mosquitto
All connections rejected if crlfile is used
I am using the latest (2.0.14) mosquitto version on debian 11.
I am using certificates for authentication and want to include a crl file.
This is my config /etc/mosquitto/conf.d/my.conf:
per_listener_settings true
listener 8883
bind_address 0.0.0.0
#bind_port = 8883
allow_anonymous false
cafile /etc/mosquitto/ca_certificates/ca.cert
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
require_certificate true
use_subject_as_username true
crlfile /etc/mosquitto/my-crlfile
When I try to send a message to the server I get these errors:
Client OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Server OpenSSL Error[0]: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
When I remove the crlfile line from the config everything works fine.
This is the content of /etc/mosquitto/my-crlfile
It does not contain any certificates so far; adding one ends up with the same result.
Checking via the openssl command line:
openssl verify -CRLfile ../MyOrg.crl -CAfile ../MyOrg-RootCA.crt -verbose my.cert
my.cert: OK
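A self-contained check, added here and not part of the issue or of mosquitto itself: it builds a throwaway CA, a client certificate and a CRL, then runs openssl verify with and without -crl_check. Plain `openssl verify -CRLfile ...` does not consult the CRL at all unless -crl_check is also given, so an "OK" from it does not show that the CRL would be accepted by a peer that enforces it, such as a broker configured with crlfile. The directory layout, file names and the minimal openssl ca config are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the issue or mosquitto): demo CA + client cert + CRL,
# then compare "openssl verify" results with and without -crl_check.
set -eu

# Build a demo CA, a client cert signed by it and an empty CRL in directory $1.
build_demo_pki() {
  mkdir -p "$1"
  ( cd "$1"
    # Minimal config so "openssl ca -gencrl/-revoke" can run (assumed layout).
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_md = sha256
default_crl_days = 30
EOF
    touch index.txt; echo 1000 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj /CN=Demo-CA -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj /CN=client1 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out client.crt -days 30 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null )
}

# Verify the client cert; $1 = PKI dir, $2 = "" or "-crl_check".
# Prints OK, REVOKED or FAIL depending on what openssl reports.
verify_client() {
  out=$(openssl verify ${2:-} -CAfile "$1/ca.crt" -CRLfile "$1/demo.crl" \
        "$1/client.crt" 2>&1) || true
  case $out in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo FAIL ;;
  esac
}

# Revoke the client cert and reissue the CRL so it now lists that serial.
revoke_client() {
  ( cd "$1" && openssl ca -config ca.cnf -revoke client.crt 2>/dev/null \
    && openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null )
}

PKI=$(mktemp -d)
build_demo_pki "$PKI"
echo "empty CRL, no -crl_check: $(verify_client "$PKI" "")"          # OK
echo "empty CRL, -crl_check:    $(verify_client "$PKI" -crl_check)"  # OK
revoke_client "$PKI"
echo "revoked, no -crl_check:   $(verify_client "$PKI" "")"          # OK (CRL ignored)
echo "revoked, -crl_check:      $(verify_client "$PKI" -crl_check)"  # REVOKED
```

The last two lines are the point: without -crl_check the revoked certificate still verifies, so when diagnosing a crlfile problem, repeat the openssl check with -crl_check against the exact CA file and CRL the broker loads.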
Thanks for the report. I haven't been able to reproduce this so far (on Ubuntu 22.04) - I'll see about trying it on Debian 11.