mcsMQTT (3P) Discussion of mcsMQTT plug-in

#21 - April 16th, 2018, 02:52 AM - ZoRaC
I use TLS on Mosquitto, but without client-certs, just username and password.
I tried that (leaving the Cert-files blank), but that doesn't seem to work...?

#22 - April 16th, 2018, 06:33 AM - vasrc
Quote:
Originally Posted by Michael McSharry
Has anybody had success with using a certificate with Mosquitto and mcsMQTT?

My latest attempt was using TLS1.1 rather than 1.2. HS, mcsMQTT and Mosquitto on Linux. Previously mcsMQTT was on Windows.
Mosquitto log reports the following. Don't know if it is complaining about contents or ability to find file. It does exist
Code:
1523849104: Error: Unable to load server key file "/usr/local/HomeSeer/Certs/m2mqtt_srv.key". Check keyfile.
The file at the indicated path is
Code:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,38D4B13DC1301BDA
-----END RSA PRIVATE KEY-----
Running it here without any problems. Your key file is encrypted (don't use -des3 when you create it).
Try it unencrypted.
To decrypt:
openssl rsa -in m2mqtt_srv.key -out m2mqtt_srv.key (may have to use a different name for -out)

Your mosquitto.conf says:
keyfile /usr/local/HomeSeer/Certs/m2mqtt_srv.key

Here's a good link:
https://github.com/knolleary/pubsubclient/issues/84

Also to create the certs/keys:
https://mosquitto.org/man/mosquitto-tls-7.html

Z

#23 - April 16th, 2018, 08:59 AM - Pete
Trying from scratch here.

Initially just created a sslcert directory on my laptop desktop.

/home/pete/Desktop/sslcert# ls
/home/pete/Desktop/sslcert#

1 - Certificate Authority

Generate a certificate authority certificate and key.

/home/pete/Desktop/sslcert# openssl req -new -x509 -days 500 -extensions v3_ca -keyout ca.key -out ca.crt

Generating a 2048 bit RSA private key
.......+++
........+++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
/home/pete/Desktop/sslcert#

/home/pete/Desktop/sslcert# ls
ca.crt ca.key

2 - Client

- Generate a client key.

openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
......................................................................................+++
e is 65537 (0x10001)

- Generate a certificate signing request to send to the CA.

openssl req -out client.csr -key client.key -new

Send the CSR to the CA, or sign it with your CA key:

openssl req -out client.csr -key client.key -new
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
/home/pete/Desktop/sslcert#

/home/pete/Desktop/sslcert# ls
ca.crt ca.key client.csr client.key

Send the CSR to the CA, or sign it with your CA key:

/home/pete/Desktop/sslcert# openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 500
Signature ok
subject=/C=US/ST=Some-State/O=Internet Widgits Pty Ltd
Getting CA Private Key
Enter pass phrase for ca.key:
/home/pete/Desktop/sslcert#

/home/pete/Desktop/sslcert# ls
ca.crt ca.key ca.srl client.crt client.csr client.key

Copied sslcert directory to /HomeSeer/sslcert directory

[Image: pic1.jpg]

Configuration on plugin page.

[Image: pic2.jpg]

Node Red configuration:

created a directory on desktop called noderedcerts and did the following:

Server

- Generate a server key.

openssl genrsa -out server.key 2048

- Generate a server key without encryption.

openssl genrsa -out server.key 2048

- Generate a certificate signing request to send to the CA.

openssl req -out server.csr -key server.key -new

Send the CSR to the CA, or sign it with your CA key:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 500

Node Red pictures. Here just upload certs from desktop.

[Image: nr-pic1.jpg]

[Image: nr-pic2.jpg]

When enabled on the Homeseer 3 / mqtt plugin side see this: (goes offline)

[Image: offline.jpg]

debug.txt shows this when working:

4/16/2018 7:26:54 AM 113 | PopulateReceiveDict 10.67C6697351FF8D/temperature, PluginDevice=True
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict 26.061575000000/temperature, PluginDevice=True
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict 26.061575000000/humidity, PluginDevice=True
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict 10.67C6697351FF/temperature, PluginDevice=True
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict 10.A04713000800/temperature, PluginDevice=True

to this when it goes offline:

4/16/2018 7:26:54 AM 112 | PopulateReceiveDict , PluginDevice=False
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict , PluginDevice=False
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict , PluginDevice=False
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict , PluginDevice=False
4/16/2018 7:26:54 AM 113 | PopulateReceiveDict , PluginDevice=False

Node Red shows connecting but never connected.

syslog shows:

Apr 16 08:36:11 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:11 - [info] [mqtt-broker:humidity] Connected to broker: mqtt://localhost:1883
Apr 16 08:36:11 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:11 - [info] [debug:10.A14-Temp] 69.7
Apr 16 08:36:14 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:14 - [info] [debug:26.5CD-Humidity] 37.9
Apr 16 08:36:15 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:15 - [info] [debug:26.5CD-Temp] 70.8
Apr 16 08:36:24 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:24 - [info] [debug:10.A14-Temp] 69.6
Apr 16 08:36:24 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:24 - [info] [debug:26.5CD-Humidity] 38
Apr 16 08:36:24 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:24 - [info] [debug:26.5CD-Temp] 70.5
Apr 16 08:36:26 ICS-Stretch175 Node-RED[266]: 16 Apr 08:36:26 - [info] [mqtt-broker:Temperature] Connection failed to broker: mqtts://192.168.244.175:1883
__________________
- Pete

Automator

HS3 Pro & Lite Edition Beta 3.0.0.4449

HS3 Wintel Touch | Ubuntu 16.04 64 bit | Oracle Windows Virtual Box ==> for Wintel only SAPI and HS3 plugins | Speech - Microsoft SAPI - Neospeech - Amazon Echo | Hardware | Haswell Intel iSeries 3 - 16Gb | Pine64 - 2Gb computers | Openpeak Intel Atom SoC tabletop touchscreens (15 HS tabletop tablets) | Touchscreens - Windows embedded POE connected |Light switches - X10,UPB, ZWave and Zigbee | Firewall - PFSense - 2 WAN plus 4 LAN interfaces | Network - Gb managed switches / POE WAP(s) | CCTV - Zoneminder IPHD cams - variety | Audio - Russound - AB8SS | Security - Leviton HAI Omni Pro 2 | Weather - Davis Vantage Vue - MeteoStick - WeeWx | 1-Wire - AAG, Midon and HB | OWFS - Mosquitto - Node Red - Python - RPi Stretch - OpenWRT

Last edited by Pete; April 16th, 2018 at 09:38 AM.
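The same procedure in Go against the standard library, as an added example (not code from the thread or from the plugin): it builds the CA, broker and client certificates the post creates with openssl and then runs the checks each peer performs during the handshake, going one step further than the post by putting the broker's name and IP into the server certificate, since the post left Common Name blank. The host name mqtt.home.lan and the CA/client subject names are assumptions; 192.168.244.175 is the broker address from the Node Red log above.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Identity is a certificate with its private key: the .crt/.key pair each openssl step writes.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key and signs tmpl with the parent's key (the "openssl x509 -req -CA ca.crt
// -CAkey ca.key" step). A nil parent yields a self-signed certificate, which is how the CA is made.
func issue(tmpl *x509.Certificate, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo serial; openssl keeps ca.srl
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(500 * 24 * time.Hour) // same lifetime as "-days 500"
	parentCert, signer := tmpl, crypto.Signer(key)
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// BuildPKI follows the post's three steps: CA, broker (server) certificate, client certificate.
// Unlike the post, the broker certificate names the host and IP that clients will dial.
func BuildPKI(brokerHost string, brokerIP net.IP) (ca, server, client *Identity, err error) {
	ca, err = issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "HomeSeer test CA"}, // assumed name
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
	if err != nil {
		return
	}
	server, err = issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: brokerHost},
		DNSNames:    []string{brokerHost},
		IPAddresses: []net.IP{brokerIP},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	if err != nil {
		return
	}
	client, err = issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "mcsMQTT"}, // assumed name
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca)
	return
}

// Verify is what each side does in the handshake: chain the peer's certificate to the trusted CA
// (the plugin's "CA cert" file) and, for a server certificate, confirm the dialled name is in it.
func Verify(leaf, ca *x509.Certificate, name string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func main() {
	ca, server, client, err := BuildPKI("mqtt.home.lan", net.ParseIP("192.168.244.175"))
	if err != nil {
		panic(err)
	}
	fmt.Println("broker cert, dialled by name:", Verify(server.Cert, ca.Cert, "mqtt.home.lan", x509.ExtKeyUsageServerAuth))
	fmt.Println("broker cert, dialled as localhost:", Verify(server.Cert, ca.Cert, "localhost", x509.ExtKeyUsageServerAuth))
	fmt.Println("client cert presented to broker:", Verify(client.Cert, ca.Cert, "", x509.ExtKeyUsageClientAuth))
}
```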

#24 - April 16th, 2018, 01:53 PM - vasrc
Quote:
Originally Posted by Michael McSharry
Has anybody had success with using a certificate with Mosquitto and mcsMQTT?

My latest attempt was using TLS1.1 rather than 1.2. HS, mcsMQTT and Mosquitto on Linux. Previously mcsMQTT was on Windows.
Mosquitto log reports the following. Don't know if it is complaining about contents or ability to find file. It does exist
Code:
1523849104: Error: Unable to load server key file "/usr/local/HomeSeer/Certs/m2mqtt_srv.key". Check keyfile.
The file at the indicated path is

After loading the latest PI, I have the same issue and error in the debug log. No connection to the broker.
BTW, is there a simple method to see if you're actually connected to the broker? It's not obvious from the PI config page.

Z
(additionally, once you enter a Client cert, you can't remove it from the GUI, you have to manually edit the ini config file)

#25 - April 16th, 2018, 02:27 PM - vasrc
My broker log is spitting out:
SSL3_GET_RECORD:wrong version number

Does this for both TLSV1_1 as well as TLSv1_2, so it sounds like that's where the problem is in the plugin.
If I remember the m2mqtt library it's in the MqttClient call argument:
MqttSslProtocols.TLSv1_2

Z

#26 - April 16th, 2018, 02:33 PM - vasrc
Sorry for all the posts...
Had to go back to 3.2.9.3 before I could get it to work with just a CA file again.


Edit... Ahh... That was BEFORE port 8883 is why. I'm running both ports on the broker, didn't catch that.
Nonetheless, I can't get anything working with just the CAcert now. I "think" I was doing TLSV1_1 initially, so that might be why.

Z

#27 - April 16th, 2018, 04:07 PM - Michael McSharry
Quote:
BTW, is there a simple method to see if you're actuall connected to the broker? It's not obvious from the PI config page.
Found on Statistics Tab first row.

The code sequence to establish connection to broker is below. The security information is passed as the MQTT Client object is created. The connection method of the MQTT Client contains username and password. Note that I assumed that both certificates are needed. Is this not the case?
Code:
Dim bSecure As Boolean = False
Dim caCert As System.Security.Cryptography.X509Certificates.X509Certificate = Nothing
Dim clientCert As System.Security.Cryptography.X509Certificates.X509Certificate = Nothing
Dim sslProtocol As uPLibrary.Networking.M2Mqtt.MqttSslProtocols = uPLibrary.Networking.M2Mqtt.MqttSslProtocols.None

If gMQTTBrokerSSL <> uPLibrary.Networking.M2Mqtt.MqttSslProtocols.None AndAlso gMQTTBrokerCaCert <> "" AndAlso gMQTTBrokerClientCert <> "" Then
    Dim sCert As String = "CaCert"
    Try
        caCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerCaCert)
        sCert = "Client Cert"
        clientCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerClientCert)
        sslProtocol = gMQTTBrokerSSL
        bSecure = True
    Catch ex As Exception
        hsWritelog(PLUGIN_DEBUG, sCert & " issue " & ex.Message)
    End Try
End If

oMQTTClient = New uPLibrary.Networking.M2Mqtt.MqttClient(gMQTTBroker, gMQTTBrokerPort, bSecure, caCert, clientCert, sslProtocol)
bSubscribed = False
If bFirstPass Then
    hsWritelog(PLUGIN_DEBUG, "MQTT Thread Client Created")
End If

AddHandler oMQTTClient.MqttMsgPublishReceived, AddressOf client_MqttMsgPublishReceived
Dim clientId As String = Guid.NewGuid().ToString()
If bFirstPass Then
    hsWritelog(PLUGIN_DEBUG, "MQTT Thread Client ID=" & clientId)
End If

Try
    iBrokerResponse = oMQTTClient.Connect(
        clientId,
        gMQTTBrokerUsername,
        gMQTTBrokerPassword,
        gDefaultRetain,
        gDefaultQOS,
        True,
        gThisComputer & "/" & PLUGIN_NAME & "/LWT",
        "Offline",
        True,
        60)  'False,, 'Messages.MqttMsgBase.QOS_LEVEL_EXACTLY_ONCE,
    If bFirstPass Then
        hsWritelog(PLUGIN_DEBUG, "MQTT Thread Broker " & gMQTTBroker & " Connect Response=" & iBrokerResponse.ToString)
    End If

Catch ex As Exception
    If gDebugLog Then
        ' InnerException can be Nothing; dereferencing it would throw a second exception inside this Catch
        Dim sInner As String = ""
        If ex.InnerException IsNot Nothing Then sInner = ":" & ex.InnerException.Message
        hsWritelogEx(PLUGIN_DEBUG, "StartMQTT Connection attempt to Broker " & gMQTTBroker, ex.Message & sInner)
        oMQTTClient = Nothing
    End If
End Try
The user selection for the SSL is
Code:
Dim arrSSL() As String = {uPLibrary.Networking.M2Mqtt.MqttSslProtocols.None.ToString, _
                          uPLibrary.Networking.M2Mqtt.MqttSslProtocols.SSLv3.ToString, _
                          uPLibrary.Networking.M2Mqtt.MqttSslProtocols.TLSv1_0.ToString, _
                          uPLibrary.Networking.M2Mqtt.MqttSslProtocols.TLSv1_1.ToString, _
                          uPLibrary.Networking.M2Mqtt.MqttSslProtocols.TLSv1_2.ToString}
For iSSL As Integer = 0 To arrSSL.Length - 1
    bSelected = (iSSL = gMQTTBrokerSSL)
    dl.AddItem(arrSSL(iSSL), iSSL, bSelected)
Next
:
:
Case MQTTBROKERSSL
    If IsNumeric(sValue) Then
        gMQTTBrokerSSL = CType(sValue, Integer)
        hs.SaveINISetting(GENERAL_GROUP, sItem, q & sValue & q, MQTT_INI_FILE)
        oMQTTClient = Nothing
    Else
        Me.pageCommands.Add("popmessage", sValue & " is invalid selection for SSL")
    End If

#28 - April 16th, 2018, 05:35 PM - vasrc
I don't see any reliable documentation on M2Mqtt and client certs. I'd roll back to just the CA cert in your If->AndAlso check and see if that works as a starter (could also add another If/Then for CA AND client cert). Also might either hardcode in the TLSv1_2 object or see if you can add the enum to the array instead of a string. Not sure if it's looking for the M2Mqtt protocol object or a string.

Z

#29 - April 16th, 2018, 06:21 PM - Michael McSharry
The two edits were done in the attached. Still need some SSL selected on mcsMQTT setup but the 1.2 will be used.
Code:
If gMQTTBrokerSSL <> uPLibrary.Networking.M2Mqtt.MqttSslProtocols.None AndAlso gMQTTBrokerCaCert <> "" Then 'AndAlso gMQTTBrokerClientCert <> "" Then
    Dim sCert As String = "CaCert"
    Try
        caCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerCaCert)
        sCert = "Client Cert"
        clientCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerClientCert)
        sslProtocol = uPLibrary.Networking.M2Mqtt.MqttSslProtocols.TLSv1_2 'gMQTTBrokerSSL
        bSecure = True
    Catch ex As Exception
        hsWritelog(PLUGIN_DEBUG, sCert & " issue " & ex.Message)
    End Try
End If

Last edited by Michael McSharry; April 19th, 2018 at 04:30 PM.

#30 - April 16th, 2018, 07:50 PM - vasrc
Quote:
Originally Posted by Michael McSharry
The two edits were done in the attached. Still need some SSL selected on mcsMQTT setup but the 1.2 will be used.
Code:
If gMQTTBrokerSSL <> uPLibrary.Networking.M2Mqtt.MqttSslProtocols.None AndAlso gMQTTBrokerCaCert <> "" Then 'AndAlso gMQTTBrokerClientCert <> "" Then
    Dim sCert As String = "CaCert"
    Try
        caCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerCaCert)
        sCert = "Client Cert"
        clientCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerClientCert)
        sslProtocol = uPLibrary.Networking.M2Mqtt.MqttSslProtocols.TLSv1_2 'gMQTTBrokerSSL
        bSecure = True
    Catch ex As Exception
        hsWritelog(PLUGIN_DEBUG, sCert & " issue " & ex.Message)
    End Try
End If
Still fails with protocol version not supported, but I'm not convinced that's it yet. Can you put a null where the client cert argument is in the MqttClient call. It's trying to resolve that cert.
I also see numerous port 8883 being opened each time it attempts to connect. Are they being closed when they fail?

Z

#31 - April 16th, 2018, 09:37 PM - Michael McSharry
ClientCert set to Nothing

Last edited by Michael McSharry; April 19th, 2018 at 04:30 PM.

#32 - April 19th, 2018, 02:50 PM - vasrc
Quote:
Originally Posted by Pete
Trying from scratch here.
Is the plugin on a Windows platform or Linux? Windows "should" reject self-signed CA certs unless you stick them in the Trusted Root or somesuch.

Also, what CN are you using and how are you resolving it so it matches the cert?

Thanks,
Z

#33 - May 15th, 2018, 11:49 PM - Jeeves
Quote:
Originally Posted by Michael McSharry
The two edits were done in the attached. Still need some SSL selected on mcsMQTT setup but the 1.2 will be used.
Code:
If gMQTTBrokerSSL <> uPLibrary.Networking.M2Mqtt.MqttSslProtocols.None AndAlso gMQTTBrokerCaCert <> "" Then 'AndAlso gMQTTBrokerClientCert <> "" Then
    Dim sCert As String = "CaCert"
    Try
        caCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerCaCert)
        sCert = "Client Cert"
        clientCert = System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromCertFile(gMQTTBrokerClientCert)
        sslProtocol = uPLibrary.Networking.M2Mqtt.MqttSslProtocols.TLSv1_2 'gMQTTBrokerSSL
        bSecure = True
    Catch ex As Exception
        hsWritelog(PLUGIN_DEBUG, sCert & " issue " & ex.Message)
    End Try
End If
I see these edits, but was this ever fixed?

I have my broker using TLS1.2 with client certs successfully being utilized on other devices, but mcsMQTT v3.3.6.0 running on a Raspberry pi 3 (looking to upgrade this soon) using the same method, set to TLS 1.2 fails over and over with: (mosquitto log)

Code:
May 15 17:12:47 raspberrypi mosquitto[431]: New connection from [HS3-IP] on port 1883.
May 15 17:12:47 raspberrypi mosquitto[431]: 1526425967: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:12:47 raspberrypi mosquitto[431]: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:12:47 raspberrypi mosquitto[431]: Socket error on client <unknown>, disconnecting.
Other clients connect fine:
Code:
New client connected from 192.168.1. as mqtt_test (c0, k3600, u'MQTT_TEST').
It worked without any security, however once I put the certs in place, HS3/mcsMQTT refuses to connect.

Changing the TLS setting for "MQTT Broker Security" doesn't change the error at all.

Thanks
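An added example (not from the thread or from Mosquitto): a Go program that reads Mosquitto log lines in the format quoted above and separates clients that completed an MQTT connect from clients whose first bytes were not a TLS record. OpenSSL reports "wrong version number" when the bytes it reads as a TLS record header carry no TLS version, which is what a plaintext MQTT CONNECT looks like to a listener that has certificates configured; the sample log, its addresses, port and client names are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample in the Mosquitto log format quoted in the post above;
// addresses, port and client names are made up for this example.
const sampleLog = `May 15 17:12:40 raspberrypi mosquitto[431]: New connection from 192.168.1.50 on port 8883.
May 15 17:12:40 raspberrypi mosquitto[431]: New client connected from 192.168.1.50 as mqtt_test (c0, k3600, u'MQTT_TEST').
May 15 17:12:47 raspberrypi mosquitto[431]: New connection from 192.168.1.20 on port 8883.
May 15 17:12:47 raspberrypi mosquitto[431]: 1526425967: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:12:47 raspberrypi mosquitto[431]: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:12:47 raspberrypi mosquitto[431]: Socket error on client <unknown>, disconnecting.
May 15 17:13:02 raspberrypi mosquitto[431]: New connection from 192.168.1.20 on port 8883.
May 15 17:13:02 raspberrypi mosquitto[431]: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:13:02 raspberrypi mosquitto[431]: Socket error on client <unknown>, disconnecting.`

// PeerStats accumulates what the broker saw from one client address on one port.
type PeerStats struct {
	Peer, Port string
	Connected  int      // handshakes that reached an MQTT CONNECT ("New client connected")
	NotTLS     int      // connections whose first bytes were not a TLS record
	Usernames  []string // usernames seen in successful connects
}

var (
	reNewConn   = regexp.MustCompile(`New connection from (\S+) on port (\d+)\.`)
	reBadRecord = regexp.MustCompile(`OpenSSL Error: .*wrong version number`)
	reClientOK  = regexp.MustCompile(`New client connected from (\S+) as \S+ \(.*u'([^']*)'\)`)
)

// Analyze walks the log in order. Mosquitto logs the "New connection" line
// before any error for that socket, so a "wrong version number" is charged to
// the most recent pending connection; the repeated OpenSSL lines that belong
// to one failed connection are counted once.
func Analyze(log string) map[string]*PeerStats {
	stats := map[string]*PeerStats{}
	get := func(peer, port string) *PeerStats {
		key := peer + ":" + port
		if stats[key] == nil {
			stats[key] = &PeerStats{Peer: peer, Port: port}
		}
		return stats[key]
	}
	var pending *PeerStats
	charged := false
	for _, line := range strings.Split(log, "\n") {
		switch {
		case reNewConn.MatchString(line):
			m := reNewConn.FindStringSubmatch(line)
			pending, charged = get(m[1], m[2]), false
		case reBadRecord.MatchString(line) && pending != nil && !charged:
			pending.NotTLS++
			charged = true
		case reClientOK.MatchString(line):
			m := reClientOK.FindStringSubmatch(line)
			p := pending
			if p == nil || p.Peer != m[1] {
				p = get(m[1], "?") // connect line carries no port; keep it under an unknown port
			}
			p.Connected++
			p.Usernames = append(p.Usernames, m[2])
			pending = nil
		case strings.Contains(line, "Socket error on client"):
			pending = nil
		}
	}
	return stats
}

// Report turns the counters into findings: a peer that keeps sending non-TLS
// bytes to a TLS listener is misconfigured, and if it is an MQTT client with a
// username/password set, those credentials crossed the network in cleartext.
func Report(stats map[string]*PeerStats) []string {
	var out []string
	for _, s := range stats {
		if s.NotTLS > 0 {
			out = append(out, fmt.Sprintf("%s sent non-TLS data to the TLS listener on port %s in %d attempt(s): fix its TLS setting and rotate any username/password it is configured with", s.Peer, s.Port, s.NotTLS))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, f := range Report(Analyze(sampleLog)) {
		fmt.Println(f)
	}
}
```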

#34 - May 16th, 2018, 06:48 PM - Michael McSharry
It is my understanding that Pete and vasrc have SSL functional with mcsMQTT. vasrc indicated that he was unable to get a self-signed certificate to work, however. I have no background in this area so am leaning on the users to help.

#35 - May 16th, 2018, 08:47 PM - vasrc
Quote:
Originally Posted by Jeeves
I see these edits, but was this ever fixed?

I have my broker using TLS1.2 with client certs successfully being utilized on other devices, but mcsMQTT v3.3.6.0 running on a Raspberry pi 3 (looking to upgrade this soon) using the same method, set to TLS 1.2 fails over and over with: (mosquitto log)

Code:
May 15 17:12:47 raspberrypi mosquitto[431]: New connection from [HS3-IP] on port 1883.
May 15 17:12:47 raspberrypi mosquitto[431]: 1526425967: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:12:47 raspberrypi mosquitto[431]: OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
May 15 17:12:47 raspberrypi mosquitto[431]: Socket error on client <unknown>, disconnecting.
Other clients connect fine:
Code:
New client connected from 192.168.1. as mqtt_test (c0, k3600, u'MQTT_TEST').
It worked without any security, however once I put the certs in place, HS3/mcsMQTT refuses to connect.

Changing the TLS setting for "MQTT Broker Security" doesn't change the error at all.

Thanks
Looks like you're using port 1883? For TLS1_X you need to use port 8883
I'm guessing you set up your broker for 1883?
You can dual port the mosquitto broker so it responds to both, but you'll need a CA and server certificate.

To see if the broker responds correctly using port 8883:
openssl s_client -connect IP of broker:8883

Z

#36 - May 17th, 2018, 02:21 AM - Jeeves
Quote:
Originally Posted by vasrc
Looks like you're using port 1883? For TLS1_X you need to use port 8883
I'm guessing you setup your broker for 1883?
You can dual port the mosquitto broker so it responds to both, but you'll need a CA and server certificate.

To see if the broker responds correctly using port 8883:
openssl s_client -connect IP of broker:8883

Z
I'm unfamiliar with the need to dual-port mosquitto.

It was working and responding to two other clients fine on port 1883 (which I had configured it to use).

Mosquitto is set up with both the CA and server certificate using TLS1.2 and the clients are using client certificates.
Only mcsMQTT is failing with the error related to SSL3. In my previous post I provided logs and tried to indicate that the HS3 IP was the only one having issues while the other clients connected without problem.

#37 - May 17th, 2018, 06:03 AM - Pete
Here did it all via Node Red which is very intuitive.

Node Red test broker was configured at port 8883 whereas my other Node Red test broker was configured at port 1883.

Thinking Node Red defaulted to port 8883?

I have not paid attention lately working on my Node Red counter thing.

[Image: nodered.jpg]
[Image: nodered1.jpg]
[Image: nodered2.jpg]
Last edited by Pete; May 17th, 2018 at 06:14 AM.

#38 - May 17th, 2018, 06:13 AM - vasrc
Quote:
Originally Posted by Jeeves
I'm unfamiliar with the need to dual-port mosquitto.

It was working and responding to two other clients fine on port 1883 (which I had configured it to use).

Mosquitto is setup with both the ca and server certificate using TLS1.2 and the clients are using client certificates.
Only mcsMQTT is failing with the error related to SSL3. In my previous post I provided logs and tried to indicate that the HS3 IP was the only one having issues while the other clients connected without problem.
It's quite simple in mosquitto. In the config file look for the section labeled Extra Listeners. This is where you define another port to listen on. Each listener has its own SSL settings so make sure you're setting the cafile, certfile and certkey on the correct listener. The certs are for the port 8883 listener. Restart the broker and you should now be able to accept traffic from both non-secure (1883) and secure (8883) devices.

I haven't been able to get the plugin on windows to accept a self-signed cert as it needs some internal programming to catch those exceptions. It works well on both my ESP8266 and ESP32 devices though. Haven't tried it on a PI yet, have to try that still.

Additionally, since this is SSL the CN of the cert (you enter this when you make it) will need to match the DNS name of your broker so that assumes you either have a DNS in your system to resolve IP's to names or your host file defines it.

Z

#39 - May 17th, 2018, 06:24 AM - Pete
Yeah here using Node Red on RPi2's (two of them).

Wondering now if I am the only tester here using Node Red on the RPi's?

#40 - May 17th, 2018, 12:56 PM - Pete
Unrelated to SSL here while I can enable two listeners with two ports on mcsMQTT.

Testing it the other day changed the port number of one of them and kept the same IP and mcsMQTT did go off line. When I changed the port to the same one as the source messages then mcsMQTT went back on line.