mosquitto-users team mailing list archive

Re: SSL connection from Java client to mosquitto broker: "no certificate returned"


Hi Roger

I tried to test the connection with mosquitto_sub as you suggested.
When I invoked mosquitto_sub -t \$SYS/# -h <host> --cafile <file> --cert <file> --key <file>
I got the same "no certificate returned" error.

I upgraded to 1.0.4 and tried again: 
1) removed all SSL configuration and restarted the broker.
Now when I invoke 
mosquitto_sub -v -t \$SYS/#
it seems to be working fine.

2) added all SSL config, but with require_certificate false
Now when I invoke 
mosquitto_sub -d -v -t \$SYS/# --cafile etc/ca.crt
Client mosqsub/2360-ip-10-114- sending CONNECT
Error: The connection was lost.
and 
The mosquitto process is gone!
The complete log file shows:
mosquitto version 1.0.4 (build date 2012-10-18 02:25:54+0000) starting
Opening ipv4 listen socket on port 1883.
Opening ipv6 listen socket on port 1883.
New connection from 127.0.0.1.

The relevant mosquitto.conf lines look like this:

# SSL listener
listener 1883
cafile /home/ubuntu/etc/ca.crt
certfile /home/ubuntu/etc/server.crt
keyfile /home/ubuntu/etc/server.key
require_certificate false
use_identity_as_username true
max_connections -1


-----Original Message-----
From: mosquitto-users-bounces+sharon.ben-asher=avg.com@xxxxxxxxxxxxxxxxxxx [mailto:mosquitto-users-bounces+sharon.ben-asher=avg.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Roger Light
Sent: Sunday, October 21, 2012 11:28 PM
To: mosquitto-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Mosquitto-users] SSL connection from Java client to mosquitto broker: "no certificate returned"

Dear Sharon,

> By the way, after tweaking kernel params, I was able to open 100K 
> concurrent clients to one broker instance on a medium sized EC2 
> machine.  Good work, mosquitto!

That's great to hear! Thanks for letting me know.

> Now I am trying to set up a secured connection using SSL.  I want to 
> authenticate the client using a client certificate.

...

> I figured that the CA certificate is used for the client to 
> authenticate the server, while the client key and certificate are used 
> for the server to authenticate the client.

Yes, exactly. If require_certificate is false it's the same principle as used in web browsers. Clients trust servers that have had their certificate signed by CAs for which the client has the CA cert loaded. In web browsers there is typically a big list of CA certificates loaded of course, whereas there is no real need for that here (nothing to stop it of course). If require_certificate is true, the same thing happens in the opposite way as well - clients have to have certificates signed by the CA that the server trusts.


> So here is what I did on the Java side:

That all sounds plausible, but I've got no real experience of Java so it's difficult to comment on the details I'm afraid.

> When I do the connect, I get the following error from mosquitto
>
> OpenSSL Error: error:140890B2:SSL 
> routines:SSL3_GET_CLIENT_CERTIFICATE:no
> certificate returned

That's the same error I'd expect (and get through some testing) if the client isn't sending a client certificate. Have you tested your client certificate/key with mosquitto_sub?

This should work:

mosquitto_sub -t \$SYS/# -h <host> --cafile <file> --cert <file> --key <file>

And this should reproduce the above error:

mosquitto_sub -t \$SYS/# -h <host> --cafile <file>


>       SSLContext context = SSLContext.getInstance("SSLv3");

You should note that as it stands mosquitto only allows the use of the TLSv1 protocol so the above should fail. It ought to fail earlier on in the connection though, so I don't think it should contribute to your error. I presume you've patched to use SSLv3 instead. It should really be user configurable but as there isn't any need to be backwards compatible I didn't think allowing older versions was necessary.

Cheers,

Roger

--
Mailing list: https://launchpad.net/~mosquitto-users
Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~mosquitto-users
More help   : https://help.launchpad.net/ListHelp
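As an added example that is not part of this thread, the script below builds a throwaway CA plus a server and a client certificate signed by it (the trust setup Roger describes) and runs the two checks worth doing before pointing mosquitto_sub or a Java client at a broker with require_certificate true: that each certificate chains to the CA given as cafile, and that the private key actually belongs to the certificate being presented. The file names, CNs and function names are my own choices.

```shell
#!/bin/sh
# Added example: throwaway PKI plus pre-flight checks for mosquitto client certs.
set -eu
WORK=$(mktemp -d)   # all files land in a scratch directory (constructed, not real PKI)

# Issue a certificate signed by the scratch CA. Args: file basename, CN.
issue_cert() {
  name=$1; cn=$2
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$name.crt" 2>/dev/null
}

# One CA signs both ends: the broker's cert (cafile/certfile/keyfile in
# mosquitto.conf) and the client's cert (--cafile/--cert/--key for mosquitto_sub).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=scratch-ca" -days 1 2>/dev/null
  issue_cert server broker.example
  issue_cert client mqtt-client
}

# Prints ok when $2 chains to the CA cert $1; this is what the broker checks
# for the client cert (require_certificate true) and the client for the server cert.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}

# Prints ok when RSA key $1 and cert $2 share a modulus, i.e. belong together.
# A mismatched pair is a common reason a client ends up presenting no certificate.
key_matches_cert() {
  kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] && echo ok || echo fail
}

make_pki
echo "client cert chains to ca.crt: $(chains_to_ca "$WORK/ca.crt" "$WORK/client.crt")"
echo "client key matches client cert: $(key_matches_cert "$WORK/client.key" "$WORK/client.crt")"
echo "server key matches client cert: $(key_matches_cert "$WORK/server.key" "$WORK/client.crt")"
```

With the generated files, `mosquitto_sub --cafile ca.crt --cert client.crt --key client.key` is the working invocation from the thread, and dropping `--cert`/`--key` against a broker with require_certificate true reproduces the "no certificate returned" error.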