eclipse / mosquitto

Eclipse Mosquitto - An open source MQTT broker
https://mosquitto.org

Bridge: Failing SSL handshake on one bridge disconnects other SSL bridges #1536

Open ckrey opened 4 years ago

ckrey commented 4 years ago

Situation:

A broker tries to connect to multiple other brokers via SSL bridges. If one bridge CONNECT fails (simulated in the example below by specifying a wrong CA), the broker disconnects other bridges too.

In some cases, openSSL issues errors because functions are not called correctly:

error:140E0197:SSL routines:SSL_shutdown:shutdown while in init error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call

Typical log sequence (br-centos-test2 fails and br-centos-test1 is disconnected too):

1576401899: OpenSSL Error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
1576401899: Socket error on client br-centos-test2, disconnecting.
1576401899: OpenSSL Error: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
1576401899: Socket error on client br-centos-test1, disconnecting.

full log: mosquitto.log

mosquitto.conf:

bind_address 0.0.0.0
port 1883
protocol mqtt
autosave_interval 60
max_inflight_messages 20
max_queued_messages 9000
persistence true
persistence_file mosquitto.db
persistence_location /home/ckrey/
log_dest file /home/ckrey/mosquitto.log
#log_dest stderr
#log_type debug
log_type error
log_type warning
log_type notice
#log_type information
log_type subscribe
log_type unsubscribe
#log_type all
connection_messages true
log_timestamp true

# Bridge to host1
connection br-host1
address test.mosquitto.org:8883
bridge_cafile /home/ckrey/mosquitto.org.crt
topic # in 0
bridge_protocol_version mqttv311
notifications true
remote_clientid br-centos-test1
local_clientid br-centos-test1
cleansession true
start_type automatic
try_private true

# Bridge to host2
connection br-host2
address test.mosquitto.org:8883
bridge_cafile /home/ckrey/letsencrypt.pem
topic testing/# in 0
bridge_protocol_version mqttv311
notifications true
remote_clientid br-centos-test2
local_clientid br-centos-test2
cleansession true
start_type automatic
try_private true
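
A pre-deployment check for the situation described above, added here as an example (not code from the mosquitto project or from this issue): it parses the bridge stanzas of a mosquitto.conf and attempts a TLS handshake for each bridge using that bridge's own bridge_cafile, so a CA mismatch such as the letsencrypt.pem one is reported per bridge, and a failure on one bridge cannot take the checks for the others down with it. SAMPLE_CONF is a constructed excerpt of the config above; parse_bridges and check_bridge are names chosen for this example.

```python
import socket
import ssl

# Constructed excerpt of the reporter's mosquitto.conf (bridge stanzas only).
SAMPLE_CONF = """
connection br-host1
address test.mosquitto.org:8883
bridge_cafile /home/ckrey/mosquitto.org.crt
topic # in 0
connection br-host2
address test.mosquitto.org:8883
bridge_cafile /home/ckrey/letsencrypt.pem
topic testing/# in 0
"""

def parse_bridges(conf_text):
    """Collect each 'connection' stanza's addresses (default port 1883) and CA file."""
    bridges = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # whole-line comments only; inline '#' is a topic wildcard
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "connection":
            bridges.append({"name": value, "addresses": [], "cafile": None})
        elif key in ("address", "addresses") and bridges:
            for hostport in value.split():
                host, _, port = hostport.partition(":")
                bridges[-1]["addresses"].append((host, int(port) if port else 1883))
        elif key == "bridge_cafile" and bridges:
            bridges[-1]["cafile"] = value
    return bridges

def check_bridge(bridge, timeout=5.0):
    """Handshake each address with this bridge's own CA; a failure on one address
    never aborts the rest. Returns (name, host, port, status) tuples."""
    results = []
    for host, port in bridge["addresses"]:
        if bridge["cafile"] is None:
            results.append((bridge["name"], host, port, "no bridge_cafile"))
            continue
        try:
            ctx = ssl.create_default_context(cafile=bridge["cafile"])
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results.append((bridge["name"], host, port, "ok " + tls.version()))
        except OSError as exc:  # ssl.SSLError, incl. certificate verify failures, is an OSError
            results.append((bridge["name"], host, port, f"failed: {exc}"))
    return results
```

Run `check_bridge(b)` for each `b` in `parse_bridges(open("mosquitto.conf").read())` and expect one "ok" or "failed:" entry per bridge address; with the config above, br-host2 should report a certificate verify failure while br-host1 still reports ok.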

ralight commented 4 years ago

error:140E0197:SSL routines:SSL_shutdown:shutdown while in init error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call

Those should be fixed now (this wasn't a critical error).

The other part... is frustrating. I'm still working on it.

michaeliu commented 4 years ago

Not sure if it is fixed or not by my new PR.