When connecting over mqtts, the connection fails with an error:

mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t "command///req/#" --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1

Unable to connect (A TLS error occurred.).

Add -d to print debug information:

mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t "command///req/#" --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1 -d

Error: Unable to load client certificate "cert.pem".
OpenSSL Error[0]: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Unable to connect (A TLS error occurred.).

Check the OpenSSL version:
openssl
OpenSSL> version
OpenSSL 1.1.1f 31 Mar 2020
OpenSSL> quit

Test with openssl s_client:

openssl s_client -connect 124.71.233.xx:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

error setting certificate
140341384697152:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
The same error occurs.

Inspect the certificate:

openssl x509 -text -in cert.pem

Signature Algorithm: sha1WithRSAEncryption

As is well known, the SHA1 algorithm is weak and obsolete. That should be the cause.
Workaround:

openssl s_client -cipher @SECLEVEL=0:ALL -connect 124.71.233.xx:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

To confirm that SHA1 is the problem, this is enough:

openssl s_client -cipher @SECLEVEL=0:SHA1 -connect 124.71.233.62:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

For mqtt, building OpenSSL with -DOPENSSL_TLS_SECURITY_LEVEL=0 is enough.

Another option is to change the configuration file.
Edit /etc/ssl/openssl.cnf.
At the beginning of the file, add:

openssl_conf = default_conf

At the end of the file, add:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0

Verification test:

openssl s_client  -connect 124.71.233.62:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

CONNECTED(00000003)
...
verify return:1
This method comes from: https://askubuntu.com/questions/1231799/certificate-error-after-upgrade-to-20-04
Original text:

I found a solution, according to the accepted answer of this question:
Ubuntu 20.04 - how to set lower SSL security level?

In particular, the openSSL configuration file /etc/ssl/openssl.cnf
shall be modified in the following way.

At the beginning, add openssl_conf = default_conf

At the end, add

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0

After this modification, the certificate is
recognized without security errors.

https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html

WARNING at this time setting the security level higher than 1 for
general internet use is likely to cause considerable interoperability
issues and is not recommended. This is because the SHA1 algorithm is
very widely used in certificates and will be rejected at levels higher
than 1 because it only offers 80 bits of security.

The default security level can be configured when OpenSSL is compiled
by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. If not set then 1 is
used.

https://github.com/drwetter/testssl.sh/issues/1433

OpenSSL 1.1.0 introduced the ability to specify a security level:
https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_security_level.pod.
By default the security level is set to 1 unless a compile-time option
is used to set the default a different value. The security level may
also be set by the command line, e.g.,

openssl s_client -cipher @SECLEVEL=0:ALL -connect 127.0.0.1:443

At the moment, testssl.sh does not use the @SECLEVEL=n directive, but we may
want to look into using s_client_options() to add it in some
circumstances.

Certificate error while pushing no… | Apple Developer Forums
We did a temporary fix by setting lower SSL security level.

In particular, the openSSL configuration file /etc/ssl/openssl.cnf shall be modified in the following way.
At the beginning, add openssl_conf = default_conf
At the end, add
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0

After this modification, the certificate is recognized without security errors.

Referenced from: itectec.com/ubuntu/ubuntu-certificate-error-after-upgrade-to-20-04
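
The security levels quoted above can be applied more narrowly than @SECLEVEL=0. The following is an added example, not part of the original post or of OpenSSL: it reads the output of `openssl x509 -noout -text` and prints the highest @SECLEVEL that still accepts the certificate's signature digest. Assumptions: the function names are hypothetical, and the bit values follow the OpenSSL 1.1.1 series used on this page (security bits are half the digest length, level minimums are 80/112/128/192/256 bits); OpenSSL 3.x rates SHA1 and MD5 signatures lower.

```shell
#!/bin/sh
# Added example. Reads `openssl x509 -noout -text` output on stdin and prints
# the highest @SECLEVEL at which OpenSSL 1.1.1 accepts the signature digest.

# Digest name from the first "Signature Algorithm:" line,
# e.g. sha1WithRSAEncryption -> sha1, ecdsa-with-SHA256 -> sha256.
sig_digest() {
    alg=$(awk '/Signature Algorithm:/ { print tolower($NF); exit }')
    case "$alg" in
        *md5*)    echo md5 ;;
        *sha1*)   echo sha1 ;;
        *sha224*) echo sha224 ;;
        *sha256*) echo sha256 ;;
        *sha384*) echo sha384 ;;
        *sha512*) echo sha512 ;;
        *)        return 1 ;;   # e.g. RSASSA-PSS, where the digest is a parameter
    esac
}

# Assumption (OpenSSL 1.1.1): security bits = half the digest length in bits.
digest_secbits() {
    case "$1" in
        md5)    echo 64 ;;
        sha1)   echo 80 ;;
        sha224) echo 112 ;;
        sha256) echo 128 ;;
        sha384) echo 192 ;;
        sha512) echo 256 ;;
        *)      return 1 ;;
    esac
}

# Count how many level minimums (levels 1..5) the digest's security bits meet.
max_seclevel() {
    digest=$(sig_digest) || { echo "unknown signature algorithm" >&2; return 1; }
    bits=$(digest_secbits "$digest")
    level=0
    for min in 80 112 128 192 256; do
        [ "$bits" -ge "$min" ] || break
        level=$((level + 1))
    done
    echo "$level"
}

# Usage: openssl x509 -noout -text -in cert.pem | max_seclevel
```

For the sha1WithRSAEncryption certificate shown earlier this prints 1, which agrees with the quoted documentation that SHA1 is rejected only at levels higher than 1.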

When subscribing to messages with mosquitto, a "host name verification failed" error appears.

mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t topic --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1 -d 

Client (null) sending CONNECT
Error: host name verification failed.
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.

Verifying with openssl s_client shows that TLS itself is fine, so the problem should be in how mqtt handles it.

Look at the mosquitto source code.
In mosquitto-2.0.11/lib/tls_mosq.c, the implementation looks like this:

if(mosq->tls_insecure == false
#ifndef WITH_BROKER
                        && mosq->port != 0 /* no hostname checking for unix sockets */
#endif
)
...
return preverify_ok;
}

Setting mosq->tls_insecure to true skips this check, which is what the --insecure option does.
The modified command:

mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t topic --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1 -d --insecure
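
openssl s_client only compares names when given -verify_hostname or -verify_ip, which is why it connected above while mosquitto's host name check failed. The following added example (not mosquitto's code) reads `openssl x509 -noout -text` output for the server certificate and reports whether the host or IP address passed to -L is listed in its Subject Alternative Name. Assumptions: the function name san_matches is hypothetical, wildcards are limited to one leftmost label, and IP addresses are compared as literal strings.

```shell
#!/bin/sh
# Added example, not mosquitto code. Reads `openssl x509 -noout -text` output
# on stdin. Returns 0 if the name is listed in subjectAltName, 1 if it is not,
# 2 if the certificate has no subjectAltName extension.
san_matches() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # The SAN values are on the line after the extension header.
    sans=$(awk '/Subject Alternative Name/ { getline; print; exit }' |
           tr ',' '\n' | sed 's/^ *//' | tr 'A-Z' 'a-z')
    [ -n "$sans" ] || return 2
    while IFS= read -r entry; do
        value=${entry#*:}                 # drop the "dns:" / "ip address:" tag
        case "$entry" in
            dns:\*.*)
                # A wildcard covers exactly one leftmost label.
                suffix=${value#\*}        # e.g. ".iot.example.test"
                rest=${want#*.}           # name without its first label
                [ "$want" != "$rest" ] && [ ".$rest" = "$suffix" ] && return 0
                ;;
            dns:*|"ip address:"*)
                [ "$value" = "$want" ] && return 0
                ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Usage (server certificate saved as server.pem, an assumed file name):
#   openssl x509 -noout -text -in server.pem | san_matches 192.0.2.10
```

A return value of 1 or 2 for the address used in the mqtts:// URL points to the certificate, or the name used to reach the broker, as the thing to change.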