
SSL error when connecting to a mosquitto broker from another machine

I am trying to connect to a Mosquitto broker over a secured SSL connection. To do so, I followed this tutorial.

The mosquitto configuration file is:

tls_version tlsv1.2
pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 1883

listener 8883
cafile /etc/mosquitto/certs2/ca.crt
certfile /etc/mosquitto/certs2/server.crt
keyfile /etc/mosquitto/certs2/server.key

I generated the CA file and the server certificate with this script.

As long as the client is on the same machine as the broker, I have no problem connecting on port 8883 using the CA file:

mosquitto_sub -h localhost --cafile /etc/mosquitto/certs2/ca.crt  -t "test"  -p 8883 -v 

But when I try to connect from a client on another machine I get the following error:

1484748728: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

Also, when I use the insecure option of mosquitto_pub/mosquitto_sub, it works well.

--insecure

When using certificate based encryption, this option disables verification of the server hostname in the server certificate. This can be useful when testing initial server configurations but makes it possible for a malicious third party to impersonate your server through DNS spoofing, for example. Use this option in testing only. If you need to resort to using this option in a production environment, your setup is at fault and there is no point using encryption.

So I was thinking that maybe the commonName on my server certificate is not right, but I checked and it corresponds to the hostname I use to establish the connection.

On both machines, OpenSSL 1.0.2g is installed.

In order to get more precise information on what happens, I tried running ssldump, but I do not really know how to interpret its output:

2 1  0.0292 (0.0292)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        Unknown value 0xc030
        Unknown value 0xc02c
        Unknown value 0xc028
        Unknown value 0xc024
        Unknown value 0xc014
        Unknown value 0xc00a
        Unknown value 0xa5
        Unknown value 0xa3
        Unknown value 0xa1
        Unknown value 0x9f
        Unknown value 0x6b
        Unknown value 0x6a
        Unknown value 0x69
        Unknown value 0x68
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        TLS_DH_RSA_WITH_AES_256_CBC_SHA
        TLS_DH_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0x88
        Unknown value 0x87
        Unknown value 0x86
        Unknown value 0x85
        Unknown value 0xc032
        Unknown value 0xc02e
        Unknown value 0xc02a
        Unknown value 0xc026
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x9d
        Unknown value 0x3d
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0x84
        Unknown value 0xc02f
        Unknown value 0xc02b
        Unknown value 0xc027
        Unknown value 0xc023
        Unknown value 0xc013
        Unknown value 0xc009
        Unknown value 0xa4
        Unknown value 0xa2
        Unknown value 0xa0
        Unknown value 0x9e
        TLS_DHE_DSS_WITH_NULL_SHA
        Unknown value 0x40
        Unknown value 0x3f
        Unknown value 0x3e
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_DH_RSA_WITH_AES_128_CBC_SHA
        TLS_DH_DSS_WITH_AES_128_CBC_SHA
        Unknown value 0x9a
        Unknown value 0x99
        Unknown value 0x98
        Unknown value 0x97
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0x43
        Unknown value 0x42
        Unknown value 0xc031
        Unknown value 0xc02d
        Unknown value 0xc029
        Unknown value 0xc025
        Unknown value 0xc00e
        Unknown value 0xc004
        Unknown value 0x9c
        Unknown value 0x3c
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0x96
        Unknown value 0x41
        Unknown value 0xc011
        Unknown value 0xc007
        Unknown value 0xc00c
        Unknown value 0xc002
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0xc012
        Unknown value 0xc008
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xff
        compression methods
                  NULL
2 2  0.0602 (0.0309)  S>C  Handshake
      ServerHello
        Version 3.3 
        session_id[0]=

        cipherSuite         Unknown value 0xc030
        compressionMethod                   NULL
2 3  0.0614 (0.0012)  S>C  Handshake
      Certificate
2 4  0.0614 (0.0000)  S>C  Handshake
      ServerKeyExchange
2 5  0.0614 (0.0000)  S>C  Handshake
      ServerHelloDone
2 6  0.0629 (0.0014)  C>S  Alert
    level           fatal
    value           certificate_unknown
2    0.0644 (0.0015)  C>S  TCP RST

It seems strange to me that there is just "Unknown value" for the cipherSuite of the ServerHello, but SSL/TLS is a totally new topic for me...

Do you have any idea what could cause this problem, or how to debug it?

I would be very glad if you could give me some suggestions.

This question would have been better asked on iot.stackexchange.com.

But when I try to connect from a client on another machine I get the following error:

If you're running mosquitto_sub -h localhost on a different machine, then you're not connecting to the remote machine any more. If you've modified the hostname correctly on the remote host, then have you also copied over the correct CA file?
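The two possibilities raised in the answer (wrong name passed to -h, or a different ca.crt on the remote client) are exactly the two checks a TLS client runs before it accepts the broker's certificate, and both can be reproduced offline with the openssl CLI. The script below is an added example, not code from the question, the answer or the Mosquitto project; the broker name, the file names and the throwaway CA and server certificate it generates are all assumptions. Two facts help read the ssldump trace: "Unknown value 0xc030" only means ssldump's cipher table predates the suite (0xc030 is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), and the handshake reached the server's Certificate message before the client aborted, so the cipher choice is not the problem. The fatal alert the client sends, certificate_unknown, is what an OpenSSL client raises for verification failures that have no more specific alert, a hostname mismatch among them, whereas a certificate issued by a CA the client does not hold is normally reported as unknown_ca. The --insecure option quoted above turns off only the hostname check, which is why it "fixes" the connection.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above: reproduce
# offline the two checks mosquitto_sub performs on the broker certificate.
#   1. chain check    : is server.crt signed by the CA given to --cafile?
#   2. hostname check : does the name passed to -h match the certificate
#                       (its SAN, or the CN as a fallback)? This is the
#                       check that --insecure turns off.
# BROKER_NAME and every file name are assumptions; the PKI is generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BROKER_NAME="broker.example.internal"   # assumed: what the remote client passes to -h

# Build a throwaway CA, a broker certificate for BROKER_NAME, and a second,
# unrelated CA that stands in for "the wrong ca.crt was copied to the client".
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test MQTT CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$BROKER_NAME" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # A SAN is added as well as the CN: newer TLS stacks ignore the CN entirely.
  printf 'subjectAltName=DNS:%s\n' "$BROKER_NAME" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 2 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
      -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Print the names a client compares against -h: the first thing to look at.
show_names() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# check_broker_cert CAFILE CERT HOSTNAME: the same chain + hostname
# verification the client does, via the CLI; returns 0 when a client
# configured with CAFILE and -h HOSTNAME would accept CERT.
check_broker_cert() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo "ok:   $2 chains to $1 and matches host '$3'"
  else
    echo "FAIL: $2 does not verify for host '$3' with CA $1"
    return 1
  fi
}

make_test_pki
show_names "$WORK/server.crt"
# The working case from the question: right CA, -h equal to the certificate name.
check_broker_cert "$WORK/ca.crt" "$WORK/server.crt" "$BROKER_NAME" || true
# A remote client still using -h localhost: the name does not match, so it fails.
check_broker_cert "$WORK/ca.crt" "$WORK/server.crt" "localhost" || true
# A remote client given a different ca.crt: the chain check fails.
check_broker_cert "$WORK/other.crt" "$WORK/server.crt" "$BROKER_NAME" || true
```

Against the live broker the same two checks can be run from the remote machine with `openssl s_client -connect BROKER:8883 -CAfile ca.crt -verify_hostname BROKER`, replacing BROKER with the exact name given to -h; the "Verify return code" line at the end names the failing check (62 is a hostname mismatch, 20 means the issuer CA is not in the file passed as -CAfile), which is more direct than reading the alert in an ssldump trace.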
