MQTT mutual auth demo "Failed to perform TLS handshake"

Hello forum users,

I need help with the demo example MQTT_Mutual_Auth using the Windows simulator. First I have to say that I ported the entire demo to compile with MinGW on Eclipse. Then I followed the instructions in “mqtt_broker_setup.txt” and generated all certificates. When testing these certificates with the Mosquitto broker, sub, pub and MQTT communication work fine! Now I have implemented the certificates in “demo_config.h” and tested with the demo. I am getting the following errors:

console output:

Attempting to open interface number 1.
Successfully opened interface number 1.
0 2530 [IP-Task]
vDHCPProcess: offer 192.168.1.104
vDHCPProcess: offer 192.168.1.104
1 2630 [IP-Task]
[INFO] [MQTTDemo] [vApplicationIPNetworkEventHook:206] ---------STARTING DEMO---------
2 2630 [IP-Task]
[INFO] [MQTTDemo] [vApplicationIPNetworkEventHook:215]
IP Address: 192.168.1.104
3 2630 [IP-Task]
[INFO] [MQTTDemo] [vApplicationIPNetworkEventHook:218] Subnet Mask: 255.255.255.0
4 2630 [IP-Task]
[INFO] [MQTTDemo] [vApplicationIPNetworkEventHook:221] Gateway Address: 192.168.1.1
5 2630 [IP-Task]
[INFO] [MQTTDemo] [vApplicationIPNetworkEventHook:224] DNS Server Address: 192.168.1.1
6 2632 [DemoTask]
[INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:662] Creating a TLS connection to 192.168.1.22:8883.
7 3334 [DemoTask]
[ERROR] [TlsTransport] [tlsHandshake:553] Failed to perform TLS handshake: mbedTLSError= X509 - Certificate verification failed, e.g. CRL, CA or signature check failed : .
8 3335 [DemoTask]
[WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:688] Connection to the broker failed. Retrying connection with backoff and jitter.
9 3783 [DemoTask]
[INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:662] Creating a TLS connection to 192.168.1.22:8883.
10 3933 [DemoTask]
[ERROR] [TlsTransport] [tlsHandshake:553] Failed to perform TLS handshake: mbedTLSError= X509 - Certificate verification failed, e.g. CRL, CA or signature check failed : .
11 3934 [DemoTask]
[WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:688] Connection to the broker failed. Retrying connection with backoff and jitter.
12 4203 [DemoTask]
[INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:662] Creating a TLS connection to 192.168.1.22:8883.
13 4333 [DemoTask]
[ERROR] [TlsTransport] [tlsHandshake:553] Failed to perform TLS handshake: mbedTLSError= X509 - Certificate verification failed, e.g. CRL, CA or signature check failed : .
14 4334 [DemoTask]
[WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:688] Connection to the broker failed. Retrying connection with backoff and jitter.
15 4761 [DemoTask]
[INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:662] Creating a TLS connection to 192.168.1.22:8883.
16 4934 [DemoTask]
[ERROR] [TlsTransport] [tlsHandshake:553] Failed to perform TLS handshake: mbedTLSError= X509 - Certificate verification failed, e.g. CRL, CA or signature check failed : .
17 4934 [DemoTask]
[WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:688] Connection to the broker failed. Retrying connection with backoff and jitter.
18 6646 [DemoTask]
[INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:662] Creating a TLS connection to 192.168.1.22:8883.
19 6833 [DemoTask]
[ERROR] [TlsTransport] [tlsHandshake:553] Failed to perform TLS handshake: mbedTLSError= X509 - Certificate verification failed, e.g. CRL, CA or signature check failed : .
20 6833 [DemoTask]
[WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:688] Connection to the broker failed. Retrying connection with backoff and jitter.
21 11136 [DemoTask]
[INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:662] Creating a TLS connection to 192.168.1.22:8883.
vAssertCalled( …\DemoTasks\MutualAuthMQTTExample.c, 538

mosquitto broker:
1641149747: mosquitto version 2.0.14 starting
1641149747: Config loaded from mosquittoFREERTOS.conf.
1641149747: Opening ipv6 listen socket on port 8883.
1641149747: Opening ipv4 listen socket on port 8883.
1641149747: mosquitto version 2.0.14 running
1641149777: New connection from 192.168.1.104:14084 on port 8883.
1641149777: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1641149777: Client disconnected: protocol error.
1641149777: New connection from 192.168.1.104:11234 on port 8883.
1641149777: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1641149777: Client disconnected: protocol error.
1641149777: New connection from 192.168.1.104:18893 on port 8883.
1641149777: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1641149777: Client disconnected: protocol error.
1641149778: New connection from 192.168.1.104:14054 on port 8883.
1641149778: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1641149778: Client disconnected: protocol error.
1641149780: New connection from 192.168.1.104:21578 on port 8883.
1641149781: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1641149781: Client disconnected: protocol error.
1641149782: New connection from 192.168.1.104:31607 on port 8883.
1641149782: OpenSSL Error[0]: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
1641149782: Client disconnected: protocol error.

Can you please suggest in which direction to proceed to overcome this issue?

rum

When testing these certificates with Mosquitto broker, sub, pub, mqtt communication works fine!

What were you using as the client when the connection was successful? The MQTT mutual auth demo, or something else entirely?

Now I have implemented certificates into “demo_config.h” and tested with demo. I am getting following errors

It could just be the format of the certificate - how did you convert it for inclusion into the header file?

NOTE: Adding certificates into the header file is for evaluation convenience only. Don’t use real production certificates in this way - they should be stored securely in something like a secure element or enclave.

  1. as a client I was using mosquitto_sub.exe, mosquitto_pub.exe

  2. I have simply followed the example in “demo_config.h”; here is a fraction of what I use

#define democonfigROOT_CA_PEM
"-----BEGIN CERTIFICATE-----\n"
"MIID6TCCAtGgAwIBAgIUaWlQIcncLfgb3t0VSd3wXOPDZDEwDQYJKoZIhvcNAQEL\n"


"-----END CERTIFICATE-----\n"

there is also a backslash (line continuation) at the end of each line (it does not show in the post)
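An added example (mine, not from the thread or the FreeRTOS demo) that converts a PEM file into the demo_config.h string-literal layout and round-trips it back, so you can confirm the header reproduces the PEM byte for byte before mbedTLS sees it; the macro name and the placeholder certificate body are constructed.

```python
import re

# Constructed placeholder PEM for demonstration; the base64 body is not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDc0NzdHJ1Y3RlZCBwbGFjZWhvbGRlciBib2R5IGxpbmUgb25lAAAAAAAAAAAA\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgbGluZSB0d28=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_c_define(macro_name, pem):
    """Emit a #define holding the PEM as adjacent C string literals.

    Each PEM line becomes one literal ending in "\\n" followed by a backslash
    continuation, which is the layout demo_config.h uses. A missing "\\n" or a
    dropped line is a typical cause of "Format not recognized as DER or PEM".
    """
    lines = pem.strip().splitlines()
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("input is not a single PEM block")
    out = [f"#define {macro_name} \\"]
    out += [f'    "{line}\\n" \\' for line in lines]
    out[-1] = out[-1][:-2]  # no continuation after the last literal
    return "\n".join(out) + "\n"


def c_define_to_pem(header_text):
    """Round-trip check: concatenate the string literals and unescape \\n."""
    literals = re.findall(r'"((?:[^"\\]|\\.)*)"', header_text)
    return "".join(literals).replace("\\n", "\n")


def mbedtls_pem_buflen(pem):
    """Length to hand to mbedtls_x509_crt_parse for a PEM buffer.

    mbedTLS treats the input as PEM only when the last byte is a NUL, so the
    terminator must be counted; sizeof() on the macro's string literal does that.
    """
    return len(pem.encode()) + 1
```
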

Curious as you have already shown the certificates to be valid.

So I can familiarize myself with the files - is this the demo you are using https://freertos.org/mqtt/mutual-authentication-mqtt-example.html, which is for this build project (before you converted to MingW): https://github.com/FreeRTOS/FreeRTOS/tree/main/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth

Exactly this demo application.

Note:
I debug this application running in virtual machine. Mosquitto broker is running on host machine.

Well it looks like I messed up the formatting even if you didn’t :grinning: - so far I have this error:

7 2022 [DemoTask] [ERROR] [TlsTransport] [setRootCa:263] Failed to parse server root CA certificate: mbedTLSError= X509 - Format not recognized as DER or PEM : <No-Low-Level-Code>.
8 2022 [DemoTask] [WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:689] Connection to the broker failed. Retrying connection with backoff and jitter.
9 2382 [DemoTask] [INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:664] Creating a TLS connection to 192.168.0.100:8883.

After regenerating all the keys I get:

13 4601 [DemoTask] [ERROR] [TlsTransport] [tlsHandshake:552] Failed to perform TLS handshake: mbedTLSError= SSL - A fatal alert message was received from our peer : <No-Low-Level-Code>.
14 4601 [DemoTask] [WARN] [MQTTDemo] [prvConnectToServerWithBackoffRetries:689] Connection to the broker failed. Retrying connection with backoff and jitter.
15 6306 [DemoTask] [INFO] [MQTTDemo] [prvConnectToServerWithBackoffRetries:664] Creating a TLS connection to 192.168.0.100:8883.

and on the server side:

1641160618: mosquitto version 1.4.11 (build date 20/02/2017 23:24:29.40) starting
1641160618: Config loaded from mosquitto.conf.
1641160618: Opening ipv6 listen socket on port 8883.
1641160618: Opening ipv4 listen socket on port 8883.
1641160631: New connection from 192.168.0.27 on port 8883.
1641160632: OpenSSL Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
1641160632: Socket error on client <unknown>, disconnecting.
1641160633: New connection from 192.168.0.27 on port 8883.
1641160633: OpenSSL Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
1641160633: Socket error on client <unknown>, disconnecting.

so a bit different to yours. I’ve not verified I can connect to the broker using the mosquitto clients yet though…

…getting the same error message from the broker when I try connecting from mqtt.fx too.

Thank you, Richard, for trying to help me out. Yes, your errors are different, but they are in the handshake mechanism, the same as in my case. I wonder how to enable the printout of detailed debug messages from mbedtls?

I included
#include "debug.h"

then called
mbedtls_debug_set_threshold(level);

then I need to provide a “user” function through “mbedtls_ssl_conf_dbg”, but I can’t find any example of how to map it to the FreeRTOS vLoggingPrintf.

My next step is to create a successful connection from a third party tool before I do so from the FreeRTOS application. I’ve not used mosquitto_sub.exe and mosquitto_pub.exe before but will look into doing so - I normally use mqtt.fx. In the meantime there will be more people in the office today after the new year so I will also ask someone else to try the same.

Here is my status. I regenerated the certificates again. It is not clear to me what I should use for “Common Name”, though. In all three certificates I specify a different value.
The Mosquitto broker is running on the host PC, mosquitto_pub on the virtual machine (client name is ULSc-board). Publish is successful; on the broker I get:
(screenshot of broker output)

for “pub” I use the switch --insecure; if I remove this switch and repeat the “pub” operation, I get on the broker:
(screenshot of broker output)

in the broker configuration these are commented out:
#tls_version tlsv1.2
#require_certificate true

next I put the certificates into the demo application and on the broker I get
(screenshot of broker output)

on the debug console I get

I am not sure how to proceed from this point…
How to make this demo work?

Hi @rum ,

Can you check if democonfigDISABLE_SNI in your project is set to pdTRUE? For a local Mosquitto server, this option needs to be set to pdTRUE to disable the SNI check. Otherwise the TLS handshake will fail to verify the certificate.

I set

#define democonfigDISABLE_SNI ( pdTRUE )

and demo application WORKS!!!

I read the text accompanying this define many times and did not realize that setting it to true actually disables the option.

Thank you tianmc1