Gemalto is now part of the Thales Group, find out more.

You are here

MQTT TLS error on EXS82-W | Thales IoT Developer Community

April 22, 2021 - 4:46pm, 3882 views

I have configured a Mosquitto server on my local machine:

mosquitto -h
mosquitto version 2.0.10

mosquitto is an MQTT v5.0/v3.1.1/v3.1 broker.

Usage: mosquitto [-c config_file] [-d] [-h] [-p port]

 -c : specify the broker config file.
 -d : put the broker into the background after starting.
 -h : display this help.
 -p : start the broker listening on the specified port.
      Not recommended in conjunction with the -c option.
 -v : verbose **** - enable all logging types. This overrides
      any logging options given in the config file.

See https://mosquitto.org/ for more information.

Here is the configuration file I am using:

allow_anonymous false
listener 8883 0.0.0.0

cafile   /home/user/CERTS/ca.crt
certfile /home/user/CERTS/server.crt
keyfile  /home/user/CERTS/server.key

tls_version tlsv1.2

require_certificate true
use_identity_as_username true

I am trying to use the MQTT with TLS, and with this configuration, I am able to subscribe and publish like this:

mosquitto_sub --cafile ca.crt -h AAAA.BBBB.CCCC.DDDD -t "mqtttest" -p 8883 -d --cert client.crt --key client.key


mosquitto_pub -h AAAA.BBBB.CCCC.DDDD -t "mqtttest" -m "***** world!" -p 8883 -d --cert client.crt --key client.key --cafile ca.crt

Obs.: AAAA.BBBB.CCCC.DDDD is just to hide my public IP, but I have already tested that my Mosquitto is accessible in an outside network (my IP is publicly accessible).

Up to this point, everything is working as I expected, where I can connect locally and outside my network.

The problem is when I try to connect it with a Cinterion module, which supports specification OASIS MQTT Version 3.1.1.

Also, the Cinterion module EXS82-W is using TLS version 1.2, which is the same as the Mosquitto.

However, when I try to connect the Cinterion module I get this error:

1619097715: New connection from AAAA.BBBB.CCCC.DDDD:1234 on port 8883.
1619097717: OpenSSL Error[0]: error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message
1619097717: Client <unknown> disconnected: Protocol error.

I do not know what is wrong here.

 

If I comment from the config file these two attributes:

# require_certificate true
# use_identity_as_username true

Then clients do not connect anymore, and I get this error (when trying to connect via mosquitto_sub):

mosquitto_sub --cafile ca.crt -h AAAA.BBBB.CCCC.DDDD -t "mqtttest" -p 8883 -d --cert client.crt --key client.key
Client (null) sending CONNECT
Client (null) received CONNACK (5)
Connection error: Connection Refused: not authorised.
Client (null) sending DISCONNECT

And, if I try to connect with the Cinterion module, I get this:

1619101865: New connection from AAAA.BBBB.CCCC.DDDD:1234 on port 8883.
1619101866: OpenSSL Error[0]: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
1619101866: Client <unknown> closed its connection.

Osb.: I had followed this tutorial on how to configure MQTT to use TLS communication, which is the steps that have worked so far for me.

My system is Ubuntu 20.04, kernel 5.4.0-72-generic

Cinterion module: EXS82-W B2.1

Mosquitto Server 2.0.10

TLS version used: 1.2

Running ATI1 on module:

Terminal ready
ATI1
Cinterion
EXS82-W
REVISION 01.100
A-REVISION 01.000.14

OK

For these tests, I am using the MQTT example from the SDK, which I had to just update the IP of the MQTT Server, and the certificates for the new ones I had generated.