
mosquitto-users team mailing list archive

Mosquitto SSL with a CA Certificates Chain and Fedora Segfault


Hi folks, one long-winded post to follow.

I'm having an issue using a non-self-signed SSL server certificate that
has a CA certificate chain with Mosquitto 1.2 (1.2-6.1.x86_64) on Fedora
19 (installed via yum using the home_oojah_mqtt repo).

Firstly, there is an error in the mosquitto.conf manpage.  The c_rehash
only functions if the CA certs are .pem not .crt files.  Once I got past
that I was able to get the server started and listening on the MQTT SSL
assigned 8883/tcp port without issue.  I can verify that all is OK
with the SSL listener using openssl s_client.  Not only does it reply
with a verify return code: 0 (OK), it also confirms that TLS v1.2 is
available in the SSL-Session information:
[tester@f19-client ~]$ openssl s_client -connect server1.stokesnz.net:8883
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
server1.stokesnz.net
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=server1.stokesnz.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
...
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
...
SSL-Session:
    Protocol  : TLSv1.2
...
    Verify return code: 0 (ok)
...

However, the mosquitto client software will not connect successfully,
producing a number of error messages.

Error #1 - no CA information supplied (anticipated, as this is also the
same behaviour for a known good listener) - command times out without error:
[tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
server1.stokesnz.net -p 8883 -t test/msg/2 -m "Splat 14 q2" -d -r -q 2
--tls-version tlsv1.2
Client mosq_pub_dunc sending CONNECT

Error #2 - intermediary CA certificate supplied:
[tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
server1.stokesnz.net -p 8883 -t test/msg/2 -m "Splat 14 q2" -d -r -q 2
--tls-version tlsv1.2 --cafile PositiveSSLCA2.crt
Client mosq_pub_dunc sending CONNECT
OpenSSL Error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

Error #3 - primary CA certificate supplied (or a file with both
intermediary and primary CA certs present):
[tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
server1.stokesnz.net -p 8883 -t test/msg/2 -m "Test to 8883 q2 #1" -d -r
-q 2 --tls-version tlsv1.2 --cafile AddTrustExternalCARoot.crt
Client mosq_pub_dunc sending CONNECT
Segmentation fault (core dumped)

Error #4 - capath used with both CA certs in pem format with c_rehash
performed:
[tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
server1.stokesnz.net -p 8883 -t test/msg/2 -m "Splat 14 q2" -d -r -q 2
--tls-version tlsv1.2 --capath /home/tester/mqtt_certs/
Client mosq_pub_dunc sending CONNECT
Segmentation fault (core dumped)

For reference, I'm comfortable that the configuration is fine, as I've
created an MQTT SSL 8884/tcp listener using a self-created CA and a
self-signed server certificate:
[tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
server1.stokesnz.net -p 8884 -t test/msg/2 -m "Test to 8884 q2 #1" -d -r
-q 2 --tls-version tlsv1.2 --cafile StokesNZ.net.testCA.crt
Client mosq_pub_dunc sending CONNECT
Client mosq_pub_dunc received CONNACK
Client mosq_pub_dunc sending PUBLISH (d0, q2, r1, m1, 'test/msg/2', ...
(18 bytes))
Client mosq_pub_dunc received PUBREC (Mid: 1)
Client mosq_pub_dunc sending PUBREL (Mid: 1)
Client mosq_pub_dunc received PUBCOMP (Mid: 1)
Client mosq_pub_dunc sending DISCONNECT

Using mosquitto_sub produces exactly the same errors.

Apologies in advance, but I don't have access to a non-self-signed
certificate that does not have a CA certificate chain, but I assume
others have it working in a single CA certificate configuration.

Thoughts!?  Whilst I'm happy enough to use self-signed SSL certificates
I thought it wise to air this issue as CA certificate chains are
becoming more and more prevalent.

Regards,
Duncan.
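The three trust-store cases in the post (intermediate only, root only, hashed capath) can be reproduced locally without a real CA or a broker. The script below is an added example; it is not code from the post or from the Mosquitto project. It generates a constructed three-level chain with openssl (the names Test Root, Test Intermediate and broker.example.test are made up), populates a capath directory with the same <subject-hash>.<n> naming that c_rehash produces, and runs openssl verify against each trust store in the way a TLS client would, with the intermediate supplied as an untrusted chain certificate (as a broker sends it) and only the --cafile/--capath contents trusted. It assumes openssl 1.0 or later on PATH and a POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Mosquitto project.
# Builds a constructed chain (root -> intermediate -> server) and checks which
# trust anchor lets the server certificate verify:
#   trust intermediate only -> fail (chain does not reach a self-signed root)
#   trust root only         -> ok
#   trust hashed capath     -> ok
#   unhashed file in capath -> fail (OpenSSL only looks up <hash>.<n> names)
# All names and keys are made up and throwaway. Requires openssl >= 1.0.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Generate the constructed chain (2-day lifetimes, RSA-2048 throwaway keys).
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:broker.example.test\n' > srv_ext.cnf

    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
        -extfile ca_ext.cnf -out root.pem >/dev/null 2>&1
    # intermediate signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile ca_ext.cnf -out inter.pem >/dev/null 2>&1
    # server (leaf) signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=broker.example.test" \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -sha256 -extfile srv_ext.cnf -out server.pem >/dev/null 2>&1
    # what a broker would serve as its certfile: leaf followed by intermediate
    cat server.pem inter.pem > server_chain.pem
}

# Populate a capath directory the way c_rehash does: each PEM CA cert is
# stored as <subject-hash>.<n>. That file name is what OpenSSL looks up;
# a file called foo.crt or foo.pem in the directory is never consulted.
build_capath() {
    dir="$1"; shift
    rm -rf "$dir"; mkdir -p "$dir"
    for pem in "$@"; do
        h=$(openssl x509 -noout -hash -in "$pem")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$pem" "$dir/$h.$n"
    done
}

# Verify server.pem as a client would: the intermediate arrives from the
# server (-untrusted); only the given store is trusted. Prints ok or fail.
verify_with_cafile() {
    if openssl verify -CAfile "$1" -untrusted inter.pem server.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
verify_with_capath() {
    if openssl verify -CApath "$1" -untrusted inter.pem server.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_chain
build_capath cadir root.pem inter.pem
rm -rf unhashed; mkdir unhashed; cp root.pem unhashed/root.crt   # wrong name, not hashed
echo "trust intermediate only : $(verify_with_cafile inter.pem)"
echo "trust root only         : $(verify_with_cafile root.pem)"
echo "trust hashed capath     : $(verify_with_capath cadir)"
echo "unhashed file in capath : $(verify_with_capath unhashed)"
```

The intermediate-only case fails for the same reason as error #2 in the post: without the partial-chain verify flag, OpenSSL insists on building the chain up to a self-signed certificate that is in the trust store, and the intermediate's issuer is not there. Passing the root (or a file holding root plus intermediate) is what completes the chain. Note that openssl verify does not check the host name; mosquitto_pub additionally checks that the server certificate matches the -h host, so a chain that verifies here can still be rejected by the client on a name mismatch.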

