Impossible to connect to mosquitto broker with C API using TLS

Hello,

We are trying to connect to a mosquitto broker using the C API libmosquitto, with TLS. We cannot establish a connection.

We have generated and configured certificates in the .conf file of the broker:

cafile ca.crt
certfile server.crt
keyfile server.key

We used the OpenSSL suite tools to test the connection against the mosquitto broker using TLS; the connection seemed to work fine using these certificates.

We compiled 2 binaries for our test, one client which sends messages and another client which consumes messages.

In the .c files, we used the mosquitto_tls_set function:

For the client which sends messages:

mosquitto_tls_set(Message_producer, "ca.crt", NULL, "client.crt", "client.key", pw_callback);

We also tried with ca.crt only:

mosquitto_tls_set(Message_producer, "ca.crt", NULL, NULL, NULL, pw_callback);

And also using a certificate without password, setting pw_callback to NULL.

We also tried to use absolute paths in the mosquitto conf file and in the mosquitto_tls_set function in the API.

We did the same for the client which consumes messages.

Although we are able to connect without TLS, we haven’t been able to connect with TLS until now…

We got the following messages:

In the Mosquitto broker logs:

  1710169333: New connection from ::1:55696 on port 1883.
  1710169333: Client <unknown> disconnected due to protocol error.
  1710169334: New connection from ::1:55710 on port 1883.
  1710169334: Client <unknown> disconnected due to protocol error.

However, there are no error messages in the client logs, although they are not connected (when we try sending a message, we get the error message: “The client is not currently connected”).

For the client which sends messages, we have the following logs:

  "No error", when calling mosquitto_tls_set and mosquitto_connect.

For the client which receives messages, we have the following logs:

  "No error", when calling mosquitto_tls_set and mosquitto_connect.

As these clients weren’t able to connect, we guess we should have error messages.

Would anybody have an idea about this issue? Did we miss something in the configuration/.c file, or is there any possibility of a bug in the API?

Thanks in advance for your help.

The “protocol error” message in this situation is very commonly caused if you try and connect a client using TLS to a listener which is not using TLS. Given that you have port 1883 as well, this seems even more likely.

Could you please check that?

Regards,

Roger

Hi Roger,

Thanks a lot for your reply. Well, when we did the test we also tried to use port 8883 but couldn’t establish a connection either.

Below is the actual network status for mosquitto; maybe there is something wrong in the port config? This is for port 1883, but we had the same results when we used port 8883:

tcp 0 0 127.0.0.1:1883 0.0.0.0:* LISTEN 3324259/mosquitto
tcp6 0 0 ::1:1883 :::* LISTEN 3324259/mosquitto

When we tried with port 8883 we added the following lines to the conf file:

listener 8883 0.0.0.0
listener 8883 ::1

Is there any parameter that could be wrong in our config or that needs to be checked in the .conf file?

Thank you.

The config should look something like this:

listener 8883
certfile <path to server.crt>
keyfile <path to server.key>
# Some form of authentication as well

If you don’t specify the server certificate and key, then TLS mode cannot be activated.

Regards,

Roger

Thank you for this example.

Well, we filled these two fields indeed (certfile and keyfile), but we also filled the cafile with the .crt file:

cafile = ca.crt

We use the same ca.crt file with the client for the connection.

Should we remove the cafile information and keep only the certfile and keyfile settings?

Regards,

The cafile on the broker is only used for verifying client certificates when a client connects, if you are using client certificates. So it is not required, but also not a problem if you include it.

You could try using debug logging on your client - if the error is coming from the TLS part then you will get an error from the openssl library.

It might be worth using mosquitto_pub or _sub to do this, then you know it’s not any of your code at fault. An example command would be mosquitto_pub -h <host> --cafile ca.crt -t topic -m message -d
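The two replies above put the broker side first: a listener that has no certfile and keyfile is not a TLS listener, and a TLS client that reaches it is logged as a protocol error. The POSIX shell check below is an added example, not part of the thread or of the Mosquitto project; it applies the mosquitto.conf rule that certfile/keyfile/cafile belong to the most recently defined listener line and reports, per listener, whether server certificate material is present. The sample configuration it reads is constructed here and only modelled on the snippets posted above.

```shell
#!/bin/sh
# Added example (not from the thread): report which listeners in a
# mosquitto.conf carry server certificate material and so can accept TLS.
# certfile/keyfile/cafile apply to the most recently defined "listener" line;
# options before any "listener" apply to the default listener. A TLS client
# that reaches a listener without certfile+keyfile is dropped by the broker
# with "disconnected due to protocol error", which is the log in the thread.
# Usage: tls_listener_report /etc/mosquitto/mosquitto.conf  (or feed stdin)
tls_listener_report() {
    awk '
        function report() {
            # skip the default section when it carries no certificate options
            if (indefault && !(cert || key || ca)) return
            status = (cert && key) ? "TLS" : "PLAIN"
            detail = ""
            if (!cert) detail = detail " missing certfile"
            if (!key)  detail = detail " missing keyfile"
            if (ca && !(cert && key))
                detail = detail " (cafile alone does not enable TLS)"
            printf "%s: %s%s\n", name, status, detail
        }
        BEGIN { name = "default listener"; indefault = 1; cert = key = ca = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $1 == "listener" {
            report()
            name = "listener " $2; if (NF > 2) name = name " " $3
            indefault = 0; cert = key = ca = 0
            next
        }
        $1 == "certfile" { cert = 1 }
        $1 == "keyfile"  { key = 1 }
        $1 == "cafile"   { ca = 1 }
        END { report() }
    ' "$@"
}

# Constructed sample modelled on the poster's snippets (not their real file):
# certificate lines first, then two 8883 listeners with nothing after them.
sample_conf() {
    cat <<'EOF'
cafile ca.crt
certfile server.crt
keyfile server.key
listener 8883 0.0.0.0
listener 8883 ::1
EOF
}

sample_conf | tls_listener_report
```

Run it against the real broker file to see which listeners actually hold a certificate; a listener reported as PLAIN is one that a TLS client cannot complete a handshake with.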