
ESP8266 and mosquitto: Wificlientsecure apparently connects but after it aborts #4541

Closed
jayceeZar opened this issue Mar 21, 2018 · 2 comments

Comments

jayceeZar commented Mar 21, 2018

Platform

  • Hardware: ESP8266 Wemos D1 mini

Settings in IDE

  • Module: Wemos D1 mini
  • Flash Size: 4MB
  • CPU Frequency: 80Mhz
  • Upload Using: SERIAL
  • Upload Speed: 115200

Problem Description

I'm trying to make a secure connection using TLS through the library Wificlientsecure (with the library WifiClient it works perfectly). The certificate exchange is done without problems, but the connection never succeeds. In the mosquitto broker log I see the following:

- New connection from 10.228.54.79 on port 8883.

and some seconds after...

- Socket error on client <unknown>, disconnecting.

I don't know why the ESP8266 verifies the broker but after a few seconds aborts.

mosquitto.conf:

allow_anonymous false
password_file /etc/mosquitto/conf.d/passwd

listener 8883

cafile /etc/mosquitto/conf.d/Certificates/mqtt_ca.crt
certfile /etc/mosquitto/conf.d/Certificates/mqtt_server.crt
keyfile /etc/mosquitto/conf.d/Certificates/mqtt_server.key

# After loading the certificates
require_certificate true
tls_version tlsv1

I generated the certificates following this procedure:

1) Generate a CA certificate and key
sudo openssl req -new -x509 -days 3650 -extensions v3_ca -keyout mqtt_ca.key -out mqtt_ca.crt

2) Generate a server key
sudo openssl genrsa -out mqtt_server.key 2048

3) Generate a certificate signing request to send to the CA
sudo openssl req -out mqtt_server.csr -key mqtt_server.key -new

4) Send the CSR to the CA, or sign it with your CA key
sudo openssl x509 -req -in mqtt_server.csr -CA mqtt_ca.crt -CAkey mqtt_ca.key -CAcreateserial -out mqtt_server.crt -days 3650

Sketch

#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>   // axTLS-based client (loadCACert / verify API used below)
#include <FS.h>
#include <Adafruit_MQTT.h>
#include <Adafruit_MQTT_Client.h>

// The declarations below were not part of the posted sketch. Values are taken
// from the debug log where the log shows them; everything else is a placeholder.
#define WLAN_SSID      "SHOPFLOOR2"
#define WLAN_PASS      "<wifi-password>"
#define AIO_SERVER     "ESZARASSRVIOT001.eu.net"
#define AIO_SERVERPORT 8883
#define AIO_USERNAME   "<mqtt-username>"
#define AIO_KEY        "<mqtt-password>"

// SHA-1 fingerprint of the broker certificate (not given in the issue)
const char* fingerprint = "<broker-cert-sha1-fingerprint>";

// Button pins (assumed; the original did not declare them)
const int buttonPin3 = D3;
const int buttonPin4 = D4;
volatile unsigned long firstTime3 = 0;

WiFiClientSecure client;
Adafruit_MQTT_Client mqtt(&client, AIO_SERVER, AIO_SERVERPORT, AIO_USERNAME, AIO_KEY);

// Button ISRs: their bodies are not shown in the original, so they are left empty here.
void ICACHE_RAM_ATTR push3() {}
void ICACHE_RAM_ATTR push4() {}

void verifyFingerprint();

void setup() {
  Serial.begin(115200);
  Serial.setDebugOutput(true);

  delay(10);

  // initialize the pushbutton pins as inputs:
  pinMode(buttonPin3, INPUT_PULLUP);
  attachInterrupt(buttonPin3, push3, FALLING);
  pinMode(buttonPin4, INPUT_PULLUP);
  attachInterrupt(buttonPin4, push4, FALLING);

  // Connect to WiFi access point.
  Serial.println(); Serial.println();
  Serial.print("Connecting to ");
  Serial.println(WLAN_SSID);

  WiFi.begin(WLAN_SSID, WLAN_PASS);
  delay(2000);

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println();

  Serial.println("WiFi connected");
  Serial.println("IP address: "); Serial.println(WiFi.localIP());

  SPIFFS.begin();

  // Load the CA certificate (DER) from SPIFFS so the broker certificate can be verified.
  // Note: only the CA is loaded; no client certificate/key is presented, although
  // the posted mosquitto.conf sets require_certificate true.
  File ca = SPIFFS.open("/mqtt_caCert.der", "r");

  if (!ca) {
    Serial.println("Failed to open ca file");
  } else {
    Serial.println("Success to open ca file");
  }
  if (client.loadCACert(ca, ca.size())) {
    Serial.println("loaded");
  } else {
    Serial.println("not loaded");
  }

  firstTime3 = millis();

  // Setup MQTT will to set on/off to "0" when we disconnect
  mqtt.will(AIO_USERNAME "/feeds/0003/onoff", "0", 1, 0); // topic, message, qos, retain

  verifyFingerprint();
}

void loop() {

}

void verifyFingerprint() {

  const char* host = AIO_SERVER;

  Serial.print("Connecting to ");
  Serial.println(host);

  // TLS handshake with the broker
  if (!client.connect(host, AIO_SERVERPORT)) {
    Serial.println("Connection failed. Halting execution.");
    while (1);
  }

  // Compare the broker certificate against the expected fingerprint and hostname
  if (client.verify(fingerprint, host)) {
    Serial.println("Connection secure.");
  } else {
    Serial.println("Connection insecure! Halting execution.");
    while (1);
  }

}

Debug Messages

Connecting to SHOPFLOOR2

connected with SHOPFLOOR2, channel 6
dhcp client start...
ip:10.228.54.79,mask:255.255.255.0,gw:10.228.54.1

WiFi connected
IP address: 
10.228.54.79
SPIFFSImpl: allocating 512+240+1400=2152 bytes
SPIFFSImpl: mounting fs @100000, size=2fb000, block=2000, page=100
SPIFFSImpl: mount rc=0
Success to open ca file
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		CAMqtt
Organization (O):		
Organizational Unit (OU):	IT
Location (L):			Zaragoza
Country (C):			ES
State (ST):			Zaragoza
Basic Constraints:		CA:TRUE, pathlen:10000
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		CAMqtt
Organization (O):		
Organizational Unit (OU):	IT
Location (L):			Zaragoza
Country (C):			ES
State (ST):			Zaragoza
Not Before:			Fri Mar 16 10:18:32 2018
Not After:			Mon Mar 13 10:18:32 2028
RSA bitsize:			2048
Sig Type:			SHA256
loaded
Connecting to ESZARASSRVIOT001.eu.net
[hostByName] request IP for: ESZARASSRVIOT001.eu.net
[hostByName] Host: ESZARASSRVIOT001.eu.net IP: 10.228.48.94

State:	sending Client Hello (1)
State:	receiving Server Hello (2)
State:	receiving Certificate (11)
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		ESZARASSRVIOT001.eu.net
Organization (O):		
Organizational Unit (OU):	IT
Location (L):			Zaragoza
Country (C):			ES
State (ST):			Zaragoza
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		CAMqtt
Organization (O):		
Organizational Unit (OU):	IT
Location (L):			Zaragoza
Country (C):			ES
State (ST):			Zaragoza
Not Before:			Fri Mar 16 10:21:45 2018
Not After:			Mon Mar 13 10:21:45 2028
RSA bitsize:			2048
Sig Type:			SHA256
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		CAMqtt
Organization (O):		
Organizational Unit (OU):	IT
Location (L):			Zaragoza
Country (C):			ES
State (ST):			Zaragoza
Basic Constraints:		CA:TRUE, pathlen:10000
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		CAMqtt
Organization (O):		
Organizational Unit (OU):	IT
Location (L):			Zaragoza
Country (C):			ES
State (ST):			Zaragoza
Not Before:			Fri Mar 16 10:18:32 2018
Not After:			Mon Mar 13 10:18:32 2028
RSA bitsize:			2048
Sig Type:			SHA256

State:	receiving Server Hello Done (14)
State:	sending Client Key Exchange (16)
State:	sending Finished (16)
State:	receiving Finished (16)
domain name: 'ESZARASSRVIOT001.eu.net
Connection secure.
SPIFFS_close: fd=1
:abort

Thanks in advance. I've tried everything, stuck with this for a week.
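The four openssl steps above, reworked as an added non-interactive script (constructed for this page; it is not the issue author's or the ESP8266 core's code). Besides the CA and broker certificate it also issues a client certificate, because `require_certificate true` in the posted mosquitto.conf makes the broker reject any TLS client that does not present one chaining to `cafile`, while the posted sketch loads only the CA certificate. It then writes the DER copy of the CA certificate that the sketch reads from SPIFFS and finishes with the two checks the broker and the ESP perform: chain validation against the CA and a hostname match on the broker certificate. Subject fields and the broker hostname come from the debug log; the client CN `wemos-d1-mini`, the output directory, the SAN/EKU extensions and the `2>/dev/null` redirections are assumptions.

```shell
#!/bin/sh
# Added example (constructed, not from the issue): non-interactive CA, broker and
# client certificates for mosquitto with require_certificate true, plus the DER
# copy of the CA certificate that the ESP8266 sketch loads from SPIFFS.
# Subject fields and hostname come from the issue's debug log; the client CN,
# output directory and the SAN/EKU extensions are assumptions.
set -e

# gen_mqtt_pki <outdir> [broker-hostname] [validity-days]
# Runs in a subshell so the cd does not leak into the caller.
gen_mqtt_pki() (
  outdir="${1:-.}"
  host="${2:-ESZARASSRVIOT001.eu.net}"
  days="${3:-3650}"
  subj="/C=ES/ST=Zaragoza/L=Zaragoza/OU=IT"
  mkdir -p "$outdir" && cd "$outdir"

  # 1) CA key and self-signed CA certificate (v3_ca => Basic Constraints CA:TRUE)
  openssl req -new -x509 -nodes -days "$days" -extensions v3_ca \
    -subj "$subj/CN=CAMqtt" -keyout mqtt_ca.key -out mqtt_ca.crt 2>/dev/null

  # 2) and 3) broker key and CSR; the CN must equal the name the ESP connects to
  openssl genrsa -out mqtt_server.key 2048 2>/dev/null
  openssl req -new -key mqtt_server.key -subj "$subj/CN=$host" -out mqtt_server.csr

  # 4) sign the broker CSR with the CA; a SAN is added so hostname checks that
  #    ignore the CN still pass
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > server.ext
  openssl x509 -req -in mqtt_server.csr -CA mqtt_ca.crt -CAkey mqtt_ca.key \
    -CAcreateserial -extfile server.ext -days "$days" -out mqtt_server.crt 2>/dev/null

  # 5) client key and certificate: with require_certificate true the broker
  #    disconnects any TLS client that presents no certificate chaining to cafile
  openssl genrsa -out mqtt_client.key 2048 2>/dev/null
  openssl req -new -key mqtt_client.key -subj "$subj/CN=wemos-d1-mini" -out mqtt_client.csr
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -in mqtt_client.csr -CA mqtt_ca.crt -CAkey mqtt_ca.key \
    -CAcreateserial -extfile client.ext -days "$days" -out mqtt_client.crt 2>/dev/null

  # 6) DER copy of the CA certificate for SPIFFS (the sketch opens /mqtt_caCert.der)
  openssl x509 -in mqtt_ca.crt -outform der -out mqtt_caCert.der

  # Same checks the broker and the ESP perform: both leaf certs chain to the CA,
  # and the broker certificate matches the hostname the client dials
  openssl verify -CAfile mqtt_ca.crt mqtt_server.crt mqtt_client.crt
  openssl verify -CAfile mqtt_ca.crt -verify_hostname "$host" mqtt_server.crt
)

# Usage: gen_mqtt_pki ./mqtt-pki ESZARASSRVIOT001.eu.net 3650
```

Copy `mqtt_ca.crt`, `mqtt_server.crt` and `mqtt_server.key` to the paths named in mosquitto.conf, upload `mqtt_caCert.der` to SPIFFS, and keep `mqtt_client.key` off the broker; the second `openssl verify` is the one to rerun whenever the broker hostname changes, since a CN/SAN mismatch fails on the client even when the chain is fine.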

devyte (Collaborator) commented May 29, 2018

BearSSL is merged in #4273 , with alternate BearSSL::WiFi* classes. Although axtls-based classes are still available and even the default, they are planned for deprecation and then retirement, hence won't be fixed. Any issues with BearSSL-based classes should be reported in new issues.
3rd-party libs should either be ported to use bearssl classes directly (would be good for early testing), or wait until the default is changed in our core from axtls to bearssl.
Closing.

devyte closed this as completed May 29, 2018

AminaOti commented Jan 10, 2020

Hi, did you find a solution to this? I have the same problem.
