TLS connection doesn't work - SSLPeerUnverifiedException

[mwildbolz]

Since the last updates (also with Beta2) I'm not able to connect via TLS to my mosquitto broker any more. Owntracks just says "TLS Error: MqttException", owntracks log:

2024-04-27 23:48:47.130 I [DefaultDispatcher-worker-4] MQTTReconnectWorker: MQTT reconnect worker job started
2024-04-27 23:48:47.241 I [DefaultDispatcher-worker-4] MQTTMessageProcessorEndpoint$connectToBroker: Connecting to ssl://xxyy.ddns.net:8884?# timeout = 30s
2024-04-27 23:48:47.536 E [DefaultDispatcher-worker-4] MQTTMessageProcessorEndpoint$connectToBroker: MQTT client unable to connect to endpoint
MqttException (0) - javax.net.ssl.SSLPeerUnverifiedException: Host: xxyy.ddns.net, Peer Host: xxyy.ddns.net
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:315)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:487)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:307)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
    at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host: xxyy.ddns.net, Peer Host: xxyy.ddns.net
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(Unknown Source:143)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:75)
    ... 6 more

2024-04-27 23:48:47.536 I [DefaultDispatcher-worker-4] MQTTReconnectWorker: MQTT reconnect worker job completed, status Retry

On the broker side I see the following log entry:

1714254527: New connection from 212.197.138.213:47906 on port 8883.
1714254527: Client <unknown> closed its connection.

Certificates were generated using instructions from this site TLS connection to the broker in principle works - mosquitto_sub, paho (python) mqtt client and also MQTT-Explorer are able to connect using the installed CA certificate (with validation turned on).

I don't have an idea where to look further. Debug Log switched on on owntracks side does not bring more information. Debug logging on broker side is also not more verbose during the connection attempt. CA certificate is installed inside Android

• App build number: 2.5.0 (420500002)
• Android version: 14
• Device: Samsung Galaxy A34
• Installation source: Google Play

[growse]

Did you install the CA certificate in the device CA cert store?

[mwildbolz]

Yes, I did. I also tried with another certificate and there the error was clearly a not accepted certificate.

[growse]

Can you either post or mail us your CA cert and endpoint so i can test?

[jpmens]

@mwildbolz our email address is support@owntracks.org

[mwildbolz]

@mwildbolz our email address is support@owntracks.org

Mail sent - thanks in advance!

[growse]

Got it.

The certificate presented by your endpoint is missing a X509v3 Subject Alternative Name, or SAN. OT (and the rest of the modern web) doesn't validate names against CN any more - your hostname that you want to connect to needs to be present as a SAN field. Example from https://owntracks.org cert:

$ openssl x509 -in owntracks.org.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                58:C9:B2:AA:68:E6:A5:48:CC:D8:2B:E8:42:B2:BF:7F:BE:45:66:68
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:owntracks.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1

Suggest you use a tool like mkcert for generating modern self-signed CA certs, or delegate it to a real CA like Letsencrypt.

[mwildbolz]

Thanks, sounds promising. I already tried adding the SAN information into the certificate before, but maybe there was an error doing this with my openssl commands. I'll give a short notice after trying again!

Just one thing to mention: Would be fine, if one could get this information out of the logs (at least in DEBUG mode), maybe there is a way to implement logging in this area.

Thanks a lot!

[mwildbolz]

Working now - was a problem with my commands for generating the certificates using the SAN information. Thanks a lot!