
Secured SSL connection with Mosquitto Broker

I'm trying to make an SSL connection with the Mosquitto MQTT broker on Windows. I used http://mosquitto.org/man/mosquitto-tls-7.html to create the certificates and keys:

CA: ca.key ca.crt

Server: server.key server.crt

Client: client.key client.crt

Then I edited mosquitto.conf:

cafile TestSSL/ca.crt
certfile TestSSL/server.crt
keyfile TestSSL/server.key
require_certificate true
use_identity_as_username true

After this I started the Mosquitto MQTT broker:

C:\Program Files (x86)\mosquitto>mosquitto.exe -c mosquitto.conf -p 8883 -v
1451296913: mosquitto version 1.4.5 (build date 09/11/2015 14:34:52.97) starting
1451296913: Config loaded from mosquitto.conf.
1451296913: Opening ipv6 listen socket on port 8883.
1451296913: Opening ipv4 listen socket on port 8883.

I tried to subscribe to the broker:

mosquitto_sub.exe --cafile TestSSL/ca.crt --cert TestSSL/server.crt --key TestSSL/client.key -h 192.168.0.6 -p 8883 -t "TestSSL" -i "TestSSL_1234567890" -d -v

I see the error below at the broker:

1451297037: OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure
1451297037: Socket error on client <unknown>, disconnecting.

You should be using the client.crt with mosquitto_pub, not the server.crt:

mosquitto_sub.exe --cafile TestSSL/ca.crt --cert TestSSL/client.crt --key TestSSL/client.key -h 192.168.0.6 -p 8883 -t "TestSSL" -i "TestSSL_1234567890" -d -v
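A pre-flight check for the mix-up in the question's command (server.crt passed together with client.key), added here as an example and not part of the original posts. The helper name check_mqtt_client_pair is hypothetical; it assumes the openssl CLI is installed and the private key is unencrypted.

```shell
#!/bin/sh
# Added example (not from the original posts): pre-flight check for the
# files passed to mosquitto_sub/mosquitto_pub as --cafile, --cert and --key.
# check_mqtt_client_pair is a hypothetical helper name.
# Assumes the openssl CLI is installed and the private key is unencrypted.
# Returns 0 = usable pair, 1 = cert/key mismatch, 2 = unreadable file,
#         3 = certificate not signed by the given CA.
check_mqtt_client_pair() {
    ca=$1 cert=$2 key=$3

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert"; return 2; }
    # Public key derived from the private key, in the same PEM form.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key"; return 2; }

    # A TLS peer must prove possession of the key matching its certificate;
    # server.crt paired with client.key fails here before any handshake.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $cert was not issued for $key"; return 1
    fi

    # The broker's cafile must be able to validate the client certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "NOT TRUSTED: $cert does not chain to $ca"; return 3; }

    echo "OK: $cert matches $key and chains to $ca"
}

# Stand-alone use: sh check.sh TestSSL/ca.crt TestSSL/client.crt TestSSL/client.key
if [ "$#" -eq 3 ]; then
    check_mqtt_client_pair "$@"
fi
```

Run against the question's original arguments, the check reports the mismatch locally instead of leaving only a generic handshake failure in the broker log.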

For 2-way SSL, you should pack the client certificate and client key into a keystore. For instance, pack them into a p12 file using openssl.
