Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
557 views
in Technique[技术] by (71.8m points)

mosquitto MQTT broker and Java client with SSL / TLS

I'm using mosquitto and the Eclipse PAHO Java client.

Everything is working fine on plain TCP sockets. but now I want to use SSL for athentication (encryption not necessarily needed).

first I followed the instructions from http://mosquitto.org/man/mosquitto-tls-7.html

in mosquitto client I can not publish my message without the --insecure option, means i have to

mosquitto_pub -h <server-ip> -p <port> -t "/topic1/test" -m "testmsg" --cafile ca_cert.pem --cert client.crt --key client_priv.key --tls-version tlsv1.2 --insecure

otherwise an protocol error appears on the mosquitto console, which says

1379576698: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
1379576698: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1379576698: Socket read error on client (null), disconnecting.

-- insecure means not to check that the server certificate hostname matches the remote hostname.

little bit strange for me is that I'm trying to TLSbut the broker responds something with SSL.

however I am trying to enable SSL support in my java paho client, i stick to the example here: https://gist.github.com/sharonbn/4104301

as you can see in the example I do an

SSLContext context = SSLContext.getInstance("TLSv1")

so does it mean I am trying to connect with TLSv1, right? unfortunately i get an

javax.net.ssl.SSLHandshakeException: message_unknown

I tried to switch to TLSv1.2 (because it has been working for me with mosquitto_pub) and changed the context by

SSLContext context = SSLContext.getInstance("TLSv1.2")

but then i get an

NoSuchAlgorithmException: Unknown protocol: TLSv1.2

i don't know on which side this should be unknown...

btw: if i do

mosquitto_pub -h <server-ip> -p <port> -t "/topic1/test" -m "testmsg" --cafile ca_cert.pem --cert client.crt --key client_priv.key --tls-version tlsv1 --insecure

the result is

1379595808: OpenSSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
1379595808: Socket read error on client (null), disconnecting.

the same if i try it out of my java client

1379595995: OpenSSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
1379595995: Socket read error on client (null), disconnecting.

so i think i have to use/enable tlsv1.2 on the java client side. but how?

anybody out there who can help me? Thanks a lot in advance! peace

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

There are a couple of points here.

First things first, you should look at generating the correct certificates. As the documentation says, --insecure should not be used in production so it's worth focusing on that. The examples in mosquitto-tls are very basic. If you follow that procedure you must set the commonName of your server certificate to match the hostname of the server. If you are doing testing on your local computer, use commonName=localhost. I can't stress enough that using --insecure makes using TLS basically pointless. A much better way of creating a certificate is to add some subjectAltName entries to define which hostnames and/or ip addresses are valid for that certificate. An example of generating certificates with this feature is given in https://github.com/binarybucks/mqttitude/blob/master/tools/TLS/generate-CA.sh Note that you will need mosquitto 1.2.1 for this to work properly.

Moving on to the TLS version issue. It sounds very much like your JRE doesn't support TLSv1.2. According to this question you need at least IBM JRE 6/7 or Oracle JRE/OpenJDK 7 for TLSv1.2. Try using TLSv1 everywhere to ensure that your Java code doesn't have a problem somewhere else. You can configure mosquitto to use TLSv1 by using the option tls_version tlsv1 in your config file, right where you define the server certificates.

The terms TLS and SSL are often used interchangeably. SSL shouldn't really be used any more, except when referring to old protocol versions, but it has stuck and when people say SSL they often mean TLS.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...