mqttwarn
TLS issues with mosquitto-2.0.18
I have seen this issue, but setting the value of tls_version in mqttwarn.ini doesn't solve it.
Both mosquitto and mqttwarn are in a single docker-compose.yaml. Using the mqttwarn-full:latest image.
For both ini values tls_version = 'tlsv1_1' and tls_version = 'tlsv1_2', the compose logs are the same:
mosquitto | 2024-02-08T13:35:14: mosquitto version 2.0.18 running
mqttwarn | 2024-02-08 13:35:15,659 INFO [mqttwarn.commands ] Starting mqttwarn
mqttwarn | 2024-02-08 13:35:15,660 INFO [mqttwarn.commands ] Log level is DEBUG
mqttwarn | 2024-02-08 13:35:15,660 DEBUG [mqttwarn.core ] Trying to load built-in service "file" from "file"
mqttwarn | 2024-02-08 13:35:15,664 DEBUG [mqttwarn.core ] Trying to load service "file" from file "/usr/local/lib/python3.11/site-packages/mqttwarn/services/file.py"
mqttwarn | 2024-02-08 13:35:15,665 INFO [mqttwarn.core ] Successfully loaded service "file"
mqttwarn | 2024-02-08 13:35:15,666 DEBUG [mqttwarn.core ] Trying to load built-in service "log" from "log"
mqttwarn | 2024-02-08 13:35:15,666 DEBUG [mqttwarn.core ] Trying to load service "log" from file "/usr/local/lib/python3.11/site-packages/mqttwarn/services/log.py"
mqttwarn | 2024-02-08 13:35:15,667 INFO [mqttwarn.core ] Successfully loaded service "log"
mqttwarn | 2024-02-08 13:35:15,668 DEBUG [mqttwarn.core ] Attempting connection to MQTT broker mosquitto:30123
mqttwarn | 2024-02-08 13:35:15,669 DEBUG [mqttwarn.core ] Setting LWT to /lwt/mqttwarn-mosquitto
mosquitto | 2024-02-08T13:35:15: Client connection from 172.25.0.3 failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version.
mqttwarn | 2024-02-08 13:35:15,678 INFO [mqttwarn.core ] Publishing status information to mqttwarn/$SYS
mqttwarn | 2024-02-08 13:35:15,680 WARNING [mqttwarn.core ] b'Broker connection lost. Will attempt to reconnect in 5s'
mqttwarn | 2024-02-08 13:35:15,680 DEBUG [mqttwarn.core ] Decoding JSON failed: Expecting value: line 1 column 1 (char 0). payload=Broker connection lost. Will attempt to reconnect in 5s
mqttwarn | 2024-02-08 13:35:15,681 DEBUG [mqttwarn.core ] Message on brokerdisconnected going to log:error
mqttwarn | 2024-02-08 13:35:15,681 DEBUG [mqttwarn.core ] New `log:error' job: brokerdisconnected
mqttwarn | 2024-02-08 13:35:15,682 DEBUG [mqttwarn.core ] Message on brokerdisconnected going to file:mqttwarn
mqttwarn | 2024-02-08 13:35:15,682 DEBUG [mqttwarn.core ] New `file:mqttwarn' job: brokerdisconnected
The mosquitto.conf is:
allow_anonymous false
password_file /mosquitto/config/mosquitto.passwd
persistence true
persistence_location /mosquitto/data
# MQTT over TLS
listener 30123 0.0.0.0
protocol mqtt
certfile /mosquitto/certs/fullchain.pem
keyfile /mosquitto/certs/privkey.pem
# MQTT over websocket with TLS
listener 30124 0.0.0.0
protocol websockets
certfile /mosquitto/certs/fullchain.pem
keyfile /mosquitto/certs/privkey.pem
It also makes no difference whether the value of protocol in mqttwarn.ini is 3 or 4.
What am I missing? Should I downgrade to pre-2 mosquitto?
Dear @tka85,
thanks a stack for reporting this flaw. You might have discovered a bug, which should be addressed properly.
To confirm: this is the error you are observing, regardless of how you adjust the value of the tls_version setting in mqttwarn.ini?
error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version.
With kind regards, Andreas.
That is correct.
The relevant code is this:
https://github.com/mqtt-tools/mqttwarn/blob/9d61fc59bca6cbee88d6b46f00de4076764cd0b0/mqttwarn/core.py#L661-L673
Can you try to edit it on your local installation, and report back how it goes when using tls_version=None instead, for example? Or isn't that possible, because you might be running mqttwarn as a container through Docker, Podman, Kubernetes, or friends?
NB: Ramping up a TLS-based environment takes a bit of effort, because the test sandbox of mqttwarn doesn't have it yet. That's why we try to offload as much of the debugging on this topic as possible to your end ;] and ask for your understanding about it. That being said, it would certainly be helpful to actually have a TLS-based integration test scenario. However, that will need corresponding enhancements to pytest-mqtt beforehand.
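The broker log above ("ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version") is emitted while Mosquitto reads the ClientHello, i.e. the handshake is aborted on the protocol version before any MQTT byte is exchanged. Mosquitto 2.0.18 linked against OpenSSL 3 will not complete a TLS 1.0/1.1 handshake at OpenSSL's default security level, so a client that pins itself to tlsv1_1 is refused no matter what the ini says about protocol 3 vs 4. The following is an added example (not mqttwarn's or Mosquitto's code, and not the core.py block linked above): it models the offered-version range for a pinned vs. an unpinned (tls_version=None) client against a constructed TLS 1.2+ broker, and builds the kind of SSLContext a client should use instead of pinning. The mapping table, the broker floor and the function names are assumptions made for the example.

```python
import ssl
from typing import Optional, Tuple

# Constructed stand-in for a Mosquitto 2.x listener on a modern OpenSSL:
# TLS 1.2 is the lowest version it will complete a handshake with
# (assumption for this example; the real floor depends on the broker's
# tls_version option and on the OpenSSL build it links against).
BROKER_MIN_VERSION = ssl.TLSVersion.TLSv1_2
BROKER_MAX_VERSION = ssl.TLSVersion.TLSv1_3

# Hypothetical mapping from ini-style tls_version strings (the report tried
# "tlsv1_1" and "tlsv1_2") to the single protocol version a pinning client
# would offer. Not mqttwarn's table, just the shape of the problem.
PINNED_VERSIONS = {
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv1_1": ssl.TLSVersion.TLSv1_1,
    "tlsv1_2": ssl.TLSVersion.TLSv1_2,
    "tlsv1_3": ssl.TLSVersion.TLSv1_3,
}


def client_offer_range(tls_version: Optional[str]) -> Tuple[ssl.TLSVersion, ssl.TLSVersion]:
    """Return the (lowest, highest) TLS version a client would offer.

    None means "do not pin": negotiate anything from TLS 1.2 up to TLS 1.3.
    A pinned name collapses the range to exactly that one version, which is
    what the ClientHello then advertises as its maximum.
    """
    if tls_version is None:
        return (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    pinned = PINNED_VERSIONS[tls_version.lower()]
    return (pinned, pinned)


def broker_accepts(tls_version: Optional[str]) -> bool:
    """True if the client's offered range overlaps the broker's range.

    No overlap is the situation behind "tlsv1 alert protocol version":
    the broker rejects the ClientHello instead of continuing the handshake.
    """
    low, high = client_offer_range(tls_version)
    return high >= BROKER_MIN_VERSION and low <= BROKER_MAX_VERSION


def make_client_context(cafile: Optional[str] = None,
                        minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Build the SSLContext a client should hand to paho-mqtt's tls_set_context().

    PROTOCOL_TLS_CLIENT turns on certificate verification and hostname checking
    and lets OpenSSL negotiate the highest mutually supported version; only the
    floor is fixed. This is the "tls_version=None, do not pin" approach.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    if cafile:
        ctx.load_verify_locations(cafile)      # e.g. the CA that signed fullchain.pem
    else:
        ctx.load_default_certs()               # system trust store
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the security-relevant context settings."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for setting in ("tlsv1_1", "tlsv1_2", None):
        low, high = client_offer_range(setting)
        verdict = "handshake proceeds" if broker_accepts(setting) else "protocol version alert"
        print(f"tls_version={setting!r}: offers {low.name}..{high.name} -> {verdict}")
    print(context_summary(make_client_context()))
```

A quick out-of-band check that needs no mqttwarn at all is `openssl s_client -connect mosquitto:30123 -tls1_1` versus `-tls1_2`: if the first fails with a protocol version alert and the second completes, the broker is behaving as expected and the fix belongs on the client side (stop pinning a legacy version). Note that `tls_insecure` only affects hostname and certificate verification, which happens after the version negotiation, so it cannot help with this particular alert.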
Yes, it's not possible. As mentioned initially, everything is running as Docker containers. Also, since that was some time ago, we opted to use another broker. The Mosquitto project was non-responsive, and we could not risk using a broker without any support (OS or otherwise).
Ah okay. What exactly are you referring to with "it's not possible"? You mean this isn't related to mqttwarn at all, and you can't connect to Mosquitto using TLS by any other means either?
Or did you edit the code, as suggested, and it still isn't working? By chance, did you try to toggle tls_insecure, to remedy any possible host name validation issues?
Or isn't that possible, because you might be running mqttwarn as a container through Docker, Podman, Kubernetes, or friends?
Yes, it's not possible.
Ah, right. Thanks!