Closed AkhileshThorat closed 4 years ago
Hi @AkhileshThorat
I assume you are talking about the ssl_mutual_auth example, where not only does the client verify the server, but the server also has to verify the client (and therefore you need a client certificate)?
You have to generate a client key and a client CSR (not a crt) with openssl, then send your CSR to a CA, which generates a certificate based on your request.
The example code uses test.mosquitto.org, where you can get the certificate generated online. Please follow the steps described in https://github.com/espressif/esp-idf/blob/master/examples/protocols/mqtt/ssl_mutual_auth/README.md
Hi @david-cermak
I performed the following activities after reading the instructions given in the README file:
1. Generated a client key and CSR (not crt) using the openssl utility.
2. Copied the content of the .csr file and pasted it into the certificate-generating utility at test.mosquitto.org.
3. Saved the .crt file and put it in the main directory along with the client key.
4. I'm still doubtful about the whole process since I'm stuck.
OUTPUT: MQTT event disconnected
logs:
E (343992) esp-tls: mbedtls_ssl_handshake returned -0x4080
(I tried searching for an explanation of the error code, but found nothing)
E (273892) esp-tls: Failed to open new connection
E (273892) TRANS_SSL: Failed to open a new connection
E (273892) MQTT_CLIENT: Error transport connect
I (273902) MQTTS_EXAMPLE: MQTT_EVENT_DISCONNECTED
@AkhileshThorat mbedTLS -0x4080 https://tls.mbed.org/api/rsa_8h.html#abf2997e01281b898fd4594af0b7bfbb4
@chegewara I managed to find the following function corresponding to error code 0x4080 in the rsa.h file located inside mbedtls:
int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, unsigned char const *N, size_t N_len, unsigned char const *P, size_t P_len, unsigned char const *Q, size_t Q_len, unsigned char const *D, size_t D_len, unsigned char const *E, size_t E_len );
How do I proceed further with this information?
Hi @AkhileshThorat ,
I've just checked the test.mosquitto.org client cert generator and it looks like it returns a zero file. Does your client.crt look like a certificate?
-----BEGIN CERTIFICATE-----
...base64 data...
-----END CERTIFICATE-----
My guess is that it does not, and that would also explain the above error of MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
We have already received some other similar issues related to the test.mosquitto.org broker, which runs experimental code and might not always be good as a stable example for using the esp-mqtt client.
I've just checked with a local mosquitto and mutual authentication works as expected on my side. I think it would be good to update the README with a config hint for a local server, so that anyone can configure a stable broker to test the client with.
I would recommend to setup a local mosquitto with the following configuration:
port 8883
# "openssl rehash <path to capath>" each time you add/remove a certificate.
cafile /home/david/certs/ca.crt
# Path to the PEM encoded server certificate.
certfile /home/david/ssl/certs/server.crt
# Path to the PEM encoded keyfile.
keyfile /home/david/certs/server.key
require_certificate true
use_identity_as_username true
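Two checks that would have shortened this thread, written here as an added example rather than code from the esp-idf project or from anyone in the discussion: one splits an mbedTLS return value such as -0x4080 into its high-level module code and low-level code the way mbedtls_strerror() does (only the code from this thread is named in the lookup table; that table is an assumption to be extended from mbedtls/error.h), and the other checks whether a client.crt file actually looks like a PEM certificate before it is handed to the example, catching the empty file, a CSR pasted where a certificate belongs, and a body that is not base64 or not DER. The sample inputs are constructed (a minimal DER SEQUENCE, not a real certificate), and no signature or chain validation is performed.

```python
import base64
import re

# High-level mbedTLS error names. Assumption: only the code seen in this
# thread is listed; extend from mbedtls/error.h as needed.
MBEDTLS_HIGH_LEVEL_NAMES = {
    0x4080: "MBEDTLS_ERR_RSA_BAD_INPUT_DATA",
}


def split_mbedtls_error(ret):
    """Split a negative mbedTLS return value like mbedtls_strerror() does:
    high-level module code = (-ret & 0xFF80), low-level code = low 7 bits.
    Returns (high, low, name_or_None)."""
    if ret >= 0:
        raise ValueError("not an mbedTLS error code")
    use_ret = -ret
    high = use_ret & 0xFF80
    low = use_ret & 0x7F
    return high, low, MBEDTLS_HIGH_LEVEL_NAMES.get(high)


# One PEM block: label captured so a CSR can be told apart from a certificate.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_pem_certificate(text):
    """Return (ok, reason) for the contents of a client.crt file.

    Only structural sanity is checked: non-empty, PEM framing present,
    label is CERTIFICATE, body is base64 and decodes to a DER SEQUENCE.
    The signature and the issuing chain are NOT verified here."""
    if not text.strip():
        return False, "file is empty"
    m = PEM_RE.search(text)
    if not m:
        return False, "no PEM BEGIN/END block found"
    label, body = m.group(1), m.group(2)
    if label != "CERTIFICATE":
        return False, "PEM block is a %s, not a CERTIFICATE" % label
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return False, "body is not valid base64"
    if not der or der[0] != 0x30:
        return False, "decoded body does not start with a DER SEQUENCE"
    return True, "looks like a PEM certificate (signature not checked)"


# Constructed sample inputs (not real certificates): the DER bytes
# 30 03 02 01 00 (a SEQUENCE holding INTEGER 0), base64 "MAMCAQA=",
# wrapped once as a certificate and once as a CSR.
SAMPLE_GOOD_CRT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
SAMPLE_CSR_AS_CRT = ("-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQA=\n"
                     "-----END CERTIFICATE REQUEST-----\n")
SAMPLE_EMPTY_CRT = ""

if __name__ == "__main__":
    print("-0x4080 ->", split_mbedtls_error(-0x4080))
    for name, sample in [("good", SAMPLE_GOOD_CRT),
                         ("csr", SAMPLE_CSR_AS_CRT),
                         ("empty", SAMPLE_EMPTY_CRT)]:
        print(name, check_pem_certificate(sample))
```

Run it on a real client.crt by reading the file into check_pem_certificate(); a False result means the file will fail long before the handshake gets anywhere, which matches the -0x4080 seen above.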
Hi @AkhileshThorat
Any update? Were you able to resolve the issue by connecting to a different public broker or a local one?
@AkhileshThorat Thanks for reporting the issue. Would you help share if any updates for the issue? Thanks.
Hi @david-cermak and @Alvin1Zhang, sorry for the delay. Lately I'm running into basic issues like not being able to generate a .CSR file. I'm looking into this matter and will update you soon.
@AkhileshThorat Thanks for reporting, would you please help share if any updates for the issue? Thanks.
Thanks for reporting, will close due to lack of feedback; feel free to reopen with more updates or file a new ticket for a new issue. Thanks.
Environment
- IDF version (run git describe --tags to find it): 3.3-dev-301-gadd7c49a2
- Compiler version (run xtensa-esp32-elf-gcc --version to find it): -ng-1.22.0-80-g6c4433a5)
Problem Description
Used the openssl utility to generate client.key and client.crt for the example code. On opening client.crt it shows the following message: "the integrity of the certificate cannot be guaranteed. The certificate may be corrupted or altered". Is there any additional step I need to do to install the certificate, or is something missing? How do I validate or digitally sign the certificate?
I get following logs on monitor
Debug Logs
I (4724) MQTTS_EXAMPLE: [APP] Free memory: 235796 bytes
I (4724) system_api: Base MAC address is not set, read default base MAC address from BLK0 of EFUSE
E (5934) esp-tls: mbedtls_ssl_handshake returned -0x4080
E (5934) esp-tls: Failed to open new connection
E (5934) TRANS_SSL: Failed to open a new connection
E (5934) MQTT_CLIENT: Error transport connect
I (5944) MQTT_CLIENT: Reconnect after 10000 ms
I (5944) MQTTS_EXAMPLE: MQTT_EVENT_DISCONNECTED