Open cinadr opened 3 years ago
Dear Zsolt,
thank you for this report. I wanted to let you know that there already has been a sweet conversation with @ralight about this issue at https://github.com/hiveeyes/terkin-datalogger/pull/97. He was very kind to point out the problem with MicroPython's umqtt
module as well.
TLDR; Mosquitto 2.0.12 has both become more strict wrt. protocol compliance, and now also honors the max_keepalive
option for MQTT v3.x connections, in order to improve the situation with CVE-2020-13849. This is the corresponding quote from the changelog of Mosquitto 2.0.12:
Fix
max_keepalive
not applying to MQTT v3.1.1 and v3.1 connections. These clients are now rejected if their keepalive value exceedsmax_keepalive
. This option allows CVE-2020-13849, which is for the MQTT v3.1.1 protocol itself rather than an implementation, to be addressed. [1]
Regarding this conversation, I would like to thank Roger very much for his insights and his prompt response.
With kind regards, Andreas.
[1] https://mosquitto.org/blog/2021/08/version-2-0-12-released/
At https://github.com/hiveeyes/terkin-datalogger/pull/97#issuecomment-915872291, I've referenced two patches to outline how to mitigate the problem by setting a keepalive value other than zero on the client side.
Dear Andreas,
Thank you for the update. I've already been following the conversation and it is very good to see how prompt you all react to and solve the problem.
Regards, Zsolt.
Dear @ralight,
at https://github.com/hiveeyes/terkin-datalogger/pull/97#issuecomment-916003229, you confirmed that using 60 seconds as a default keepalive time is reasonable. However, umqtt.simple
probably does not provide a reconnect mechanism, so the application would be responsible.
So, I am asking if you nevertheless think that I should submit a corresponding patch to the MicroPython standard library to use 60 seconds here, similar to https://github.com/daq-tools/umqtt-example/pull/1?
I've also pushed a commit to mosquitto to allow
max_keepalive
to be set to 0: https://github.com/eclipse/mosquitto/commit/d942ed7eec1619bc60d3997fecddb85b2fecaa37
I will also reuse this section from Mosquitto's documentation to make users of umqtt.simple
aware of this detail when submitting a corresponding patch.
With kind regards, Andreas.
I haven't looked at umqtt in detail, so the answer is - it depends. If the library handles keepalive and sending PINGREQ itself, then changing the default keepalive to 60 seconds is a good idea. If the library does not handle sending PINGREQs, then if you change the default value you will get some confused users at 90 seconds (60*1.5) after they deploy the new code. My guess is that the latter situation is probably true. I'm not sure what the best thing to do would be.
Simple assign some time for keep alive argument... eg-> from umqtt.simple import MQTTClient client = MQTTClient("client_id", "192.168.0.xxx", port=1883, user=None, password=None, keepalive=30, ssl=False, ssl_params={}) client.on_connect = on_connect_function client.connect()
Can this issue be reproduced in the latest versions of this module?
Hi!
umqtt.simple fails to connect to mosquito 2.0.12. It throws back MQTTException: 2. Meanwhile mosquitto log says: 'Bad socket read/write on client. Invalid arguments provided.'
This is reproducible with micropython 16 and 17 both in an application and in REPL.
This is not a problem with mosquitto 2.0.11.
All other mqtt clients are working correctly with 2.0.12 (openhab, zwave2mqtt, zigbee2mqtt, etc.). So I assume this is a problem with this library. I rolled back to 2.0.11.
Thank you in advance:
Zsolt Zimmermann
The changelog of mosquitto: