Hi Roger

I tried to test the connection with mosquitto_sub as you suggested. When I invoked

  mosquitto_sub -t \$SYS/# -h <host> --cafile <file> --cert <file> --key <file>

I got the same "no certificate returned" error.
I upgraded to 1.0.4 and tried again:

1) removed all SSL configuration and restarted the broker. Now when I invoke

  mosquitto_sub -v -t \$SYS/#

it seems to be working fine.

2) added all SSL config, but with require_certificate false. Now when I invoke

  mosquitto_sub -d -v -t \$SYS/# --cafile etc/ca.crt

  Client mosqsub/2360-ip-10-114- sending CONNECT
  Error: The connection was lost.

and the mosquitto process is gone!

The complete log file shows

  mosquitto version 1.0.4 (build date 2012-10-18 02:25:54+0000) starting
  Opening ipv4 listen socket on port 1883.
  Opening ipv6 listen socket on port 1883.
  New connection from 127.0.0.1.

The relevant mosquitto.conf lines look like this

  # SSL listener
  listener 1883
  cafile /home/ubuntu/etc/ca.crt
  certfile /home/ubuntu/etc/server.crt
  keyfile /home/ubuntu/etc/server.key
  require_certificate false
  use_identity_as_username true
  max_connections -1

-----Original Message-----
From: mosquitto-users-bounces+sharon.ben-asher=avg....@lists.launchpad.net [mailto:mosquitto-users-bounces+sharon.ben-asher=avg....@lists.launchpad.net] On Behalf Of Roger Light
Sent: Sunday, October 21, 2012 11:28 PM
To: mosquitto-users@lists.launchpad.net
Subject: Re: [Mosquitto-users] SSL connection from Java client to mosquitto broker: "no certificate returned"

Dear Sharon,

> By the way, after tweaking kernel params, I was able to open 100K
> concurrent clients to one broker instance on a medium sized EC2
> machine. Good work, mosquitto!

That's great to hear! Thanks for letting me know.

> Now I am trying to set up a secured connection using SSL. I want to
> authenticate the client using a client certificate.
...
> I figured that the CA certificate is used for the client to
> authenticate the server, while the client key and certificate are used
> for the server to authenticate the client.

Yes, exactly. If require_certificate is false it's the same principle as used in web browsers.
Clients trust servers that have had their certificate signed by CAs whose CA cert the client has loaded. In web browsers there is typically a big list of CA certificates loaded of course, whereas there is no real need for that here (nothing to stop it of course). If require_certificate is true, the same thing happens in the opposite way as well - clients have to have certificates signed by the CA that the server trusts.

> So here is what I did on the Java side:

That all sounds plausible, but I've got no real experience of Java so it's difficult to comment on the details I'm afraid.

> When I do the connect, I get the following error from mosquitto
>
> OpenSSL Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

That's the same error I'd expect (and get through some testing) if the client isn't sending a client certificate. Have you tested your client certificate/key with mosquitto_sub? This should work:

  mosquitto_sub -t \$SYS/# -h <host> --cafile <file> --cert <file> --key <file>

And this should reproduce the above error:

  mosquitto_sub -t \$SYS/# -h <host> --cafile <file>

> SSLContext context = SSLContext.getInstance("SSLv3");

You should note that as it stands mosquitto only allows the use of the TLSv1 protocol so the above should fail. It ought to fail earlier on in the connection though, so I don't think it should contribute to your error. I presume you've patched to use SSLv3 instead. It should really be user configurable but as there isn't any need to be backwards compatible I didn't think allowing older versions was necessary.
Cheers,

Roger

--
Mailing list: https://launchpad.net/~mosquitto-users
Post to     : mosquitto-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mosquitto-users
More help   : https://help.launchpad.net/ListHelp