
TLS issues with mosquitto-2.0.18 #692

Open
tka85 opened this issue Feb 8, 2024 · 6 comments

Comments

@tka85

tka85 commented Feb 8, 2024

I have seen this issue, but setting the value of tls_version in mqttwarn.ini doesn't solve it.

Both mosquitto and mqttwarn are in a single docker-compose.yaml. Using the mqttwarn-full:latest image.

For both ini values tls_version = 'tlsv1_1' and tls_version = 'tlsv1_2', the compose logs are the same:

mosquitto  | 2024-02-08T13:35:14: mosquitto version 2.0.18 running
mqttwarn   | 2024-02-08 13:35:15,659 INFO     [mqttwarn.commands         ] Starting mqttwarn
mqttwarn   | 2024-02-08 13:35:15,660 INFO     [mqttwarn.commands         ] Log level is DEBUG
mqttwarn   | 2024-02-08 13:35:15,660 DEBUG    [mqttwarn.core             ] Trying to load built-in service "file" from "file"
mqttwarn   | 2024-02-08 13:35:15,664 DEBUG    [mqttwarn.core             ] Trying to load service "file" from file "/usr/local/lib/python3.11/site-packages/mqttwarn/services/file.py"
mqttwarn   | 2024-02-08 13:35:15,665 INFO     [mqttwarn.core             ] Successfully loaded service "file"
mqttwarn   | 2024-02-08 13:35:15,666 DEBUG    [mqttwarn.core             ] Trying to load built-in service "log" from "log"
mqttwarn   | 2024-02-08 13:35:15,666 DEBUG    [mqttwarn.core             ] Trying to load service "log" from file "/usr/local/lib/python3.11/site-packages/mqttwarn/services/log.py"
mqttwarn   | 2024-02-08 13:35:15,667 INFO     [mqttwarn.core             ] Successfully loaded service "log"
mqttwarn   | 2024-02-08 13:35:15,668 DEBUG    [mqttwarn.core             ] Attempting connection to MQTT broker mosquitto:30123
mqttwarn   | 2024-02-08 13:35:15,669 DEBUG    [mqttwarn.core             ] Setting LWT to /lwt/mqttwarn-mosquitto
mosquitto  | 2024-02-08T13:35:15: Client connection from 172.25.0.3 failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version.
mqttwarn   | 2024-02-08 13:35:15,678 INFO     [mqttwarn.core             ] Publishing status information to mqttwarn/$SYS
mqttwarn   | 2024-02-08 13:35:15,680 WARNING  [mqttwarn.core             ] b'Broker connection lost. Will attempt to reconnect in 5s'
mqttwarn   | 2024-02-08 13:35:15,680 DEBUG    [mqttwarn.core             ] Decoding JSON failed: Expecting value: line 1 column 1 (char 0). payload=Broker connection lost. Will attempt to reconnect in 5s
mqttwarn   | 2024-02-08 13:35:15,681 DEBUG    [mqttwarn.core             ] Message on brokerdisconnected going to log:error
mqttwarn   | 2024-02-08 13:35:15,681 DEBUG    [mqttwarn.core             ] New `log:error' job: brokerdisconnected
mqttwarn   | 2024-02-08 13:35:15,682 DEBUG    [mqttwarn.core             ] Message on brokerdisconnected going to file:mqttwarn
mqttwarn   | 2024-02-08 13:35:15,682 DEBUG    [mqttwarn.core             ] New `file:mqttwarn' job: brokerdisconnected

The mosquitto.conf is:

allow_anonymous false
password_file /mosquitto/config/mosquitto.passwd

persistence true
persistence_location /mosquitto/data

# MQTT over TLS
listener 30123 0.0.0.0
protocol mqtt
certfile /mosquitto/certs/fullchain.pem
keyfile /mosquitto/certs/privkey.pem

# MQTT over websocket with TLS
listener 30124 0.0.0.0
protocol websockets
certfile /mosquitto/certs/fullchain.pem
keyfile /mosquitto/certs/privkey.pem

It also makes no difference if in mqttwarn.ini the value of protocol is 3 or 4.

What am I missing? Should I downgrade to pre-2 mosquitto?

@amotl
Member

amotl commented Mar 27, 2024

Dear @tka85,

thanks a stack for reporting this flaw. You might have discovered a bug, which should be addressed properly.

To confirm: This is the error you are observing, regardless of how you adjust the value of the tls_version setting in mqttwarn.ini?

error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version.

With kind regards,
Andreas.

@tka85
Author

tka85 commented Mar 28, 2024

That is correct.

@amotl
Member

amotl commented Mar 28, 2024

The relevant code is this:

mqttwarn/mqttwarn/core.py

Lines 661 to 673 in 9d61fc5

    if cf.tls is True:
        mqttc.tls_set(cf.ca_certs, cf.certfile, cf.keyfile, tls_version=cf.tls_version, ciphers=None)

    if cf.tls_insecure:
        mqttc.tls_insecure_set(True)

    try:
        mqttc.connect(cf.hostname, int(cf.port), 60)
    except Exception:
        logger.exception("Cannot connect to MQTT broker at %s:%d" % (cf.hostname, int(cf.port)))
        # TODO: Review this.
        sys.exit(2)

Can you try to edit it on your local installation, and report back how it goes when using tls_version=None instead, for example? Or isn't that possible, because you might be running mqttwarn as a container through Docker, Podman, Kubernetes, or friends?

NB: Ramping up a TLS-based environment takes a bit of effort, because the test sandbox of mqttwarn doesn't have it, yet. That's why we try to offload as many debugging matters on this topic as possible to your end, ;] and ask for your understanding about it. That being said, it would certainly be helpful to actually have a TLS-based integration test scenario. However, that will need corresponding enhancements to pytest-mqtt beforehand.
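The broker log above ends in a "protocol version" alert while the listener is reading the ClientHello, which is what a TLS version mismatch between client and listener looks like: Mosquitto 2.x listeners accept TLS 1.2 and 1.3 unless their own tls_version option says otherwise, so a client pinned to tlsv1_1 can never finish the handshake. The block below is an added example, not mqttwarn's code and not from this thread. It takes the ini-style spellings from the report ('tlsv1_1', 'tlsv1_2'), checks a requested version against a TLS 1.2 floor before any connection is attempted, and builds the kind of verifying SSLContext a client should use instead of pinning a deprecated version. The names TLS_FLOOR, parse_tls_version, check_tls_version and build_client_context are assumptions made for this illustration; only the ssl module calls are real APIs.

```python
import ssl
from typing import Optional, Tuple

# Added example, not mqttwarn's own code. The helper names here are assumptions
# made for illustration; only the ssl module calls are real APIs.

# Mosquitto 2.x listeners accept TLS 1.2 and 1.3 unless tls_version is set
# otherwise, so a client pinned below this floor never completes the handshake.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2

# Spellings a user may put in an ini file, e.g. tls_version = 'tlsv1_2'.
_VERSION_NAMES = {
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv1_1": ssl.TLSVersion.TLSv1_1,
    "tlsv1_2": ssl.TLSVersion.TLSv1_2,
    "tlsv1_3": ssl.TLSVersion.TLSv1_3,
}


def parse_tls_version(value: Optional[str]) -> Optional[ssl.TLSVersion]:
    """Turn an ini-style tls_version string into ssl.TLSVersion.

    None or an empty string means "do not pin; let OpenSSL negotiate".
    Surrounding quotes are tolerated because ini parsers usually keep them.
    """
    if value is None:
        return None
    name = value.strip().strip("'\"").lower()
    if not name:
        return None
    if name not in _VERSION_NAMES:
        raise ValueError(f"unknown tls_version {value!r}; expected one of {sorted(_VERSION_NAMES)}")
    return _VERSION_NAMES[name]


def check_tls_version(value: Optional[str], floor: ssl.TLSVersion = TLS_FLOOR) -> Tuple[bool, str]:
    """Report whether a pinned version can succeed against a listener with the given floor."""
    pinned = parse_tls_version(value)
    if pinned is None:
        return True, "not pinned: client negotiates the highest version both sides support"
    if pinned < floor:  # TLSVersion is an IntEnum, so ordering works
        return False, (f"{pinned.name} is below the listener floor {floor.name}; "
                       "expect a 'protocol version' alert during the ClientHello")
    return True, f"{pinned.name} is accepted by the listener"


def build_client_context(ca_certs=None, certfile=None, keyfile=None,
                         tls_version=None, insecure=False) -> ssl.SSLContext:
    """Build the SSLContext a hardened MQTT client should use."""
    # PROTOCOL_TLS_CLIENT enables certificate and hostname verification by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLS_FLOOR
    ok, reason = check_tls_version(tls_version)
    if not ok:
        raise ValueError(reason)
    pinned = parse_tls_version(tls_version)
    if pinned is not None:
        ctx.minimum_version = pinned
        ctx.maximum_version = pinned
    if ca_certs:
        ctx.load_verify_locations(cafile=ca_certs)
    else:
        ctx.load_default_certs()
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if insecure:
        # Same effect as tls_insecure_set(True): the broker certificate and
        # its hostname are no longer checked, so only use this for debugging.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for value in ("'tlsv1_1'", "'tlsv1_2'", None):
        print(value, "->", check_tls_version(value))
    ctx = build_client_context()
    print("hardened client:", ctx.minimum_version.name, ctx.verify_mode.name, ctx.check_hostname)
```

With paho-mqtt the resulting context is handed to the client with mqttc.tls_set_context(ctx) rather than tls_set(..., tls_version=...); leaving the version unpinned lets the client and a Mosquitto 2.x listener settle on TLS 1.2 or 1.3 on their own. Toggling tls_insecure, as suggested in the thread, is worth doing only to confirm a hostname or chain problem, since it turns certificate verification off entirely.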

@tka85
Author

tka85 commented Mar 29, 2024

Yes, it's not possible. As mentioned initially, all is running as docker containers. And also, since that was some time ago, we opted to use another broker. The Mosquitto project was non-responsive, and we could not risk using a broker without any support (OS or otherwise).

@amotl
Member

amotl commented Mar 29, 2024

Ah okay. What exactly are you referring to with "it's not possible"? You mean this isn't related to mqttwarn at all, and you can't connect to Mosquitto using TLS by any other means either?

Or did you edit the code, as suggested, and it still isn't working? By chance, did you try to toggle tls_insecure, to remedy any eventual host name validation issues?

@amotl
Member

amotl commented Mar 29, 2024

Or isn't that possible, because you might be running mqttwarn as a container through Docker, Podman, Kubernetes, or friends?

Yes, it's not possible.

Ah, right. Thanks!
