
mosquitto-users team mailing list archive

Re: OpenSSL Error on enabling SSL connections


When I was fighting with these issues I was able to figure out the
problem (in my case it was setting that configuration value) by first making
sure I could connect with just using OpenSSL with debugging options rather
than any MQTT client. Also remember that the tls_version configuration is
per listener, and won't be reloaded on a signal.

-Darren


On Sun, Sep 29, 2013 at 4:41 PM, Aidan Gill <aidang@xxxxxxxxx> wrote:

> Thanks for that,
>
> I've added tls_version tlsv1 to the configs now (the mosquitto.conf docs
> might need to be updated with that option)
>
> That said, it's still happening - and it's still allowing non-SSL
> connections. With the following log none of the clients have SSL set up
> (using the Java Paho client):
>
> 1380497188: New connection from 127.0.0.1 on port 5228.
> 1380497188: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 1380497188: Socket read error on client (null), disconnecting.
> 1380497211: New connection from 111.65.227.102 on port 5228.
> 1380497211: New client connected from 111.65.227.102 as test.1380497211388 (c1, k60).
> 1380497211: Sending CONNACK to test.1380497211388 (0)
> 1380497211: Received SUBSCRIBE from test.1380497211388
> 1380497211:     $SYS/broker/clients/active (QoS 1)
> 1380497211: test.1380497211388 1 $SYS/broker/clients/active
> 1380497211:     $SYS/broker/messages/inflight (QoS 1)
> 1380497211: test.1380497211388 1 $SYS/broker/messages/inflight
> 1380497211: Sending SUBACK to test.1380497211388
> 1380497211: Sending PUBLISH to test.1380497211388 (d0, q1, r1, m1, '$SYS/broker/clients/active', ... (1 bytes))
> 1380497211: Received PUBACK from test.1380497211388 (Mid: 1)
> 1380497211: Received DISCONNECT from test.1380497211388
> 1380497230: Received PUBLISH from htcuser.pokGD (d0, q1, r0, m7, 'ping', ... (1 bytes))
> 1380497230: Sending PUBACK to htcuser.pokGD (Mid: 7)
>
> Regards
> Aidan
>
>
> On 30 September 2013 10:53, Roger Light <roger@xxxxxxxxxx> wrote:
>
>> Hi Aidan,
>>
>> On the broker configuration you can control the tls version using
>> "tls_version" for a listener, or "bridge_tls_version" for a bridge.
>> Clients can configure the tls version using the
>> mosquitto_tls_opts_set() function. The mosquitto_sub/pub clients allow
>> you to do this with --tls-version.
>>
>> Cheers,
>>
>> Roger
>>
>>
>> On Sun, Sep 29, 2013 at 2:37 PM, Aidan Gill <aidang@xxxxxxxxx> wrote:
>> > That would make sense, as OpenSSL 1.0.0 doesn't support TLS v1.1 or v1.2 -
>> > unfortunately being CentOS it's not easy to upgrade, and there doesn't seem
>> > to be an option in mosquitto to choose which TLS to use.
>> >
>> > Regards
>> > Aidan
>> >
>> >
>> > On 30 September 2013 02:15, Karl P <karlp@xxxxxxxxxxxx> wrote:
>> >>
>> >>
>> >> This is probably tls version mismatches.  1.2.1 ships as tlsv1.2 by
>> >> default, previous versions were tlsv1
>> >>
>> >> Cheers,
>> >> Karl P
>> >>
>> >>
>> >>
>> >> On 09/29/2013 01:07 PM, Aidan Gill wrote:
>> >>>
>> >>> I want to enable SSL connections for Mosquitto, but it's producing a random
>> >>> OpenSSL error - I've used my standard ca/server certificates with no luck, and
>> >>> have regenerated more based on the docs with no change.
>> >>>
>> >>> The config is pretty standard:
>> >>>
>> >>>
>> >>> listener 5228 ip_address_here
>> >>>
>> >>> retry_interval 3
>> >>> user mosquitto
>> >>>
>> >>> max_inflight_messages 20
>> >>> max_queued_messages 200
>> >>>
>> >>> persistent_client_expiration 1d
>> >>>
>> >>> log_dest stdout
>> >>> log_type error warning
>> >>>
>> >>> connection_messages true
>> >>> allow_anonymous false
>> >>>
>> >>> password_file /etc/mosquitto/pass
>> >>> acl_file /etc/mosquitto/acl
>> >>>
>> >>> # SSL AUTH
>> >>> capath /etc/mosquitto/certs/
>> >>> cafile /etc/mosquitto/certs/ca.crt
>> >>> certfile /etc/mosquitto/certs/server.crt
>> >>> keyfile /etc/mosquitto/certs/server.key
>> >>> ciphers AES128-SHA
>> >>> require_certificate true
>> >>>
>> >>>
>> >>> Mosquitto starts up yet continues to accept non-SSL connections, and an
>> >>> OpenSSL error message is printed to the logs:
>> >>>
>> >>> 'OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'
>> >>>
>> >>> 1380459817: mosquitto version 1.2.1 (build date 2013-09-18 21:34:45+0000) starting
>> >>> 1380459817: Config loaded from /etc/mosquitto/mosquitto.conf.
>> >>> 1380459817: Opening ipv4 listen socket on port 5228.
>> >>> 1380459817: Opening ipv4 listen socket on port 5228.
>> >>> 1380459817: New connection from 127.0.0.1 on port 5228.
>> >>> 1380459817: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> >>> 1380459817: Socket read error on client (null), disconnecting.
>> >>> 1380459827: New connection from 103.247.154.103 on port 5228.
>> >>> 1380459827: New client connected from 103.247.154.103 as htcuser.6MhAE (c0, k600).
>> >>> 1380459829: New connection from 127.0.0.1 on port 5228.
>> >>> 1380459829: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> >>> 1380459829: Socket read error on client (null), disconnecting.
>> >>> 1380459841: New connection from 127.0.0.1 on port 5228.
>> >>> 1380459841: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> >>> 1380459841: Socket read error on client (null), disconnecting.
>> >>> 1380459853: New connection from 127.0.0.1 on port 5228.
>> >>> 1380459853: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> >>> 1380459853: Socket read error on client (null), disconnecting.
>> >>>
>> >>>
>> >>> Google isn't particularly helpful here - any ideas? For the record I'm
>> >>> running on CentOS 6.3, OpenSSL 1.0.0-fips 29 Mar 2010, Mosquitto 1.2.1
>> >>>
>> >>> Regards
>> >>> -Aidan
>> >>>
>> >>>
>> >>
>> >> --
>> >> Mailing list: https://launchpad.net/~mosquitto-users
>> >> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>> >> Unsubscribe : https://launchpad.net/~mosquitto-users
>> >> More help   : https://help.launchpad.net/ListHelp
>> >
>> >
>> >
>>
>
>
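Mosquitto 1.2.x logs a TLS accept failure without the peer address, so reading the logs above means pairing each "wrong version number" error (OpenSSL's complaint when the first record on a TLS listener does not carry a version it will negotiate, which is what a plaintext CONNECT or an unsupported TLS version both produce) with the "New connection" line that precedes it. The following Python triage is an added example, not code from the thread or from mosquitto, that does that pairing over the log format shown here and counts, per source address, how many connections completed the handshake and how many were dropped at the TLS layer. It assumes the broker writes lines sequentially (so the most recent unanswered "New connection" is the failing one) and uses sample lines adapted from the thread's log.

```python
import re
from collections import defaultdict

# mosquitto 1.2.x log format: "<epoch>: <message>"; lines wrapped by a mail client must be rejoined first.
LINE_RE = re.compile(r"^(?P<ts>\d+): (?P<msg>.*)$")
NEW_CONN_RE = re.compile(r"^New connection from (?P<ip>[\d.]+) on port (?P<port>\d+)\.$")
CLIENT_OK_RE = re.compile(r"^New client connected from (?P<ip>[\d.]+) as (?P<cid>\S+)")
# OpenSSL emits this when the first record on a TLS listener has no acceptable
# TLS version: a plaintext MQTT CONNECT and an unsupported TLS version look alike here.
WRONG_VERSION = "SSL3_GET_RECORD:wrong version number"

def triage(lines):
    """Return ({ip: {"ok": n, "wrong_version": n}}, [(ts, ip)] of TLS drops).
    Assumption: the broker logs sequentially, so an error is attributed to the
    most recent "New connection" not yet followed by "New client connected"."""
    stats = defaultdict(lambda: {"ok": 0, "wrong_version": 0})
    failures = []
    pending = None  # (ts, ip) of the last connection still in handshake
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation or unrelated line
        ts, msg = int(m.group("ts")), m.group("msg")
        if (nc := NEW_CONN_RE.match(msg)):
            pending = (ts, nc.group("ip"))
        elif (ok := CLIENT_OK_RE.match(msg)):
            stats[ok.group("ip")]["ok"] += 1  # handshake (if any) completed
            pending = None
        elif WRONG_VERSION in msg and pending is not None:
            stats[pending[1]]["wrong_version"] += 1
            failures.append(pending)
            pending = None
    return dict(stats), failures

# Constructed sample, adapted from the log posted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
1380497188: New connection from 127.0.0.1 on port 5228.
1380497188: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1380497188: Socket read error on client (null), disconnecting.
1380497211: New connection from 111.65.227.102 on port 5228.
1380497211: New client connected from 111.65.227.102 as test.1380497211388 (c1, k60).
1380497230: New connection from 127.0.0.1 on port 5228.
1380497230: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1380497230: Socket read error on client (null), disconnecting.
""".splitlines()

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG)[0].items():
        print(f"{ip}: {counts['ok']} accepted, {counts['wrong_version']} dropped at TLS layer")
```

A source that only ever shows up in the dropped column is a client sending something other than the TLS version the listener speaks; one that reaches "New client connected" got through the handshake on that listener.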
