
mosquitto-users team mailing list archive

Re: OpenSSL Error on enabling SSL connections


Ah right, thanks for that, it's not quite clear in the docs that the SSL
options are per listener.

Putting tls_version along with the SSL options for the external listener
seems to have solved the issue - and that explains why before some clients
were able to connect without SSL - the options were in the wrong place in
the config file.

This config seems to have fixed things:

# EXTERNAL LISTENER (requires SSL)
listener 5228 external_ip_address_here

cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
ciphers AES128-SHA
require_certificate true

# INTERNAL LISTENER (no SSL required)
listener 5228 127.0.0.1

The error:

'1380501912: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'

Seems to come up when non-SSL enabled clients try to connect.

Regards
Aidan



On 30 September 2013 12:55, Darren Clark <dclark@xxxxxxxxxxxxx> wrote:

> When I was fighting with these issues I was able to figure out the
> problem (in my case it was setting that configuration value) by first making
> sure I could connect with just using OpenSSL with debugging options rather
> than any MQTT client. Also remember that the tls_version configuration is
> per listener, and won't be reloaded on a signal.
>
> -Darren
>
>
> On Sun, Sep 29, 2013 at 4:41 PM, Aidan Gill <aidang@xxxxxxxxx> wrote:
>
>> Thanks for that,
>>
>> I've added tls_version tlsv1 to the configs now (the mosquitto.conf docs
>> might need to be updated with that option)
>>
>> That said, it's still happening - and it's still allowing non-SSL
>> connections. With the following log none of the clients have SSL set up
>> (using the Java Paho client):
>>
>> 1380497188: New connection from 127.0.0.1 on port 5228.
>> 1380497188: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> 1380497188: Socket read error on client (null), disconnecting.
>> 1380497211: New connection from 111.65.227.102 on port 5228.
>> 1380497211: New client connected from 111.65.227.102 as test.1380497211388 (c1, k60).
>> 1380497211: Sending CONNACK to test.1380497211388 (0)
>> 1380497211: Received SUBSCRIBE from test.1380497211388
>> 1380497211:     $SYS/broker/clients/active (QoS 1)
>> 1380497211: test.1380497211388 1 $SYS/broker/clients/active
>> 1380497211:     $SYS/broker/messages/inflight (QoS 1)
>> 1380497211: test.1380497211388 1 $SYS/broker/messages/inflight
>> 1380497211: Sending SUBACK to test.1380497211388
>> 1380497211: Sending PUBLISH to test.1380497211388 (d0, q1, r1, m1, '$SYS/broker/clients/active', ... (1 bytes))
>> 1380497211: Received PUBACK from test.1380497211388 (Mid: 1)
>> 1380497211: Received DISCONNECT from test.1380497211388
>> 1380497230: Received PUBLISH from htcuser.pokGD (d0, q1, r0, m7, 'ping', ... (1 bytes))
>> 1380497230: Sending PUBACK to htcuser.pokGD (Mid: 7)
>>
>> Regards
>> Aidan
>>
>>
>> On 30 September 2013 10:53, Roger Light <roger@xxxxxxxxxx> wrote:
>>
>>> Hi Aidan,
>>>
>>> On the broker configuration you can control the tls version using
>>> "tls_version" for a listener, or "bridge_tls_version" for a bridge.
>>> Clients can configure the tls version using the
>>> mosquitto_tls_opts_set() function. The mosquitto_sub/pub clients allow
>>> you to do this with --tls-version.
>>>
>>> Cheers,
>>>
>>> Roger
>>>
>>>
>>> On Sun, Sep 29, 2013 at 2:37 PM, Aidan Gill <aidang@xxxxxxxxx> wrote:
>>> > That would make sense, as OpenSSL 1.0.0 doesn't support TLS v1.1 or
>>> > v1.2 - unfortunately being CentOS it's not easy to upgrade, and there
>>> > doesn't seem to be an option in mosquitto to choose which TLS to use.
>>> >
>>> > Regards
>>> > Aidan
>>> >
>>> >
>>> > On 30 September 2013 02:15, Karl P <karlp@xxxxxxxxxxxx> wrote:
>>> >>
>>> >>
>>> >> This is probably tls version mismatches.  1.2.1 ships as tlsv1.2 by
>>> >> default, previous versions were tlsv1
>>> >>
>>> >> Cheers,
>>> >> Karl P
>>> >>
>>> >>
>>> >>
>>> >> On 09/29/2013 01:07 PM, Aidan Gill wrote:
>>> >>>
>>> >>> I want to enable SSL connections for Mosquitto, but it's producing a
>>> >>> random
>>> >>> OpenSSL error - I've used my standard ca/server certificates with no
>>> >>> luck, and
>>> >>> have regenerated more based on the docs with no change.
>>> >>>
>>> >>> The config is pretty standard:
>>> >>>
>>> >>>
>>> >>> listener 5228 ip_address_here
>>> >>>
>>> >>> retry_interval 3
>>> >>> user mosquitto
>>> >>>
>>> >>> max_inflight_messages 20
>>> >>> max_queued_messages 200
>>> >>>
>>> >>> persistent_client_expiration 1d
>>> >>>
>>> >>> log_dest stdout
>>> >>> log_type error warning
>>> >>>
>>> >>> connection_messages true
>>> >>> allow_anonymous false
>>> >>>
>>> >>> password_file /etc/mosquitto/pass
>>> >>> acl_file /etc/mosquitto/acl
>>> >>>
>>> >>> # SSL AUTH
>>> >>> capath /etc/mosquitto/certs/
>>> >>> cafile /etc/mosquitto/certs/ca.crt
>>> >>> certfile /etc/mosquitto/certs/server.crt
>>> >>> keyfile /etc/mosquitto/certs/server.key
>>> >>> ciphers AES128-SHA
>>> >>> require_certificate true
>>> >>>
>>> >>>
>>> >>> Mosquitto starts up yet continues to accept non-SSL connections, and
>>> >>> an OpenSSL error message is printed to the logs:
>>> >>>
>>> >>> 'OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
>>> >>> version number'
>>> >>>
>>> >>> 1380459817: mosquitto version 1.2.1 (build date 2013-09-18 21:34:45+0000) starting
>>> >>> 1380459817: Config loaded from /etc/mosquitto/mosquitto.conf.
>>> >>> 1380459817: Opening ipv4 listen socket on port 5228.
>>> >>> 1380459817: Opening ipv4 listen socket on port 5228.
>>> >>> 1380459817: New connection from 127.0.0.1 on port 5228.
>>> >>> 1380459817: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> >>> 1380459817: Socket read error on client (null), disconnecting.
>>> >>> 1380459827: New connection from 103.247.154.103 on port 5228.
>>> >>> 1380459827: New client connected from 103.247.154.103 as htcuser.6MhAE (c0, k600).
>>> >>> 1380459829: New connection from 127.0.0.1 on port 5228.
>>> >>> 1380459829: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> >>> 1380459829: Socket read error on client (null), disconnecting.
>>> >>> 1380459841: New connection from 127.0.0.1 on port 5228.
>>> >>> 1380459841: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> >>> 1380459841: Socket read error on client (null), disconnecting.
>>> >>> 1380459853: New connection from 127.0.0.1 on port 5228.
>>> >>> 1380459853: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>> >>> 1380459853: Socket read error on client (null), disconnecting.
>>> >>>
>>> >>>
>>> >>> Google isn't particularly helpful here - any ideas? For the record I'm
>>> >>> running on Centos 6.3, OpenSSL 1.0.0-fips 29 Mar 2010, Mosquitto 1.2.1
>>> >>>
>>> >>> Regards
>>> >>> -Aidan
>>> >>>
>>> >>>
>>> >>
>>> >> --
>>> >> Mailing list: https://launchpad.net/~mosquitto-users
>>> >> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>>> >> Unsubscribe : https://launchpad.net/~mosquitto-users
>>> >> More help   : https://help.launchpad.net/ListHelp
>>> >
>>> >
>>> >
>>> >
>>>
>>
>>
>>
>>
>

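To make the "wrong version number" errors in the logs quoted above attributable to their source, here is an added Python example (not from this thread or the Mosquitto project) that walks a broker log in order and pairs each "New connection" entry with the OpenSSL error that follows it; the sample log is constructed from the entries quoted in the thread. A "New client connected" line on its own does not show whether that client negotiated TLS, so the script only separates failed handshakes from accepted sessions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the entries quoted in this thread
# (the broker itself writes each entry on a single line).
SAMPLE_LOG = """\
1380459817: New connection from 127.0.0.1 on port 5228.
1380459817: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1380459817: Socket read error on client (null), disconnecting.
1380459827: New connection from 103.247.154.103 on port 5228.
1380459827: New client connected from 103.247.154.103 as htcuser.6MhAE (c0, k600).
1380459829: New connection from 127.0.0.1 on port 5228.
1380459829: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
1380459829: Socket read error on client (null), disconnecting.
"""

NEW_CONN = re.compile(r"^(\d+): New connection from (\S+) on port (\d+)\.$")
CONNECTED = re.compile(r"^(\d+): New client connected from (\S+) as (\S+) ")
WRONG_VERSION = re.compile(r"^(\d+): OpenSSL Error: .*wrong version number$")


def classify_connections(log_text):
    """Walk the log in order. Mosquitto logs serially, so a 'wrong version
    number' error right after a 'New connection' entry belongs to that
    connection: a client that sent plain MQTT (or an unsupported TLS
    version) to a TLS listener. Returns (failed_handshakes, accepted)."""
    failed, accepted = [], []
    pending = None  # (ts, ip, port) of the latest unattributed connection
    for line in log_text.splitlines():
        m = NEW_CONN.match(line)
        if m:
            pending = (m.group(1), m.group(2), int(m.group(3)))
            continue
        if WRONG_VERSION.match(line) and pending is not None:
            failed.append(pending)
            pending = None
            continue
        m = CONNECTED.match(line)
        if m:
            accepted.append((m.group(1), m.group(2), m.group(3)))
            pending = None
    return failed, accepted


def summarize(log_text):
    failed, accepted = classify_connections(log_text)
    return {
        "wrong_version_by_ip": dict(Counter(ip for _, ip, _ in failed)),
        "accepted_client_ids": [cid for _, _, cid in accepted],
    }
```

Run `summarize(open("/var/log/mosquitto/mosquitto.log").read())` (path is an assumption) to see which source addresses keep hitting a TLS listener without TLS.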