philipparndt
commented
2 years ago Thanks for letting me know. What connection type did you use? MQTTS or WSS?
Closed edgauthier closed 2 years ago
philipparndt
commented
2 years ago Thanks for letting me know. What connection type did you use? MQTTS or WSS?
edgauthier
commented
2 years ago MQTTS - that's what I use nearly all the time.
philipparndt
commented
2 years ago It seems the MQTTS implementation should use Apples network framework, instead of CocoaAsyncSocket. With this, all the TLS stuff is handled by Apple and should be probably tested and up-to-date.
edgauthier
commented
2 years ago Regarding mismatched hostname with certificate and the latest test flight build: MQTTAnalyzer no longer connects (good) but rather than returning an error that the user can understand/act on, it just sits in a "connecting" state (not so good).
Not sure if this is an area you're still cleaning up or not.
philipparndt
commented
2 years ago Error handling is still ongoing. I still have to read more of the Apple Network framework docu on how to do this with their API
philipparndt
commented
2 years ago Hi @edgauthier I uploaded another version. Can you do another testing round with this ticket and your Traefik configuration. This is a much smaller patch. Eventually, I like to go for the patch I committed yesterday but this is a good candidate for an intermediate solution.
The build number is b120
edgauthier
commented
2 years ago This works for me same as yesterdays update in both scenarios.
philipparndt
commented
2 years ago I've uploaded a new version to TestFlight (2.6.0) can you do a test with this? This is using Apple network again but with improved error handling.
edgauthier
commented
2 years ago This is what I get with a hostname that doesn't match the certificate. I wouldn't have guessed this was due to the cert name not matching the hostname.
If I change the host name to match the cert, it connects just fine.
philipparndt
commented
2 years ago Thanks for the test.
You are right, the message is really not intuitive and very generic. When getting this message I would first have a look at e.g. the certificate encoding and then inspect the certificate values. I think as this message is very generic, there is not much that I can do here.
edgauthier
commented
2 years ago True - it at least points the user at the certificate, which is better than before. Thanks for the improvement.
While testing another issue, I was generating certificates and ran into a rate limit, which required me to generate a new certificate under a separate domain. My original certificates were for mqtt.example.com. I generated a new certificate for mqtt-certbot.example.com. I went back to MQTTAnalyzer to try and test the new cert, and observed that without changing the configuration in MQTTAnalyzer, it connected automatically. That is, MQTTAnalyzer was configured to connect to mqtt.example.com, while the server was using a certificate for mqtt-certbot.example.com, and MQTTAnalyze didn't complain about an invalid cert due to the hostname not matching the server provided cert.
In contrast, when trying to connect with MQTT-Explorer, I was correctly given an error that the hostname didn't match the certificate, and it wouldn't connect until I changed the hostname I was connecting to so that it matched what was in the certificate.