS. But whenever I try to send data over the TLS connection, I get the error:

1486712210: OpenSSL Error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
1486712210: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1486712210: Socket error on client , disconnecting.

I've tried the test client from the git repository of mosquitto, mosquitto/test/lib/c/08-ssl-connect-cert-auth-enc.c, same result.

My current server configuration:

listener 1883

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/werkstatt.logicway.net.crt
keyfile /etc/mosquitto/certs/werkstatt.logicway.net.key
require_certificate true
tls_version tlsv1

The source code:

#include <stdio.h>
#include <string.h>
#include <sstream>
#include <iostream>

#include <QtCore/QCoreApplication>
#include <QtDBus/QtDBus>
#include <mosquitto.h>

#include "logicgateway_data.h"
#include "logicgateway_client.h"

using namespace std;


// Owns the payload bytes so that data_out never points at a destroyed temporary
static QByteArray data_buf;
const char *data_out;

struct mosquitto *mosq = NULL;

// Description to follow
int LGW_Client::receive_data(QString in_basket)
{
    // toLatin1() returns a temporary QByteArray; keep it alive in data_buf
    data_buf = in_basket.toLatin1();
    data_out = data_buf.constData();
    cout << "Wert erhalten: " << data_out << endl;
    // mid = NULL (not needed), QoS 0, retain = true
    mosquitto_publish(mosq, NULL, LGW_TOPIC, strlen(data_out), data_out, 0, true);
    return 0;
}



int main (int argc, char **argv)
{
    // Connect to the Qt D-Bus session
    QCoreApplication app(argc,argv);

    if(!QDBusConnection::sessionBus().isConnected()){
        fprintf(stderr,"Kann nicht mit D-Bus Session verbinden.\n"
                "Um sie zu starten, geben Sie bitte ein:\n"
                "\teval `dbus-launch --auto-syntax`\n");
        return 1;
    }


    // Initialise Mosquitto

    mosquitto_lib_init();

    mosq = mosquitto_new(CID,false,NULL);

    if(!mosq)
    {
        printf("Nicht erstellt\n");
        return 1;
    }
    else
    {
        printf("Mosquitto erfolgreich verbunden!\n");
    }


    // TLS setup: verify the broker certificate (1 = SSL_VERIFY_PEER) and present the client certificate
    if (LGW_PORT == 8883)
    {
        mosquitto_tls_opts_set(mosq,1,"tlsv1",NULL);
        mosquitto_tls_set(mosq,"ca.crt",NULL,"client.crt","client.key", NULL);

    }

    // Connect the Mosquitto client to the broker
    int rc = mosquitto_connect(mosq,BROKER_ADRESS,LGW_PORT,60);
    if(rc)
    {
        fprintf(stderr, "Fehler! %s\n", mosquitto_strerror(rc));
        return 1;
    }
    else
    {
        printf("Laeuft!\n");
    }

    // Run the Mosquitto network loop in its own thread: app.exec() below blocks this
    // thread, so a loop started after it would never process CONNACK or TLS traffic
    mosquitto_loop_start(mosq);


    // Register the D-Bus service in order to receive data
    if(!QDBusConnection::sessionBus().registerService(SERVICE_NAME_CLIENT)) {
        fprintf(stderr, "%s\n", qPrintable(QDBusConnection::sessionBus().lastError().message()));
        exit(1);
    }

    printf ("LGW-Client: Gestartet...\n");
    LGW_Client lgwclient;
    QDBusConnection::sessionBus().registerObject("/",&lgwclient, QDBusConnection::ExportAllSlots);

    app.exec();


    // Error handling and cleanup
    //fprintf(stderr, "%s\n", qPrintable(QDBusConnection::sessionBus().lastError().message()));

    // Orderly shutdown: disconnect, then stop the loop thread (replaces the
    // mosquitto_loop_forever() call that could only run after app.exec() returned)
    mosquitto_disconnect(mosq);
    mosquitto_loop_stop(mosq, false);

    mosquitto_destroy(mosq);
    mosquitto_lib_cleanup();

    return 0;
}

(Please be gentle regarding the code in general. I am a bloody beginner and fully aware that there is much to improve. But at the moment I just want to get the TLS connection working.)

Things that work:

  • Running the code with port 1883 (without TLS)
  • Running mosquitto_sub and mosquitto_pub with the ca.crt, client.crt and client.key I generated with generate-CA.sh and the information from the mosquitto documentation

I am pretty positive it is just a tiny error and I am just too inexperienced to see it. Hope you can help.

Many thanks in advance!

Mathias

  • Good question with lots of details! – ralight Feb 10 '17 at 13:24
  • What version of openssl are you using? – ralight Feb 10 '17 at 13:51
  • The system was freshly built in January for me, I can only guess it was the latest or at least a very recent one. I've got no access to the system anymore since my internship ended today. If "maybe recent version" is too vague, please stick with me, I will try to get that information in three days. Oh, and thanks for your impressively fast help! – Mathias Feb 10 '17 at 15:33
  • Well, my apologies, those were the longest three days I've ever had. But at least I can answer the question. openssl version replied: OpenSSL 1.0.2j 26 Sep 2016 – Mathias Apr 04 '17 at 08:18

1 Answer

You cannot connect to the MQTT broker from your application because you are probably using an IP address to connect to it, as the BROKER_ADRESS variable would suggest. TLS expects the connection to be directed to the same CN (Common Name) as the one used in the generation step of the client.csr request file. If you use the broker hostname (werkstatt.logicway.net) instead of a plain address you should be able to connect to the device.

  • The CN (Common Name) should be the same as the server/broker hostname if no SAN extension is used.

I had the same issue and input from here https://openest.io/en/2020/01/03/mqtts-how-to-use-mqtt-with-tls/ helped me out.

Falital
  • Using the proper Common Name was the issue for me as well. This fixed it. Spent a whole day working on this. – tiktak Apr 29 '22 at 16:42
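The identity check the answer and the last comment refer to, as an added example that is not part of the question, the answer or the mosquitto project: the hostname-matching rules a TLS client applies to a server certificate, run against constructed certificates in the shape that Python's ssl.SSLSocket.getpeercert() returns. The broker name werkstatt.logicway.net is taken from the question; the IP address and the SAN entries are constructed to show why connecting by IP to a CN-only certificate fails and why a SAN, once present, overrides the CN.

```python
import ipaddress

def _dns_match(pattern, hostname):
    """RFC 6125 style DNS-ID match: case-insensitive; '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False  # wildcard must be a full label and may never cover a bare TLD
    return p[1:] == h[1:]

def match_hostname(cert, target):
    """Return (matched, reason) for `target` (hostname or IP literal) against a getpeercert() dict."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in san if k == "DNS"]
    ip_ids = [v for k, v in san if k == "IP Address"]
    if ip is not None:
        # An IP literal is only ever matched against iPAddress SAN entries, never the CN
        if any(ipaddress.ip_address(v) == ip for v in ip_ids):
            return True, "IP %s is listed in subjectAltName" % ip
        return False, "IP %s has no iPAddress SAN; connect by hostname or reissue with an IP SAN" % ip
    if dns_ids or ip_ids:
        # A SAN extension is authoritative: the CN is ignored as soon as one is present
        if any(_dns_match(p, target) for p in dns_ids):
            return True, "%r matches a subjectAltName DNS entry" % target
        return False, "%r is not among subjectAltName DNS entries %r" % (target, dns_ids)
    # No SAN at all: legacy fallback to the subject commonName
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, target) for cn in cns):
        return True, "%r matches CN (certificate has no SAN)" % target
    return False, "%r does not match CN %r and there is no SAN" % (target, cns)

# Constructed sample: CN-only certificate like the broker's in the question (no SAN extension)
BROKER_CERT_CN_ONLY = {
    "subject": ((("countryName", "DE"),), (("commonName", "werkstatt.logicway.net"),)),
}
# Constructed sample: same CN but with a SAN, which then takes precedence over the CN
BROKER_CERT_WITH_SAN = dict(BROKER_CERT_CN_ONLY,
                            subjectAltName=(("DNS", "*.logicway.net"), ("IP Address", "192.0.2.10")))

if __name__ == "__main__":
    print(match_hostname(BROKER_CERT_CN_ONLY, "werkstatt.logicway.net"))
    print(match_hostname(BROKER_CERT_CN_ONLY, "192.0.2.10"))  # connecting by IP address fails here
```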