mosquitto error "ssl3_read_bytes:tlsv1 alert internal error": cause and fix
The broker is configured for mutual TLS, i.e. it requires a client certificate (require_certificate true), and is started with:
mosquitto -c etc/mosquitto.conf
Subscribing with mosquitto_sub fails:
mosquitto_sub -L "mqtts://localhost:8883/const.net.cn" --cafile ca.crt -d
Client (null) sending CONNECT
Error: host name verification failed.
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
On the broker side the log shows the message from the title. The client aborted the handshake because the server certificate was not issued for the name it connected to ("localhost"), and OpenSSL on the broker records the resulting alert as an internal error:
1626420060: New connection from 127.0.0.1:37766 on port 8883.
1626420060: OpenSSL Error[0]: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
1626420060: Client <unknown> disconnected: Protocol error.
1626420068: New connection from 127.0.0.1:37768 on port 8883.
1626420068: OpenSSL Error[0]: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
1626420068: Client <unknown> disconnected: Protocol error.
Adding --insecure to the mosquitto_sub command only skips the hostname check that failed above (the certificate chain is still verified against ca.crt), so the handshake gets further and the error message changes:
mosquitto_sub -L "mqtts://localhost:8883/const.net.cn" --cafile ca.crt -d --insecure
Client (null) sending CONNECT
OpenSSL Error[0]: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
Error: The connection was lost.
Broker log:
1626420113: New connection from 127.0.0.1:37770 on port 8883.
1626420113: OpenSSL Error[0]: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
1626420113: Client <unknown> disconnected: Protocol error.
This means the client did not present a certificate, which the broker demands because it is configured for mutual authentication.
Add the client certificate and key to the command:
mosquitto_sub -L "mqtts://localhost:8883/const.net.cn" --cafile ca.crt --key client.key --cert client.crt -d --insecure
Client (null) sending CONNECT
Client (null) received CONNACK (0)
Client (null) sending SUBSCRIBE (Mid: 1, Topic: const.net.cn, QoS: 0, Options: 0x00)
Client (null) received SUBACK
Subscribed (mid: 1): 0
The subscription now works. Note, however, that --insecure is still on the command line: it only hides the hostname mismatch, so the client can no longer tell this broker apart from any other host holding a certificate issued by the same CA. The proper fix is to issue the broker certificate with a subjectAltName that covers the name the client connects to (here localhost / 127.0.0.1) and then drop --insecure.
https://snowyang.com/2020/12/11/Network/MQTT/mosquitto/ also discusses this problem. That author additionally recommends an MQTT-over-TLS implementation for microcontrollers (mbedtls + lwip + mqtt):
https://mcuoneclipse.com/2017/04/23/tuturial-mbedtls-sll-certificate-verification-with-mosquitto-lwip-and-mqtt/
Finally, the description of the option from the mosquitto_sub man page:
--insecure : do not check that the server certificate hostname matches the remote
hostname. Using this option means that you cannot be sure that the
remote host is the server you wish to connect to and so is insecure.
Do not use this option in a production environment.
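To avoid needing --insecure at all, the broker certificate must name the host the client dials. The following script is an added example, not code from the original post or from the mosquitto project: it builds a demo CA, a broker certificate whose subjectAltName covers localhost and 127.0.0.1, a client certificate for mutual TLS, and the matching mosquitto.conf, then runs the same chain-plus-hostname check that mosquitto_sub performs before sending CONNECT. The working directory, the CA and subject names, and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from mosquitto): issue a broker
# certificate that matches the connection name so --insecure is unnecessary.
# WORKDIR, the CA/subject names and file names are demo assumptions.
set -eu

WORKDIR="${WORKDIR:-./mqtts-demo}"

# Self-signed CA with explicit basicConstraints so it is accepted as a CA
# regardless of the system openssl.cnf.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo MQTT CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/ca.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
        -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a CA-signed certificate. $1 = file prefix, $2 = subject CN,
# $3 = X.509 v3 extensions, one per line.
issue_cert() {
    prefix="$1"; cn="$2"; exts="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORKDIR/$prefix.key" -out "$WORKDIR/$prefix.csr" 2>/dev/null
    printf '%s\n' "$exts" > "$WORKDIR/$prefix.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/$prefix.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$prefix.ext" -out "$WORKDIR/$prefix.crt" 2>/dev/null
}

# Broker certificate: the SAN must list every name and IP clients will dial;
# the CN alone is not enough for modern hostname verification.
make_server_cert() {
    issue_cert server mqtt-broker \
"basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:localhost,IP:127.0.0.1"
}

# Client certificate presented to a broker with require_certificate true.
make_client_cert() {
    issue_cert client mqtt-client \
"basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth"
}

# The check mosquitto_sub does before CONNECT: chain to ca.crt, usable as a
# TLS server, and issued for the name in $1. Returns non-zero on mismatch,
# which is the "host name verification failed" case from the post.
verify_server_name() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslserver \
        -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# The check the broker does on the client certificate.
verify_client_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslclient \
        "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Mutual-TLS listener on 8883, as in the post.
write_broker_conf() {
    cat > "$WORKDIR/mosquitto.conf" <<EOF
listener 8883
cafile $WORKDIR/ca.crt
certfile $WORKDIR/server.crt
keyfile $WORKDIR/server.key
require_certificate true
EOF
}

main() {
    mkdir -p "$WORKDIR"
    make_ca
    make_server_cert
    make_client_cert
    write_broker_conf
    if verify_server_name localhost; then
        echo "server.crt is valid for localhost; connect without --insecure:"
        echo "  mosquitto_sub -L mqtts://localhost:8883/const.net.cn \\"
        echo "    --cafile $WORKDIR/ca.crt --cert $WORKDIR/client.crt --key $WORKDIR/client.key -d"
    else
        echo "server.crt does not match localhost (host name verification would fail)" >&2
        return 1
    fi
}

main
```

Start the broker with `mosquitto -c ./mqtts-demo/mosquitto.conf` and run the printed mosquitto_sub line; the hostname check passes because DNS:localhost is in the SAN, and the client certificate satisfies require_certificate, so neither --insecure nor any other verification bypass is needed.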