
Context: our Mosquitto broker, running on a certain domain. Users can connect via TLS only.

We are using a self-signed certificate for this purpose, because we want to sign client certificates by ourselves.

Command on my machine

mosquitto_pub -h mqtt.sustainable-data-platform.org -p 8883 --cafile ./ca.cert.pem -t test -m "fff aaa" -u <user> -P <pssw>

The CA cert

openssl x509 -noout -text -in ./ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=NRW, L=Koeln, O=sdp, CN=sdp Server/emailAddress=...
        Validity
            Not Before: Jun 18 09:48:29 2024 GMT
            Not After : Jun 13 09:48:29 2044 GMT
        Subject: C=DE, ST=NRW, L=Koeln, O=sdp, CN=sdp Server/emailAddress=...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...

SSL Error

OpenSSL Error[0]: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
06-20T12:46:09: OpenSSL Error[1]: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

Guess

The domain does not match the CN of my CA certificate; do these need to match? Is there any other way to fix the problem? I am not familiar with using self-signed certificates for Mosquitto.

Edit

openssl s_client

I have checked this with openssl s_client --CAfile ./ca.cert.pem -connect mqtt.sustainable-data-platform.org:8883 and it returns (snippets):

CONNECTED(00000003)
depth=1 C = DE, ST = NRW, L = Koeln, O = sdp, CN = sdp Server, emailAddress = <mail>
verify return:1
depth=0 C = DE, ST = NRW, O = sdp, OU = sdp Server, CN = sdp server interm
verify return:1
---
Certificate chain
 0 s:C = DE, ST = NRW, O = sdp, OU = sdp Server, CN = sdp server interm
   i:C = DE, ST = NRW, L = Koeln, O = sdp, CN = sdp Server, emailAddress = <mail>
 1 s:C = DE, ST = NRW, L = Koeln, O = sdp, CN = sdp Server, emailAddress = <mail>
   i:C = DE, ST = NRW, L = Koeln, O = sdp, CN = sdp Server, emailAddress = <mail>
---
Server certificate
-----BEGIN CERTIFICATE-----

[...]

---
SSL handshake has read 3163 bytes and written 452 bytes
Verification: OK
---

[...]

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:  
        [...]

[...]

    Start Time: 1718884057
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
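An added illustration of the guess above (not part of the original question): a TLS client never compares the hostname with the CA's CN; hostname checking, which mosquitto_pub performs against the chain anchored at --cafile, is done on the broker's own certificate, normally through its subjectAltName. The script builds a throwaway CA with the same CN shape as the one in the question, issues a broker certificate with a constructed hostname (mqtt.example.test, an assumption), and shows which name openssl verify -verify_hostname accepts.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a private CA whose CN
# is not a hostname, issues a broker cert whose SAN carries the broker's
# hostname, and checks hostname verification against both names.
# WORK, BROKER_HOST and the subject strings are constructed for this demo.
WORK="${TMPDIR:-/tmp}/sdp-tls-demo.$$"
CA_SUBJ="/C=DE/ST=NRW/L=Koeln/O=sdp/CN=sdp Server"   # CA CN as in the question
BROKER_HOST="mqtt.example.test"                       # constructed broker name

# Create the CA and a broker certificate signed by it; the SAN holds the hostname.
make_pki() {
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=sdp/CN=$BROKER_HOST" \
        -keyout "$WORK/broker.key" -out "$WORK/broker.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\n' "$BROKER_HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/san.ext" -out "$WORK/broker.pem" >/dev/null 2>&1 || return 1
}

# Returns 0 only if broker.pem chains to ca.pem AND its SAN matches the given
# hostname; this is the check a verifying MQTT client performs, not a CN compare.
verify_for_host() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/broker.pem" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

make_pki
verify_for_host "$BROKER_HOST" && echo "ok: $BROKER_HOST matches the broker SAN"
verify_for_host "sdp Server" || echo "rejected: the CA CN is never matched as a hostname"
verify_for_host "other.example.test" || echo "rejected: name not in the broker SAN"
cleanup
```

Requires an openssl binary with -verify_hostname support (1.0.2 or later); the chain check also fails if the certificate presented at depth 0 is not the broker's own leaf certificate.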
