espressif / ESP8266_RTOS_SDK

Latest ESP8266 SDK based on FreeRTOS, esp-idf style.

Problem with MQTT SSL mutual authentication (GIT8266O-331) #769

Open orakso opened 4 years ago

orakso commented 4 years ago

Environment

Problem Description

I have problem connecting esp8266 with RabbitMQ mqtt broker over ssl with mutual auth.

I have 3 files with certificates in PEM format:

ca_certificate.pem: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- , client_certificate.pem: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- , private_key.pem: -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----

I'm using 'ssl_mutual_auth' example from ESP8266_RTOS_SDK.

MQTT without ssl is working. MQTT with ssl (in this case I use only ca_certificate) - not mutual, is also working.

MQTT with ssl and mutual authentication is not working. The broker is configured correctly for sure. I receive the 'esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x50' error during the connection attempt. It seems that memory is not a problem.

What is the problem? What am I doing wrong?

Code to reproduce this issue

include

include

include

include

include "esp_wifi.h"

include "esp_system.h"

include "nvs_flash.h"

include "esp_event_loop.h"

include "freertos/FreeRTOS.h"

include "freertos/task.h"

include "freertos/semphr.h"

include "freertos/queue.h"

include "freertos/event_groups.h"

include "lwip/sockets.h"

include "lwip/dns.h"

include "lwip/netdb.h"

include "esp_log.h"

include "mqtt_client.h"

/* Log tag shared by every ESP_LOG* call in this file. */
static const char *TAG = "MQTTS_EXAMPLE";

/* Signalled from wifi_event_handler() once the station has an IP address;
 * wifi_init() blocks on CONNECTED_BIT before returning. */
static EventGroupHandle_t wifi_event_group;
static const int CONNECTED_BIT = BIT0;

/*
 * PEM blobs embedded into the application image by the build system and
 * exported as _binary_<file>_start / _binary_<file>_end symbols.
 *
 *  - ca_certificate.pem     : CA used to verify the broker's certificate
 *  - client_certificate.pem : the device's own certificate (mutual TLS)
 *  - private_key.pem        : the key matching client_certificate.pem
 *
 * Because the private key is linked into the firmware, a copy of the flash
 * image is a copy of the client credential.
 */
extern const uint8_t ca_certificate_pem_start[]     asm("_binary_ca_certificate_pem_start");
extern const uint8_t ca_certificate_pem_end[]       asm("_binary_ca_certificate_pem_end");
extern const uint8_t client_certificate_pem_start[] asm("_binary_client_certificate_pem_start");
extern const uint8_t client_certificate_pem_end[]   asm("_binary_client_certificate_pem_end");
extern const uint8_t private_key_pem_start[]        asm("_binary_private_key_pem_start");
extern const uint8_t private_key_pem_end[]          asm("_binary_private_key_pem_end");

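/*
 * Wi-Fi / TCP-IP event callback registered via esp_event_loop_init().
 *
 * The listing as pasted had lost the pointer declarators on both parameters
 * ("void ctx, system_event_t event") and the comment delimiters, which does
 * not compile; this is the original esp-idf signature.
 *
 * @param ctx    user context given at registration (NULL in wifi_init; unused)
 * @param event  the event being delivered
 * @return ESP_OK always; failures of the esp_wifi_* calls are not propagated
 */
static esp_err_t wifi_event_handler(void *ctx, system_event_t *event)
{
    (void)ctx;
    /* For accessing reason codes in case of disconnection */
    system_event_info_t *info = &event->event_info;

    switch (event->event_id) {
    case SYSTEM_EVENT_STA_START:
        esp_wifi_connect();
        break;
    case SYSTEM_EVENT_STA_GOT_IP:
        /* Unblocks the xEventGroupWaitBits() in wifi_init(). */
        xEventGroupSetBits(wifi_event_group, CONNECTED_BIT);
        break;
    case SYSTEM_EVENT_STA_DISCONNECTED:
        ESP_LOGE(TAG, "Disconnect reason : %d", info->disconnected.reason);
        if (info->disconnected.reason == WIFI_REASON_BASIC_RATE_NOT_SUPPORT) {
            /* Switch to 802.11 bgn mode */
            esp_wifi_set_protocol(ESP_IF_WIFI_STA,
                                  WIFI_PROTOCAL_11B | WIFI_PROTOCAL_11G | WIFI_PROTOCAL_11N);
        }
        /* Reconnect unconditionally; the bit is cleared so waiters see the drop. */
        esp_wifi_connect();
        xEventGroupClearBits(wifi_event_group, CONNECTED_BIT);
        break;
    default:
        break;
    }
    return ESP_OK;
}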

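/*
 * Bring up the Wi-Fi station and block until it has obtained an IP address.
 *
 * SSID and password come from the project configuration (CONFIG_WIFI_SSID /
 * CONFIG_WIFI_PASSWORD) and are therefore compiled into the image. Every SDK
 * call returning esp_err_t is wrapped in ESP_ERROR_CHECK, so a failure aborts
 * rather than continuing with a half-initialised stack.
 */
static void wifi_init(void)
{
    tcpip_adapter_init();

    wifi_event_group = xEventGroupCreate();
    /* xEventGroupCreate() returns NULL when it cannot allocate; the original
     * code would have handed that NULL to xEventGroupWaitBits() below. */
    ESP_ERROR_CHECK(wifi_event_group != NULL ? ESP_OK : ESP_ERR_NO_MEM);

    ESP_ERROR_CHECK(esp_event_loop_init(wifi_event_handler, NULL));

    wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
    ESP_ERROR_CHECK(esp_wifi_init(&cfg));
    ESP_ERROR_CHECK(esp_wifi_set_storage(WIFI_STORAGE_RAM));

    wifi_config_t wifi_config = {
        .sta = {
            .ssid = CONFIG_WIFI_SSID,
            .password = CONFIG_WIFI_PASSWORD,
        },
    };
    ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA));
    ESP_ERROR_CHECK(esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config));

    ESP_LOGI(TAG, "start the WIFI SSID:[%s]", CONFIG_WIFI_SSID);
    ESP_ERROR_CHECK(esp_wifi_start());

    ESP_LOGI(TAG, "Waiting for wifi");
    /* pdFALSE: leave CONNECTED_BIT set on return; pdTRUE: wait for all
     * requested bits (there is only one). Blocks forever if Wi-Fi never comes up. */
    xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT, pdFALSE, pdTRUE, portMAX_DELAY);
}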

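/*
 * esp-mqtt event callback (esp_mqtt_client_config_t.event_handle).
 *
 * On connect it subscribes to three topics and immediately unsubscribes from
 * one of them; on every SUBSCRIBED event it publishes a fixed payload; DATA
 * events are printed with their lengths bounded by topic_len / data_len, so
 * broker-supplied bytes are never treated as NUL-terminated strings.
 *
 * @param event  the event being delivered
 * @return ESP_OK always
 */
static esp_err_t mqtt_event_handler(esp_mqtt_event_handle_t event)
{
    esp_mqtt_client_handle_t client = event->client;
    int msg_id;

    switch (event->event_id) {
    case MQTT_EVENT_CONNECTED:
        ESP_LOGI(TAG, "MQTT_EVENT_CONNECTED");
        msg_id = esp_mqtt_client_subscribe(client, "/topic/qos0", 0);
        ESP_LOGI(TAG, "sent subscribe successful, msg_id=%d", msg_id);

        msg_id = esp_mqtt_client_subscribe(client, "/topic/qos1", 1);
        ESP_LOGI(TAG, "sent subscribe successful, msg_id=%d", msg_id);

        msg_id = esp_mqtt_client_subscribe(client, "topic.test", 2);
        ESP_LOGI(TAG, "sent subscribe successful, msg_id=%d", msg_id);

        msg_id = esp_mqtt_client_unsubscribe(client, "/topic/qos1");
        ESP_LOGI(TAG, "sent unsubscribe successful, msg_id=%d", msg_id);
        break;
    case MQTT_EVENT_DISCONNECTED:
        ESP_LOGI(TAG, "MQTT_EVENT_DISCONNECTED");
        break;
    case MQTT_EVENT_SUBSCRIBED:
        ESP_LOGI(TAG, "MQTT_EVENT_SUBSCRIBED, msg_id=%d", event->msg_id);
        /* NOTE(review): the stock example publishes to a literal topic here;
         * event->topic is only known to be populated for DATA events, so
         * confirm it is non-NULL for SUBSCRIBED before relying on this. */
        msg_id = esp_mqtt_client_publish(client, event->topic, "data", 0, 0, 0);
        ESP_LOGI(TAG, "sent publish successful, msg_id=%d", msg_id);
        break;
    case MQTT_EVENT_UNSUBSCRIBED:
        ESP_LOGI(TAG, "MQTT_EVENT_UNSUBSCRIBED, msg_id=%d", event->msg_id);
        break;
    case MQTT_EVENT_PUBLISHED:
        ESP_LOGI(TAG, "MQTT_EVENT_PUBLISHED, msg_id=%d", event->msg_id);
        break;
    case MQTT_EVENT_DATA:
        ESP_LOGI(TAG, "MQTT_EVENT_DATA");
        /* %.*s bounds the print to the length the library reports. */
        printf("TOPIC=%.*s\r\n", event->topic_len, event->topic);
        printf("DATA=%.*s\r\n", event->data_len, event->data);
        break;
    case MQTT_EVENT_ERROR:
        ESP_LOGI(TAG, "MQTT_EVENT_ERROR");
        break;
    default:
        /* The switch previously had no default; other event ids (e.g. ones added
         * in newer library versions) are deliberately ignored. */
        break;
    }
    return ESP_OK;
}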

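/*
 * Configure and start the MQTT-over-TLS client, then publish "hello" to
 * "topic.test" every 10 s forever (this function does not return on success).
 *
 * Credential handling:
 *  - cert_pem is the CA that verifies the broker; the attached log prints
 *    "Certificate verified" from esp-tls, so verification is active.
 *  - client_cert_pem / client_key_pem are the device identity for mutual TLS.
 *    Like the username/password literals below they are compiled into the
 *    firmware, so a copy of the flash image is a copy of the credentials.
 *
 * NOTE(review): the attached log shows ssl->f_send() failing with -0x50
 * (MBEDTLS_ERR_NET_CONN_RESET, i.e. the peer closed the connection) while in
 * "write certificate verify", several seconds after the previous handshake
 * step, and a later comment reports the same setup working once the client
 * key was 2048-bit instead of 4096-bit. That is consistent with the client's
 * RSA signature taking longer than the broker's handshake timeout, but it is
 * not confirmed here.
 */
static void mqtt_app_start(void)
{
    const esp_mqtt_client_config_t mqtt_cfg = {
        .uri = "mqtts://server_adres",
        .port = 8883,
        .username = "device_nr",
        .password = "device_pass",
        .event_handle = mqtt_event_handler,
        .cert_pem = (const char *)ca_certificate_pem_start,
        /* The pasted listing referenced "client_certificate_pem", which is not a
         * declared symbol; the embedded blob is client_certificate_pem_start. */
        .client_cert_pem = (const char *)client_certificate_pem_start,
        .client_key_pem = (const char *)private_key_pem_start,
    };

    ESP_LOGI(TAG, "[APP] Free memory: %u bytes", esp_get_free_heap_size());

    esp_mqtt_client_handle_t client = esp_mqtt_client_init(&mqtt_cfg);
    if (client == NULL) {
        /* Init returns NULL on allocation or configuration failure; the
         * original code would have passed that NULL to the publish loop. */
        ESP_LOGE(TAG, "esp_mqtt_client_init failed");
        return;
    }

    esp_err_t err = esp_mqtt_client_start(client);
    if (err != ESP_OK) {
        ESP_LOGE(TAG, "esp_mqtt_client_start failed: %d", err);
        esp_mqtt_client_destroy(client);
        return;
    }

    while (1) {
        esp_mqtt_client_publish(client, "topic.test", "hello", 0, 0, 0);
        vTaskDelay(10000 / portTICK_RATE_MS);
    }
}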

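/*
 * Firmware entry point: log startup information, raise the MQTT/transport
 * log verbosity, initialise NVS and Wi-Fi, then hand off to mqtt_app_start()
 * (which loops forever).
 */
void app_main(void)
{
    ESP_LOGI(TAG, "[APP] Startup..");
    /* esp_get_free_heap_size() returns an unsigned value; print it as such. */
    ESP_LOGI(TAG, "[APP] Free memory: %u bytes", esp_get_free_heap_size());
    ESP_LOGI(TAG, "[APP] IDF version: %s", esp_get_idf_version());

    esp_log_level_set("*", ESP_LOG_INFO);
    esp_log_level_set("MQTT_CLIENT", ESP_LOG_VERBOSE);
    esp_log_level_set("TRANSPORT_TCP", ESP_LOG_VERBOSE);
    esp_log_level_set("TRANSPORT_SSL", ESP_LOG_VERBOSE);
    esp_log_level_set("TRANSPORT", ESP_LOG_VERBOSE);
    esp_log_level_set("OUTBOX", ESP_LOG_VERBOSE);

    /* The original call ignored the result of nvs_flash_init(). A partition
     * with no free pages is recoverable by erasing it once; anything else is
     * fatal, and ESP_ERROR_CHECK aborts instead of starting Wi-Fi on top of
     * an unusable NVS. */
    esp_err_t err = nvs_flash_init();
    if (err == ESP_ERR_NVS_NO_FREE_PAGES) {
        ESP_ERROR_CHECK(nvs_flash_erase());
        err = nvs_flash_init();
    }
    ESP_ERROR_CHECK(err);

    wifi_init();
    mqtt_app_start();
}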

Debug Logs

ets Jan 8 2013,rst cause:1, boot mode:(3,0)

load 0x40100000, len 7188, room 16 tail 4 chksum 0xbe load 0x3ffe8408, len 24, room 4 tail 4 chksum 0x07 load 0x3ffe8420, len 3544, room 4 tail 4 chksum 0x19 I (43) boot: ESP-IDF v3.2-283-geb9c3276 2nd stage bootloader I (44) boot: compile time 02:11:05 I (44) boot: SPI Speed : 40MHz I (50) boot: SPI Mode : DOUT I (56) boot: SPI Flash Size : 1MB I (62) boot: Partition Table: I (68) boot: ## Label Usage Type ST Offset Length I (79) boot: 0 nvs WiFi data 01 02 00009000 00006000 I (91) boot: 1 phy_init RF data 01 01 0000f000 00001000 I (102) boot: 2 factory factory app 00 00 00010000 000f0000 I (114) boot: End of partition table I (120) esp_image: segment 0: paddr=0x00010010 vaddr=0x40210010 size=0x65b3c (4165 72) map 0x40210010: _stext at ??:?

I (316) esp_image: segment 1: paddr=0x00075b54 vaddr=0x40275b4c size=0x131a4 ( 782 44) map I (351) esp_image: segment 2: paddr=0x00088d00 vaddr=0x3ffe8000 size=0x005f0 ( 15 20) load I (352) esp_image: segment 3: paddr=0x000892f8 vaddr=0x40100000 size=0x00a50 ( 26 40) load I (363) esp_image: segment 4: paddr=0x00089d50 vaddr=0x40100a50 size=0x0575c ( 223 64) load I (385) boot: Loaded app from partition at offset 0x10000 I (425) system_api: Base MAC address is not set, read default base MAC address fro m EFUSE I (433) system_api: Base MAC address is not set, read default base MAC address fro m EFUSE phy_version: 1155.0, 6cb3053, Nov 11 2019, 17:31:08, RTOS new I (494) phy_init: phy ver: 1155_0 I (497) reset_reason: RTC reset 1 wakeup 0 store 0, reason is 1 I (499) MQTTS_EXAMPLE: [APP] Startup.. I (504) MQTTS_EXAMPLE: [APP] Free memory: 97872 bytes I (513) MQTTS_EXAMPLE: [APP] IDF version: v3.2-283-geb9c3276 I (545) MQTTS_EXAMPLE: start the WIFI SSID:[9543apu2] I (549) MQTTS_EXAMPLE: Waiting for wifi I (3212) wifi: state: 0 -> 2 (b0) I (3216) wifi: state: 2 -> 3 (0) I (3242) wifi: state: 3 -> 5 (10) I (3245) wifi: pm start, type: 2 I (4265) event: sta ip: 192.168.43.173, mask: 255.255.255.0, gw: 192.168.43.1 I (4270) MQTTS_EXAMPLE: [APP] Free memory: 70456 bytes I (4274) system_api: Base MAC address is not set, read default base MAC address fr om EFUSE I (4628) mbedtls: ssl_tls.c:8084 => handshake

I (4632) mbedtls: ssl_cli.c:3510 client state: 0

I (4635) mbedtls: ssl_tls.c:2755 => flush output

I (4639) mbedtls: ssl_tls.c:2767 <= flush output

I (4648) mbedtls: ssl_cli.c:3510 client state: 1

I (4656) mbedtls: ssl_tls.c:2755 => flush output

I (4664) mbedtls: ssl_tls.c:2767 <= flush output

I (4673) mbedtls: ssl_cli.c:774 => write client hello

I (4704) mbedtls: ssl_tls.c:3184 => write handshake message

I (4712) mbedtls: ssl_tls.c:3343 => write record

I (4738) mbedtls: ssl_tls.c:2755 => flush output

I (4742) mbedtls: ssl_tls.c:2774 message length: 254, out_left: 254

I (4751) mbedtls: ssl_tls.c:2779 ssl->f_send() returned 254 (-0xffffff02)

I (4756) mbedtls: ssl_tls.c:2807 <= flush output

I (4764) mbedtls: ssl_tls.c:3476 <= write record

I (4772) mbedtls: ssl_tls.c:3320 <= write handshake message

I (4782) mbedtls: ssl_cli.c:1106 <= write client hello

I (4791) mbedtls: ssl_cli.c:3510 client state: 2

I (4799) mbedtls: ssl_tls.c:2755 => flush output

I (4808) mbedtls: ssl_tls.c:2767 <= flush output

I (4816) mbedtls: ssl_cli.c:1499 => parse server hello

I (4826) mbedtls: ssl_tls.c:4311 => read record

I (4836) mbedtls: ssl_tls.c:2536 => fetch input

I (4842) mbedtls: ssl_tls.c:2697 in_left: 0, nb_want: 5

I (4852) mbedtls: ssl_tls.c:2721 in_left: 0, nb_want: 5

I (4861) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (4874) mbedtls: ssl_tls.c:2742 <= fetch input

I (4883) mbedtls: ssl_tls.c:2536 => fetch input

I (4890) mbedtls: ssl_tls.c:2697 in_left: 5, nb_want: 92

I (4900) mbedtls: ssl_tls.c:2721 in_left: 5, nb_want: 92

I (4909) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 87 (-0xffffffa9)

I (4922) mbedtls: ssl_tls.c:2742 <= fetch input

I (4941) mbedtls: ssl_tls.c:4385 <= read record

I (4953) mbedtls: ssl_cli.c:1789 server hello, total extension length: 11

I (4958) mbedtls: ssl_cli.c:1978 <= parse server hello

I (4962) mbedtls: ssl_cli.c:3510 client state: 3

I (4970) mbedtls: ssl_tls.c:2755 => flush output

I (4978) mbedtls: ssl_tls.c:2767 <= flush output

I (4986) mbedtls: ssl_tls.c:5655 => parse certificate

I (4996) mbedtls: ssl_tls.c:4311 => read record

I (5004) mbedtls: ssl_tls.c:2536 => fetch input

I (5012) mbedtls: ssl_tls.c:2697 in_left: 0, nb_want: 5

I (5022) mbedtls: ssl_tls.c:2721 in_left: 0, nb_want: 5

I (5031) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (5044) mbedtls: ssl_tls.c:2742 <= fetch input

I (5053) mbedtls: ssl_tls.c:2536 => fetch input

I (5060) mbedtls: ssl_tls.c:2697 in_left: 5, nb_want: 1481

I (5073) mbedtls: ssl_tls.c:2721 in_left: 5, nb_want: 1481

I (5080) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 1476 (-0xfffffa3c)

I (5093) mbedtls: ssl_tls.c:2742 <= fetch input

I (5233) mbedtls: ssl_tls.c:4385 <= read record

I (5424) mbedtls: ssl_tls.c:5863 <= parse certificate

I (5428) mbedtls: ssl_cli.c:3510 client state: 4

I (5432) mbedtls: ssl_tls.c:2755 => flush output

I (5437) mbedtls: ssl_tls.c:2767 <= flush output

I (5445) mbedtls: ssl_cli.c:2336 => parse server key exchange

I (5456) mbedtls: ssl_tls.c:4311 => read record

I (5464) mbedtls: ssl_tls.c:2536 => fetch input

I (5472) mbedtls: ssl_tls.c:2697 in_left: 0, nb_want: 5

I (5482) mbedtls: ssl_tls.c:2721 in_left: 0, nb_want: 5

I (5491) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (5503) mbedtls: ssl_tls.c:2742 <= fetch input

I (5513) mbedtls: ssl_tls.c:2536 => fetch input

I (5522) mbedtls: ssl_tls.c:2697 in_left: 5, nb_want: 406

I (5530) mbedtls: ssl_tls.c:2721 in_left: 5, nb_want: 406

I (5540) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 401 (-0xfffffe6f)

I (5553) mbedtls: ssl_tls.c:2742 <= fetch input

I (5596) mbedtls: ssl_tls.c:4385 <= read record

I (5634) mbedtls: ssl_cli.c:2044 ECDH curve: secp521r1

I (5648) mbedtls: ssl_cli.c:2278 Server used SignatureAlgorithm 1

I (5653) mbedtls: ssl_cli.c:2279 Server used HashAlgorithm 6

I (5820) mbedtls: ssl_cli.c:2664 <= parse server key exchange

I (5825) mbedtls: ssl_cli.c:3510 client state: 5

I (5828) mbedtls: ssl_tls.c:2755 => flush output

I (5834) mbedtls: ssl_tls.c:2767 <= flush output

I (5843) mbedtls: ssl_cli.c:2697 => parse certificate request

I (5853) mbedtls: ssl_tls.c:4311 => read record

I (5861) mbedtls: ssl_tls.c:2536 => fetch input

I (5869) mbedtls: ssl_tls.c:2697 in_left: 0, nb_want: 5

I (5879) mbedtls: ssl_tls.c:2721 in_left: 0, nb_want: 5

I (5888) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (5901) mbedtls: ssl_tls.c:2742 <= fetch input

I (5910) mbedtls: ssl_tls.c:2536 => fetch input

I (5917) mbedtls: ssl_tls.c:2697 in_left: 5, nb_want: 59

I (5927) mbedtls: ssl_tls.c:2721 in_left: 5, nb_want: 59

I (5936) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 54 (-0xffffffca)

I (5949) mbedtls: ssl_tls.c:2742 <= fetch input

I (5963) mbedtls: ssl_tls.c:4385 <= read record

I (5969) mbedtls: ssl_cli.c:2846 <= parse certificate request

I (5976) mbedtls: ssl_cli.c:3510 client state: 6

I (5984) mbedtls: ssl_tls.c:2755 => flush output

I (5993) mbedtls: ssl_tls.c:2767 <= flush output

I (6001) mbedtls: ssl_cli.c:2856 => parse server hello done

I (6011) mbedtls: ssl_tls.c:4311 => read record

I (6019) mbedtls: ssl_tls.c:2536 => fetch input

I (6027) mbedtls: ssl_tls.c:2697 in_left: 0, nb_want: 5

I (6037) mbedtls: ssl_tls.c:2721 in_left: 0, nb_want: 5

I (6046) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)

I (6059) mbedtls: ssl_tls.c:2742 <= fetch input

I (6068) mbedtls: ssl_tls.c:2536 => fetch input

I (6076) mbedtls: ssl_tls.c:2697 in_left: 5, nb_want: 9

I (6085) mbedtls: ssl_tls.c:2721 in_left: 5, nb_want: 9

I (6094) mbedtls: ssl_tls.c:2722 ssl->f_recv(_timeout)() returned 4 (-0xfffffffc)

I (6107) mbedtls: ssl_tls.c:2742 <= fetch input

I (6117) mbedtls: ssl_tls.c:4385 <= read record

I (6124) mbedtls: ssl_cli.c:2886 <= parse server hello done

I (6134) mbedtls: ssl_cli.c:3510 client state: 7

I (6142) mbedtls: ssl_tls.c:2755 => flush output

I (6150) mbedtls: ssl_tls.c:2767 <= flush output

I (6159) mbedtls: ssl_tls.c:5329 => write certificate

I (6192) mbedtls: ssl_tls.c:3184 => write handshake message

I (6199) mbedtls: ssl_tls.c:3343 => write record

I (6272) mbedtls: ssl_tls.c:2755 => flush output

I (6276) mbedtls: ssl_tls.c:2774 message length: 758, out_left: 758

I (6284) mbedtls: ssl_tls.c:2779 ssl->f_send() returned 758 (-0xfffffd0a)

I (6290) mbedtls: ssl_tls.c:2807 <= flush output

I (6298) mbedtls: ssl_tls.c:3476 <= write record

I (6307) mbedtls: ssl_tls.c:3320 <= write handshake message

I (6317) mbedtls: ssl_tls.c:5433 <= write certificate

I (6326) mbedtls: ssl_cli.c:3510 client state: 8

I (6334) mbedtls: ssl_tls.c:2755 => flush output

I (6344) mbedtls: ssl_tls.c:2767 <= flush output

I (6351) mbedtls: ssl_cli.c:2898 => write client key exchange

I (10469) mbedtls: ssl_tls.c:3184 => write handshake message

I (10475) mbedtls: ssl_tls.c:3343 => write record

I (10491) mbedtls: ssl_tls.c:2755 => flush output

I (10494) mbedtls: ssl_tls.c:2774 message length: 143, out_left: 143

I (10504) mbedtls: ssl_tls.c:2779 ssl->f_send() returned 143 (-0xffffff71)

I (10509) mbedtls: ssl_tls.c:2807 <= flush output

I (10517) mbedtls: ssl_tls.c:3476 <= write record

I (10526) mbedtls: ssl_tls.c:3320 <= write handshake message

I (10536) mbedtls: ssl_cli.c:3172 <= write client key exchange

I (10546) mbedtls: ssl_cli.c:3510 client state: 9

I (10554) mbedtls: ssl_tls.c:2755 => flush output

I (10563) mbedtls: ssl_tls.c:2767 <= flush output

I (10572) mbedtls: ssl_cli.c:3224 => write certificate verify

I (10582) mbedtls: ssl_tls.c:628 => derive keys

I (10647) mbedtls: ssl_tls.c:1116 <= derive keys

I (10650) mbedtls: ssl_tls.c:1226 => calc verify sha384

I (10659) mbedtls: ssl_tls.c:1232 <= calc verify

E (14287) MQTT_CLIENT: Client has not connected I (15801) mbedtls: ssl_tls.c:3184 => write handshake message

I (15807) mbedtls: ssl_tls.c:3343 => write record

I (15834) mbedtls: ssl_tls.c:2755 => flush output

I (15838) mbedtls: ssl_tls.c:2774 message length: 269, out_left: 269

I (15843) mbedtls: ssl_tls.c:2779 ssl->f_send() returned -80 (-0x0050)

W (15851) mbedtls: ssl_tls.c:3472 mbedtls_ssl_flush_output() returned -80 (-0x0050)

W (15864) mbedtls: ssl_tls.c:3315 ssl_write_record() returned -80 (-0x0050)

W (15876) mbedtls: ssl_cli.c:3379 mbedtls_ssl_write_handshake_msg() returned -80 (-0x0050)

I (15890) mbedtls: ssl_tls.c:8094 <= handshake

E (15898) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x50 I (15908) esp-tls-mbedtls: Certificate verified. E (15917) esp-tls: Failed to open new connection E (15925) TRANS_SSL: Failed to open a new connection E (15935) MQTT_CLIENT: Error transport connect I (15941) MQTT_CLIENT: Reconnect after 10000 ms I (15949) MQTTS_EXAMPLE: MQTT_EVENT_DISCONNECTED ...

bbinet commented 4 years ago

@OskOnu Have you been able to fix this issue?

I'm having exactly the same error:

esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x50

Any clue to fix it?

orakso commented 4 years ago

@OskOnu Have you been able to fix this issue?

I'm having exactly the same error:

esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x50

Any clue to fix it?

What broker do you use?

bbinet commented 4 years ago

@OskOnu I'm using vernemq broker.

orakso commented 4 years ago

@bbinet First of all, I would check my SSL certificate configuration. Namely, the CN (Common Name) should be the address of your server, according to this: https://support.dnsimple.com/articles/what-is-common-name . Also make sure that the broker has the correct permissions to access the certificate files.

bbinet commented 4 years ago

@OskOnu I've already checked my SSL certificate configuration, as I'm able to connect successfully with the same SSL certificates using mosquitto_pub/mosquitto_sub utilities, so the issue comes from the ESP side.

FYI, you can find more details of my setup here: https://github.com/espressif/esp-mqtt/issues/125#issuecomment-615916384

bbinet commented 4 years ago

@OskOnu This is now working: the "issue" seems to occur only when the client key is 4096-bit. I've generated a new client key (2048-bit) and everything works fine!

orakso commented 4 years ago

@bbinet I still have problems sometimes. How do you generate your certificate?

bbinet commented 4 years ago

I was using a home-made script based on openssl, but I plan to move to https://github.com/OpenVPN/easy-rsa

But on my side, I'm using an esp32, which is more powerful than the esp8266, so this may explain why you still have problems sometimes...

SERIDJ commented 4 years ago

Hi @orakso @bbinet, in the config, what does cert_pem in esp_mqtt_client_config_t mean? Is it the authority certificate ca.crt?

I am using https://github.com/espressif/esp-idf/blob/master/examples/protocols/mqtt/ssl_mutual_auth/main/app_main.c and I don't know why I can't use ca.crt. Also, do you have an idea how to use use_global_ca_store?

orakso commented 4 years ago

hi @orakso @bbinet please in config what mean cert_pem in esp_mqtt_client_config_t its authority certificat ca.crt ?

i am using https://github.com/espressif/esp-idf/blob/master/examples/protocols/mqtt/ssl_mutual_auth/main/app_main.c and i dont know why i cant use ca.crt ? and do u have idea how to use use_global_ca_store ?

I'm not sure whether I correctly understand your question. I think you have to use certificates in PEM format. You just need to extract the PEMs from your keystore.