mosquitto-users team mailing list archive
Message #00281
Re: Mosquitto SSL with a CA Certificates Chain and Fedora Segfault
Hi Duncan,
Thanks for the detailed email. First off, I can say that this should
work. The broker and client library tests for SSL use a
root->intermediate->server/client chain for signing. I suppose that's
a good place to start - if you download the 1.2 tarball and run "make
test" in the extracted directory, does it segfault? The tests don't use
mosquitto_pub/sub themselves so it doesn't exactly match your case, but
it's a good start.
> Firstly, there is an error in the mosquitto.conf manpage. The c_rehash
> only functions if the CA certs are .pem not .crt files.
Thanks, I've fixed that.
> Error #2 - intermediary CA certificate supplied:
> [tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
> server1.stokesnz.net -p 8883 -t test/msg/2 -m "Splat 14 q2" -d -r -q 2
> --tls-version tlsv1.2 --cafile PositiveSSLCA2.crt
> Client mosq_pub_dunc sending CONNECT
> OpenSSL Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Error: Protocol error
This is also anticipated, you should pass (and should only need to
pass) the root CA certificate. The server should provide the other
certificates in the chain.
> Error #3 - primary CA certificate supplied (or a file with both
> intermediary and primary CA certs present):
> [tester@f19-client ~]$ mosquitto_pub -i mosq_pub_dunc -h
> server1.stokesnz.net -p 8883 -t test/msg/2 -m "Test to 8883 q2 #1" -d -r
> -q 2 --tls-version tlsv1.2 --cafile AddTrustExternalCARoot.crt
> Client mosq_pub_dunc sending CONNECT
> Segmentation fault (core dumped)
This is bad, obviously.
I'll try and reproduce this myself on Fedora, but it might be a few
days because I've got a work deadline on Monday and am working all
hours.
> Thoughts!? Whilst I'm happy enough to use self-signed SSL certificates
> I thought it wise to air this issue as CA certificate chains are
> becoming more and more prevalent.
Agreed, it should definitely work with chains. It definitely shouldn't
segfault, either way!
Cheers,
Roger
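The verification behaviour Roger describes (give the client the root CA only; the broker must send the intermediate) can be reproduced with openssl alone, without a broker. The script below is an added example, not code from the thread or from the Mosquitto project: it builds a throw-away root -> intermediate -> server chain with made-up names (Example Root CA, broker.example), then runs `openssl verify` the way `mosquitto_pub --cafile` would see it. The trust file given to `-CAfile` plays the role of `--cafile`; the file given to `-untrusted` plays the role of the extra certificates a broker sends during the handshake. It assumes `openssl` and `mktemp` are on PATH; the remark that the broker's chain file is the leaf followed by the intermediate refers to mosquitto's `certfile` option and is an assumption about the broker configuration, not something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the mosquitto thread): build a root -> intermediate -> server
# chain with openssl and show which trust file verifies the server certificate.
# Assumptions: openssl is on PATH; all names and hostnames below are made up.

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so nothing depends on the system openssl.cnf.
write_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:broker.example
EOF
}

# Root (self-signed) -> intermediate (signed by root) -> server (signed by intermediate).
setup_chain() {
  write_config || return 1
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -config "$WORK/ext.cnf" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -config "$WORK/ext.cnf" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ext.cnf" -extensions v3_ca \
    -out "$WORK/inter.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=broker.example" -config "$WORK/ext.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/ext.cnf" -extensions v3_server \
    -out "$WORK/server.crt" >/dev/null 2>&1 || return 1
  # What the broker should serve: leaf first, then the intermediate
  # (assumed to be the content of mosquitto's certfile).
  cat "$WORK/server.crt" "$WORK/inter.crt" > "$WORK/broker-chain.crt"
  # The other file from the thread: intermediate and root together in one --cafile.
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/both-cas.crt"
}

# verify_leaf TRUST_FILE [SENT_BY_BROKER]
# TRUST_FILE stands in for mosquitto_pub --cafile; SENT_BY_BROKER for the
# extra certificates a broker hands over in the TLS handshake.
# Returns 0 when the server certificate chains to a trusted self-signed root.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
  fi
}

show() {
  label=$1; shift
  if verify_leaf "$@"; then printf 'verified : %s\n' "$label"; else printf 'REJECTED : %s\n' "$label"; fi
}

setup_chain || { echo "chain setup failed (is openssl installed?)" >&2; exit 1; }
show "root CA in --cafile, broker sends intermediate (correct setup)" "$WORK/root.crt" "$WORK/inter.crt"
show "root CA in --cafile, broker omits intermediate"                 "$WORK/root.crt"
show "intermediate CA only in --cafile (the thread's error #2)"       "$WORK/inter.crt" "$WORK/inter.crt"
show "root and intermediate in --cafile, broker sends intermediate"   "$WORK/both-cas.crt" "$WORK/inter.crt"
```

Two of the four cases are the ones from the thread: the intermediate alone is rejected because OpenSSL, by default, only accepts a chain that ends at a self-signed certificate in the trust store, so "certificate verify failed" is the expected outcome there; the root alone verifies as long as the broker's chain file carries the intermediate. The remaining case shows why a client gets "certificate verify failed" even with the right root when the broker's chain file contains only the leaf.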