SSL issues from updated OpenWRT box

I have an application where a device running OpenWRT obtains a broker certificate and then connects to a Mosquitto broker, running the version in the Ubuntu 22.04 repos.

As a test I can connect and subscribe from the command line:
mosquitto_sub -h <host> -p <port> --cafile broker-cert.pem -t '#' -u <user> -P <pass> --insecure

This all worked until I upgraded the OS on my device. As far as I can tell this relates to the OpenSSL version being raised from 1.1.1n to 1.1.1t. mosquitto_sub reports “Protocol error” and mosquitto.log shows

2024-01-25 16:12:09: OpenSSL Error[0]: error:0A000438:SSL routines::tlsv1 alert internal error
2024-01-25 16:12:09: Client <unknown> disconnected: Protocol error.

To be clear this is failing after a full firmware upgrade on the device (a Teltonika TRB255) so it’s possible that something other than the SSL version bump is the issue, but those errors point me in that direction.

Any suggestions how to debug this?

OpenSSL on the broker’s server is 3.0.2 15. The SSL certs are generated as follows:
openssl req -newkey rsa:2048 -nodes -keyout broker-key.pem -x509 -days 30 -out broker-cert.pem
… with Mosquitto configured with:

  certfile /path/to/broker-cert.pem
  keyfile /path/to/broker-key.pem

I eventually solved this myself, and all the clues were leading me in the wrong direction.

The new OpenWRT firmware changed the way the NTP client worked, and it meant that my device wasn’t setting the clock correctly. Therefore the certificates all looked to be from the future and were rightly being rejected.

It would have been a lot easier to debug if the error was more helpful than “Protocol error”. Is that the best that can be reported based on what is reported back by the SSL libraries, or could it be improved in mosquitto_sub?
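
An added example, not part of the original posts: checking a clock reading against the certificate's validity window, which is the condition that failed here. It parses the output of `openssl x509 -in broker-cert.pem -noout -dates`; the sample dates and the function names are constructed for illustration.

```python
import ssl
import time

# Constructed sample of what
#   openssl x509 -in broker-cert.pem -noout -dates
# prints for a 30-day certificate (values made up for illustration).
SAMPLE_DATES = """\
notBefore=Jan 25 16:00:00 2024 GMT
notAfter=Feb 24 16:00:00 2024 GMT
"""


def parse_validity(dates_output):
    """Return (not_before, not_after) in epoch seconds from `-dates` output."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    return fields["notBefore"], fields["notAfter"]


def check_clock(dates_output, now=None):
    """Classify a clock reading against the certificate validity window.

    Returns (status, seconds): how far outside the window the clock is,
    or the validity time remaining when the status is "ok".
    """
    now = int(time.time()) if now is None else int(now)
    not_before, not_after = parse_validity(dates_output)
    if now < not_before:
        # Certificate "from the future": the clock is behind, e.g. NTP never synced.
        return "not-yet-valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "ok", not_after - now


if __name__ == "__main__":
    # Pass the device's own `date -u +%s` reading as `now` to test its clock.
    for label, now in [("unset clock", 0), ("this machine", None)]:
        status, seconds = check_clock(SAMPLE_DATES, now)
        print(f"{label}: {status} ({seconds} s)")
```

A "not-yet-valid" result with a very large offset points at the client clock rather than at the certificate or the TLS library version.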