thingsboard / tbmq

Open-source, scalable, and fault-tolerant MQTT broker able to handle 4M+ concurrent client connections, supporting at least 3M messages per second throughput per single cluster node with low latency delivery. The cluster mode supports more than 100M concurrently connected clients.
https://thingsboard.io/products/mqtt-broker/
Apache License 2.0

[Bug] #54

Closed DavidHill0809 closed 1 year ago

DavidHill0809 commented 1 year ago

Describe the bug: Java error when using X.509 certificate based TLS authentication

Your Server Environment

Your Client Environment: Ubuntu 22.04.2 LTS, OpenSSL 3.0.2

No real device, just created certificates to authenticate on tbmq

$ mosquitto_pub -h dx-prod-mqtt1.nec.xon.co.za -p 8883 --cafile ./ca.crt --cert ./tbmq-cpa-gateway-0001.crt --key ./tbmq-cpa-gateway-0001.key -q 1 -t "tb/mqtt-integration-tutorial/sensors/SN-001/temperature" -m '{"value":25.1}'
Error: A TLS error occurred.

$ openssl x509 -noout -subject -in tbmq-cpa-gateway-0001.crt
subject=CN = tbmq-cpa-gateway-0001

To Reproduce: I have created X.509 certificates for OpenVPN and MQTT TLS authentication. The certificates are working fine with OpenVPN but they give this error when connecting to tbmq. Google shows that the error, which is:

2023-07-21 12:13:32,325 [nioEventLoopGroup-5-7] WARN o.t.m.b.server.MqttSessionHandler - [c124bdc8-0600-47d1-976a-785fcf3f8358] Exception on SSL handshake. Reason - Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

is a JVM error and has been resolved in later versions of Java.

I have configured (in the tbmq docker compose file):

LISTENER_SSL_ENABLED: true
LISTENER_SSL_PROTOCOL: TLSv1.2
LISTENER_SSL_CREDENTIALS_TYPE: PEM
LISTENER_SSL_PEM_CERT: /data/ssl/dx-prod-tb-mqtt-vpn1.crt
LISTENER_SSL_PEM_KEY: /data/ssl/dx-prod-tb-mqtt-vpn1.key
SECURITY_MQTT_AUTH_STRATEGY: single
SECURITY_MQTT_SSL_ENABLED: true

The docker log shows no error when loading the certificate and key listed in the configuration, and the tbmq GUI shows TLS Listener enabled and X.509 certificate authentication enabled.

Steps to reproduce the behavior:

Create certificates for server and client using OpenSSL/easy-rsa. Install the server certificates on tbmq and use mosquitto_pub to publish to port 8883.

dmytro-landiak commented 1 year ago

hi @DavidHill0809!

Thank you for reporting this. I will get back to you once I am able to reproduce the issue with the steps you did and will have the fix ready.

dmytro-landiak commented 1 year ago

hi @DavidHill0809,

Unfortunately, I was not able to reproduce the issue.

I have generated certificates using easy-rsa for both the server and client and used the same config in docker-compose file.


Could you pls let me know what version of mosquitto cli you are using? Maybe the reason is there if you have an older version of mosquitto.

dlandiak@dlandiak:~$ mosquitto_sub --help
mosquitto_sub is a simple mqtt client that will subscribe to a set of topics and print all messages it receives.
mosquitto_sub version 2.0.15 running on libmosquitto 2.0.15.

dlandiak@dlandiak:~$ mosquitto_pub --help
mosquitto_pub is a simple mqtt client that will publish a message on a single topic and exit.
mosquitto_pub version 2.0.15 running on libmosquitto 2.0.15.

DavidHill0809 commented 1 year ago

Hi Dima,


I'm not sure how to proceed. I could give you access to the VM if it would help.

Regards, David


dmytro-landiak commented 1 year ago

The solution David found:

"I think I have found the issue. mosquitto_sub -h [hostname] -p 8883 --cafile ca.crt --cert tbmq-cpa-gateway-0001.crt --key tbmq-cpa-gateway-0001.key -t "a/2/3" -d --insecure When I use --insecure then it connects. I need to rebuild my server certificate to match the hostname correctly."

Closing the issue as resolved.

@DavidHill0809, pls reopen in case of anything else you face regarding this topic.
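The fix David describes (rebuilding the broker certificate so its subjectAltName matches the hostname clients connect to, instead of leaving --insecure in place) can be checked before the certificate is installed on tbmq. The script below is an added example and not part of the tbmq project or this issue; it assumes the openssl CLI is available and uses a constructed placeholder hostname, broker.example.test.

```shell
#!/bin/sh
# Added example (not tbmq code): issue a broker certificate from a throwaway CA
# with subjectAltName=DNS:<hostname>, then run the same hostname and chain checks
# a TLS client performs. A mismatch shows up here, not as "A TLS error occurred".
set -eu

WORK=$(mktemp -d)
BROKER_HOST="broker.example.test"   # constructed placeholder hostname

# Create a test CA and sign a server certificate whose SAN carries $1.
# (easy-rsa does the equivalent with: easyrsa --subject-alt-name=DNS:<host> build-server-full <host> nopass)
make_server_cert() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Extensions are taken from the CSR only with newer OpenSSL, so pass them explicitly.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/server.ext"
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Return 0 only if the server certificate chains to the CA (the --cafile check)
# AND its SAN covers the hostname given in -h (the check --insecure turns off).
cert_matches_host() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/server.crt" -noout -checkhost "$1" 2>/dev/null | grep -q "does match"
}
```

Run cert_matches_host against every hostname clients will actually use (including any DNS alias) before copying the certificate to the LISTENER_SSL_PEM_CERT path.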