Bridge brokers using TLS with IP - problem

[piotrszczypta-a4bee]

Hello, I want to describe a problem which is when I am using Bridge brokers TLS protected and define address another broker by IP. Two brokers working as docker services.

Problem is only when that 3 points are in the same moment:

• connect to mqtt broker by bridge brokers
• using TLS
• using IP

I added IP to TLS certificate main broker and CN on client broker and excluded every situation that could be suspicious.

So when it works:

• connect to mqtt broker by bridge brokers using DNS with TLS
• connect to mqtt broker by bridge brokers using IP without TLS
• connect to mqtt broker by another client (mqtt-explorer, node-red mqtt client) using IP with TLS

Also it didn't work when 2 brokers were on the same machine.

Logs what I have on client broker: Logs what I have on main broker:

The config what I am using on client broker:

It seems to be a bug probably.

Thanks!

[ralight]

An important part of using certificates is to verify that the subject of the certificate matches the hostname you are connecting to. If they don't match, the connection should not succeed. I imagine that your certificate does not have 10.10.15.158 as its subject, but a hostname instead - this is why it works with the hostname.

There are two solutions. The best one is to add the IP address to your certificate as an IPv4 subjectAltName address, along side a subjectAltName hostname. That allows your certificate to match against either the address or the hostname.

If that route isn't available, then you can set bridge_insecure true for your bridge, and the hostname/IP will not be checked. Note that in this case, you may not get protection against man in the middle attacks, so it is not recommended.

[piotrszczypta-a4bee]

Hello, thanks for the answer, but as I mentioned I added my IP to server certificate. When I check cert using

openssl x509 -in broker-1.pem -purpose -noout -text

Fragment about DNS and IP I am using looks like this:

        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:my-host.domain.lan, DNS:mqttbroker, DNS:my-host, IP Address:10.10.15.158

(I am using multi-domains). Also I triple check that, there is no problem when I am using the same client certificates in another MQTT Clients (Mqtt explorer, node-red mqtt client using IP when I am connecting).

Tryied the same scenario on complitelly another machine and is exactly the same. Problem only occurs in mqtt bridge connections.

But like you suggested I wanted to try bridge_insecure true option, but the strange part is that, it also didn't work (the same behavior on output).

[ralight]

Ah, sorry, I clearly didn't read your first post properly. I'll see if I can reproduce this.

[ralight]

I've tried to reproduce this using a certificates generated using https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh

I used a broker config like this:

allow_anonymous true

listener 8883
log_type all

certfile server.crt
keyfile server.key

And the bridge config:

listener 1884

connection ip
address 127.0.0.1:8883
bridge_cafile ca.crt
topic asdf in
log_type all

I started the broker then the bridge, and everything worked just fine.

Could you try the same and see if it works for you?

[gabrielfaleiro]

Hi @ralight. I see a similar connection problem. In your test, if you use invalid certificates (invalid CN in the server certificate), by adding the bridge_insecure true I'm not removing the error in the connection.

I'm seeing the folloing error: OpenSSL Error[0]: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed

The log does not change no matter what value we set on bridge_insecure

Thanks in advance for your time!

[gabrielfaleiro]

BTW, I'm using mosquitto version 2.0.18