
Client authentication via client certificate seems to use SSL instead of TLS

Open nduhme opened this issue 5 years ago • 0 comments

Expected behavior

  • If the mqtt broker enforces TLS with client authentication via client certificates (two-way-handshake) and mqtt cli is connected with tls version specified as TLSv1.2 then the normal two-way-handshake should start with a TLSv1.2 "Client Hello" message
  • Client should be able to connect

Actual behavior

  • The communication starts with an SSL "Continuation Data" message
  • Server responds with "Client connection failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.", client is not able to connect

To Reproduce

Steps

  1. Set up system: mqtt broker set to enforce TLS with client authentication via client certificate and provide certificates to broker and client that should enable client to connect
  2. Try to connect to the broker using the command "con -se 100000 -i listener01 -p 8883 --cafile ca.crt --cert client.crt --key client.key --tls-version TLSv1.2"

Reproducer code

Details

  • Affected MQTT CLI version(s): 1.2.0
  • Used JVM version: 1.8.0_261 (Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.261-b12)
  • OS: Windows 10 10.0 amd64

Some more details: I have a mosquitto broker that enforces TLS with client authentication via client certificates. I created some simple self-signed certificates and tested the correct setup of this system with another mqtt client (MQTT.fx) and everything worked as expected - a connection is only possible when the correct client certificate is used. I then tried the same thing with mqtt-cli and was unable to connect. I got the error code 1408F10B from the broker. When I removed some restrictions from the broker and enforced TLS but did not enforce client authentication via client certificate I was able to connect from mqtt-cli to the broker. I used Wireshark to get some details on what happens while the client tries to connect and did the following tests:

1) Using mqtt client MQTT.fx - Client successful connection with client certificate

No | Time | Source | Destination | Protocol | Length | Info
--- | --- | --- | --- | --- | --- | ---
1 | 0.000000 | 127.0.0.1 | 127.0.0.1 | TCP | 108 | 53393 → 8883 [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM=1
2 | 0.000043 | 127.0.0.1 | 127.0.0.1 | TCP | 108 | 8883 → 53393 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM=1
3 | 0.000078 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53393 → 8883 [ACK] Seq=1 Ack=1 Win=2619648 Len=0
4 | 0.001964 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 282 | Client Hello
5 | 0.002027 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53393 [ACK] Seq=1 Ack=199 Win=2619648 Len=0
6 | 0.003706 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 2380 | Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
7 | 0.003758 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53393 → 8883 [ACK] Seq=199 Ack=2297 Win=2617344 Len=0
8 | 0.009369 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 1011 | Certificate, Client Key Exchange
9 | 0.009431 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53393 [ACK] Seq=2297 Ack=1126 Win=2618624 Len=0
10 | 0.015558 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 353 | Certificate Verify
11 | 0.015601 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53393 [ACK] Seq=2297 Ack=1395 Win=2618368 Len=0
12 | 0.015626 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 90 | Change Cipher Spec
13 | 0.015637 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53393 [ACK] Seq=2297 Ack=1401 Win=2618368 Len=0
14 | 0.015814 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 129 | Encrypted Handshake Message
15 | 0.015844 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53393 [ACK] Seq=2297 Ack=1446 Win=2618368 Len=0
16 | 0.015951 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 135 | Change Cipher Spec, Encrypted Handshake Message
17 | 0.015985 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53393 → 8883 [ACK] Seq=1446 Ack=2348 Win=2617344 Len=0
18 | 0.017382 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 141 | Application Data
19 | 0.017402 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53393 [ACK] Seq=2348 Ack=1503 Win=2618368 Len=0
20 | 0.017580 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 117 | Application Data
21 | 0.017603 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53393 → 8883 [ACK] Seq=1503 Ack=2381 Win=2617344 Len=0

As expected, the two-way handshake with protocol TLSv1.2 is performed and the connection is established. So there seems to be no problem with the certificates or the broker.

2) mqtt-cli - Connection not working

Connection command: "con -se 100000 -i listener01 -p 8883 --cafile ca.crt --cert client.crt --key client.key --tls-version TLSv1.2"

No | Time | Source | Destination | Protocol | Length | Info
--- | --- | --- | --- | --- | --- | ---
1 | 0.002832 | 127.0.0.1 | 127.0.0.1 | TCP | 108 | 53479 → 8883 [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM=1
2 | 0.002891 | 127.0.0.1 | 127.0.0.1 | TCP | 108 | 8883 → 53479 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM=1
3 | 0.002933 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53479 → 8883 [ACK] Seq=1 Ack=1 Win=2619648 Len=0
4 | 0.003502 | 127.0.0.1 | 127.0.0.1 | SSL | 114 | Continuation Data
5 | 0.003533 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53479 [ACK] Seq=1 Ack=31 Win=2619648 Len=0
6 | 0.004839 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53479 [RST, ACK] Seq=1 Ack=31 Win=0 Len=0

=> OpenSSL Error[0]: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I would expect a TLSv1.2 "Client Hello" here instead of SSL "Continuation Data".

3) mqtt-cli - Not sending the client certificate leads to expected rejection by the broker

Connection command: "con -se 100000 -i listener01 -p 8883 --cafile ca.crt --tls-version TLSv1.2"

No | Time | Source | Destination | Protocol | Length | Info
--- | --- | --- | --- | --- | --- | ---
1 | 0.002642 | 127.0.0.1 | 127.0.0.1 | TCP | 108 | 53480 → 8883 [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM=1
2 | 0.002739 | 127.0.0.1 | 127.0.0.1 | TCP | 108 | 8883 → 53480 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM=1
3 | 0.002873 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53480 → 8883 [ACK] Seq=1 Ack=1 Win=2619648 Len=0
4 | 0.004035 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 262 | Client Hello
5 | 0.004062 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53480 [ACK] Seq=1 Ack=179 Win=2619648 Len=0
6 | 0.004930 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 2380 | Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
7 | 0.004951 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53480 → 8883 [ACK] Seq=179 Ack=2297 Win=2617344 Len=0
8 | 0.011797 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 217 | Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
9 | 0.011826 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53480 [ACK] Seq=2297 Ack=312 Win=2619648 Len=0
10 | 0.011888 | 127.0.0.1 | 127.0.0.1 | TLSv1.2 | 91 | Alert (Level: Fatal, Description: Handshake Failure)
11 | 0.011909 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53480 → 8883 [ACK] Seq=312 Ack=2304 Win=2617344 Len=0
12 | 0.012254 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 53480 → 8883 [FIN, ACK] Seq=312 Ack=2304 Win=2617344 Len=0
13 | 0.012276 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53480 [ACK] Seq=2304 Ack=313 Win=2619648 Len=0
14 | 0.012672 | 127.0.0.1 | 127.0.0.1 | TCP | 84 | 8883 → 53480 [RST, ACK] Seq=2304 Ack=313 Win=0 Len=0

=> OpenSSL Error[0]: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

This error is expected because I did not provide a client certificate. Also, as expected, the communication starts with a TLS "Client Hello".

Conclusion: From what I can gather from these tests, there seems to be a problem with using the correct TLS protocol in mqtt-cli when using client authentication via client certificates. ... or maybe there is something wrong with my connection command?

nduhme, Jul 23 '20 09:07
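As an added diagnostic example (not part of the issue or of mqtt-cli), this Python script applies the 5-byte TLS record-header check behind OpenSSL's `wrong version number` error to two constructed byte strings: the opening of a TLSv1.2 Client Hello, and a plaintext MQTT 5 CONNECT built with the client id from the command above and `-se 100000` treated as a session expiry interval. The CONNECT packet is a hypothesis about what a non-TLS first packet could look like (its 30-byte size matches frame 4, 114 bytes against 84 for a bare ACK), not something the report confirms.

```python
import struct

# TLS record-layer content types and the legacy record versions a server accepts
# (RFC 5246 section 6.2.1; TLS 1.3 keeps the same 5-byte record header).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HANDSHAKE_CLIENT_HELLO = 0x01


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first bytes a TLS server reads from a fresh connection.

    OpenSSL's ssl3_get_record validates the record header before anything else:
    a first byte that is not a content type, or an unknown version field, is
    rejected with 'wrong version number', which is what the broker logged above.
    """
    if len(payload) < 6:
        return "too short to be a TLS record"
    content_type, version, length = struct.unpack("!BHH", payload[:5])
    if content_type not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return "not a TLS record (wrong version number)"
    kind = TLS_CONTENT_TYPES[content_type]
    if kind == "handshake" and payload[5] == HANDSHAKE_CLIENT_HELLO:
        return f"TLS Client Hello ({TLS_VERSIONS[version]} record, {length} bytes)"
    return f"TLS {kind} record ({TLS_VERSIONS[version]}, {length} bytes)"


def mqtt5_connect(client_id: str, session_expiry: int, keep_alive: int = 60) -> bytes:
    """Build a minimal plaintext MQTT 5 CONNECT packet (constructed for this example).

    Hypothesis only: if a client sent MQTT without a TLS handshake, a packet
    like this would reach the broker first. Only the Session Expiry Interval
    property and a clean-start session are set, so the remaining length fits one byte.
    """
    props = b"\x11" + struct.pack("!I", session_expiry)              # 0x11 = Session Expiry Interval
    var_header = b"\x00\x04MQTT" + b"\x05" + b"\x02" + struct.pack("!H", keep_alive)  # name, level 5, clean start
    var_header += bytes([len(props)]) + props
    payload = struct.pack("!H", len(client_id)) + client_id.encode("utf-8")
    body = var_header + payload
    if len(body) >= 128:
        raise ValueError("example supports a single-byte remaining length only")
    return b"\x10" + bytes([len(body)]) + body                      # 0x10 = CONNECT packet type


# Constructed sample: the opening of a TLSv1.2 Client Hello record
# (content type 0x16, record version 0x0303, record length 0xc6, handshake type 0x01).
CLIENT_HELLO_PREFIX = bytes.fromhex("16030300c6010000c20303") + bytes(32)

if __name__ == "__main__":
    print(classify_first_bytes(CLIENT_HELLO_PREFIX))
    connect = mqtt5_connect("listener01", 100000)   # client id and -se value from the report's command
    print(len(connect), "bytes:", classify_first_bytes(connect))
```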