setup
I'm trying to connect a Java client to a mosquitto MQTT broker using mutual TLS. The client and the broker are sitting on two separate virtual machines that are able to communicate with each other. I am attempting connection on port 8883. When I try to connect with self-signed PEM format certs, the connection is successfully made. However, when I try to connect with certs generated by my company's internal CA, the connection does not happen, with one error message on the client and one on the broker. The certs are different on each side; each one was generated with the common name matching the VM it lives on, and both were generated from the same CA. As for the code, the socketFactory code is as follows:
```java
// Build the SSLSocketFactory from the CA, client cert and client key PEM files
socketFactory = SslUtil.getSocketFactory(Config.caFilePath,
                                         Config.clientCrtFilePath,
                                         Config.clientKeyFilePath,
                                         Config.clientKeyPass);
```
The specific library used for connection is Paho.
client error message:

```
MqttException (0) - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
broker:

```
1631135618: New connection from 1.1.1.1 on port 8883.
1631135618: OpenSSL Error[0]: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1631135618: Socket error on client <unknown>, disconnecting.
1631135618: New connection from 1.1.1.1 on port 8883.
1631135618: OpenSSL Error[0]: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1631135618: Socket error on client <unknown>, disconnecting.
```
I've been able to narrow the problem down to the broker (server) authenticating with the client. The way I did that is by running the client with the real certificates and a self-signed CA while running the broker with the real CA and self-signed certificates, as outlined below.
all self-signed: WORKS

| client | <-----> | broker |
|---|---|---|
| selfsigned crt | | selfsigned crt |
| selfsigned key | | selfsigned key |
| selfsigned ca | | selfsigned ca |

client real certs and broker self-signed: WORKS

| client | <-----> | broker |
|---|---|---|
| real crt | | selfsigned crt |
| real key | | selfsigned key |
| selfsigned ca | | real ca |

all real certs: DOESN'T WORK

| client | <-----> | broker |
|---|---|---|
| real crt | | real crt |
| real key | | real key |
| real ca | | real ca |
cert verification

I have checked to see that the certs are configured correctly:

- their common names are the same as the hostname of the VM they run on
- the cert is accepted by the CA
wireshark packet capture

I performed a packet capture of a connection using self-signed certs and one using real certs. They differ in the way the certificate is read. In the self-signed cert capture, the order is Client Hello sent, then Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done sent in one reply. In the real cert capture, the order is Client Hello sent, then Server Hello sent, and then Certificate, Server Key Exchange, Certificate Request, Server Hello Done. The Server Hello is sent alone, and the bytes indicate that the cert value is contained in this packet but not recognized as such. It seems that the Server Hello is erroneously containing the cert value.
I have run out of options I can think of. Any ideas would be welcomed!
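An offline check that reproduces the client-side PKIX path build outside the handshake, added here as an example and not part of the question or of Paho: it loads the CA file and the broker's certificate file as PEM and asks the JDK's PKIX builder for a path, the same step that fails with "unable to find valid certification path to requested target". The file names `ca.pem` and `broker.crt` are placeholders for the CA file handed to `SslUtil.getSocketFactory` and the certificate mosquitto serves; if the CA file holds only a root while the broker cert was issued by an intermediate that is not in either file, the build fails here exactly as it does in the handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class PkixCheck {
    // Load every PEM-encoded certificate in a file; CertificateFactory reads
    // concatenated "-----BEGIN CERTIFICATE-----" blocks one after another.
    static List<X509Certificate> loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // Try to build a PKIX path from the broker's leaf certificate up to one of
    // the trust anchors in the CA file, as JSSE does when validating the server.
    static void check(String caPath, String brokerCertPath) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : loadPem(caPath)) {
            anchors.add(new TrustAnchor(ca, null));
        }
        List<X509Certificate> chain = loadPem(brokerCertPath);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0)); // first cert in the file is the leaf

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false); // no CRL/OCSP lookups in this offline check
        // Any intermediates present in the broker cert file are offered to the builder.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("path OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("PKIX path building failed: " + e.getMessage());
            System.out.println("leaf issuer: " + chain.get(0).getIssuerX500Principal());
            for (TrustAnchor a : anchors)
                System.out.println("anchor:      " + a.getTrustedCert().getSubjectX500Principal());
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; point them at the real CA file and broker certificate.
        check(args.length > 0 ? args[0] : "ca.pem", args.length > 1 ? args[1] : "broker.crt");
    }
}
```

When the build fails, comparing the printed leaf issuer against the anchor subjects shows whether the CA file actually contains the issuer the broker's certificate chains to.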