
mosquitto-users team mailing list archive

Re: OpenSSL Error on enabling SSL connections


Hi Aidan,

On the broker configuration you can control the tls version using
"tls_version" for a listener, or "bridge_tls_version" for a bridge.
Clients can configure the tls version using the
mosquitto_tls_opts_set() function. The mosquitto_sub/pub clients allow
you to do this with --tls-version.

Cheers,

Roger


On Sun, Sep 29, 2013 at 2:37 PM, Aidan Gill <aidang@xxxxxxxxx> wrote:
> That would make sense, as OpenSSL 1.0.0 doesn't support TLS v1.1 or v1.2 -
> unfortunately being CentOS it's not easy to upgrade, and there doesn't seem
> to be an option in mosquitto to choose which TLS to use.
>
> Regards
> Aidan
>
>
> On 30 September 2013 02:15, Karl P <karlp@xxxxxxxxxxxx> wrote:
>>
>>
>> This is probably tls version mismatches.  1.2.1 ships as tlsv1.2 by
>> default, previous versions were tlsv1
>>
>> Cheers,
>> Karl P
>>
>>
>>
>> On 09/29/2013 01:07 PM, Aidan Gill wrote:
>>>
>>> I want to enable SSL connections for Mosquitto, but it's producing a random
>>> OpenSSL error - I've used my standard ca/server certificates with no luck, and
>>> have regenerated more based on the docs with no change.
>>>
>>> The config is pretty standard:
>>>
>>>
>>> listener 5228 ip_address_here
>>>
>>> retry_interval 3
>>> user mosquitto
>>>
>>> max_inflight_messages 20
>>> max_queued_messages 200
>>>
>>> persistent_client_expiration 1d
>>>
>>> log_dest stdout
>>> log_type error warning
>>>
>>> connection_messages true
>>> allow_anonymous false
>>>
>>> password_file /etc/mosquitto/pass
>>> acl_file /etc/mosquitto/acl
>>>
>>> # SSL AUTH
>>> capath /etc/mosquitto/certs/
>>> cafile /etc/mosquitto/certs/ca.crt
>>> certfile /etc/mosquitto/certs/server.crt
>>> keyfile /etc/mosquitto/certs/server.key
>>> ciphers AES128-SHA
>>> require_certificate true
>>>
>>>
>>> Mosquitto starts up yet continues to accept non-SSL connections, and an OpenSSL
>>> error message is printed to the logs:
>>>
>>> 'OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'
>>>
>>> 1380459817: mosquitto version 1.2.1 (build date 2013-09-18 21:34:45+0000) starting
>>> 1380459817: Config loaded from /etc/mosquitto/mosquitto.conf.
>>> 1380459817: Opening ipv4 listen socket on port 5228.
>>> 1380459817: Opening ipv4 listen socket on port 5228.
>>> 1380459817: New connection from 127.0.0.1 on port 5228.
>>> 1380459817: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> 1380459817: Socket read error on client (null), disconnecting.
>>> 1380459827: New connection from 103.247.154.103 on port 5228.
>>> 1380459827: New client connected from 103.247.154.103 as htcuser.6MhAE (c0, k600).
>>> 1380459829: New connection from 127.0.0.1 on port 5228.
>>> 1380459829: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> 1380459829: Socket read error on client (null), disconnecting.
>>> 1380459841: New connection from 127.0.0.1 on port 5228.
>>> 1380459841: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> 1380459841: Socket read error on client (null), disconnecting.
>>> 1380459853: New connection from 127.0.0.1 on port 5228.
>>> 1380459853: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> 1380459853: Socket read error on client (null), disconnecting.
>>>
>>>
>>> Google isn't particularly helpful here - any ideas? For the record I'm running
>>> on Centos 6.3, OpenSSL 1.0.0-fips 29 Mar 2010, Mosquitto 1.2.1
>>>
>>> Regards
>>> -Aidan
>>>
>>>
>>
>> --
>> Mailing list: https://launchpad.net/~mosquitto-users
>> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~mosquitto-users
>> More help   : https://help.launchpad.net/ListHelp
>
>
>
>

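The thread's diagnosis is a TLS version mismatch between a broker built against OpenSSL 1.2.x-era defaults (TLSv1.2) and a client limited to TLSv1, surfacing as "SSL3_GET_RECORD:wrong version number". The following added diagnostic is not part of the thread or of Mosquitto: given the first bytes a client sends to the listener, it tells apart a plaintext MQTT CONNECT on the TLS port, a ClientHello whose highest offered version is below the listener's `tls_version`, and a ClientHello the listener should accept. The `tls_version` names and their TLS version bytes, the sample ClientHello builder and the sample CONNECT packet are all constructed here for illustration.

```python
# mosquitto.conf tls_version values and the TLS version bytes they correspond to
TLS_VERSIONS = {"tlsv1": (3, 1), "tlsv1.1": (3, 2), "tlsv1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MQTT_CONNECT = 0x10    # MQTT CONNECT fixed header (packet type 1, flags 0)


def parse_client_hello(data):
    """Return (record_version, client_version) for a raw TLS ClientHello record, else None.

    Record header: type(1) version(2) length(2); handshake header: type(1) length(3);
    the ClientHello body then starts with the client's highest supported version(2).
    """
    if len(data) < 11 or data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
        return None
    return (data[1], data[2]), (data[9], data[10])


def classify_first_bytes(data, tls_version="tlsv1.2"):
    """Explain how a listener configured with `tls_version` would treat these first bytes."""
    required = TLS_VERSIONS[tls_version]
    if data and data[0] == MQTT_CONNECT:
        return "plaintext MQTT CONNECT on a TLS listener (client is not using TLS)"
    parsed = parse_client_hello(data)
    if parsed is None:
        return "not a TLS ClientHello (non-TLS or corrupt data)"
    _record_version, client_version = parsed
    if client_version < required:
        offered = VERSION_NAMES.get(client_version, "unknown")
        return "client offers %s at most but listener tls_version is %s" % (offered, tls_version)
    return "ClientHello acceptable"


def make_client_hello(client_version):
    """Build a minimal, constructed ClientHello record (one cipher suite, no extensions)."""
    body = (bytes(client_version) + b"\x00" * 32   # version + 32-byte random (zeroed here)
            + b"\x00"                              # empty session id
            + b"\x00\x02\x00\x2f"                  # one cipher suite: AES128-SHA (0x002f)
            + b"\x01\x00")                         # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Clients commonly put 3.1 in the record header of a ClientHello whatever their top version.
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: an MQTT 3.1 CONNECT (protocol name "MQIsdp") sent without TLS.
SAMPLE_MQTT_CONNECT = b"\x10\x0e\x00\x06MQIsdp\x03\x02\x00\x3c\x00\x00"

if __name__ == "__main__":
    for label, pkt in [("TLS 1.0 client", make_client_hello((3, 1))),
                       ("TLS 1.2 client", make_client_hello((3, 3))),
                       ("plain MQTT", SAMPLE_MQTT_CONNECT)]:
        print(label, "->", classify_first_bytes(pkt, "tlsv1.2"))
```

Feed it the first bytes captured on the listener (for example from a packet capture) to see which of the two failure modes a given "wrong version number" corresponds to before changing `tls_version`.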
