I’m trying to debug a hostname check TLS issue.
I’m using Tortoise to connect to my MQTT broker hosted at HiveMQ Cloud using TLS. Everything is fine, until I try to set `verify: :verify_peer`. I’m completely lost, as I can connect from the Phoenix app to other brokers just fine, e.g. to test.mosquitto.org. Moreover, I can connect to my HiveMQ broker with TLS using `mosquitto_sub`, and supposedly it verifies the cert I’m passing to it using the `--cafile` option.
Here is an example config that works:
```shell
mosquitto_sub -v -h test.mosquitto.org -t "#" -p 8885 -u ro -P readonly --cafile ~/mosquitto_test/mosquitto.org.crt
```
```elixir
config :napos, :mqtt,
  server: {
    Tortoise311.Transport.SSL,
    # TODO: on prod we should remove verify_none and use the server's cert chain
    host: "test.mosquitto.org",
    port: 8885,
    cacertfile: "path/to/mosquitto.org.crt" |> String.to_charlist(),
    verify: :verify_peer
  },
  # ClientID needs to be unique!
  client_id: System.get_env("MQTT_CLIENTID", "random_string_just_to_avoid_collision"),
  user_name: "ro",
  password: "readonly",
  handler: {Napos.DeviceQueueHandler, []},
  subscriptions: [
    {"#", 1}
  ]
```
According to the Tortoise docs the `cacertfile` should be passed as a charlist, though it worked with a string as well for me.
The test.mosquitto.org cert can be downloaded from here, while the HiveMQ Cloud cert can be downloaded from here.
My HiveMQ config is exactly the same as above, only replacing the cert file, user, password, URL and port fields with their respective values for HiveMQ. The connection even with TLS works fine, until I try to remove `verify: :verify_none`, or set it to `verify: :verify_peer`. Then I get this:
```text
GenServer {Tortoise.Registry, {Tortoise.Connection, "serverkjbagskjbagbjklagbksajgbsalgfalfa"}} terminating
** (stop) {:tls_alert, {:handshake_failure, ~c"TLS client: In state certify at ssl_handshake.erl:2135 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}
```
From what I can tell reading the code, it simply passes all parameters to `:ssl.connect/4`, so seeing the hostname check failure, I tried to set `:sni` to the hostname of the broker, though I’m not sure I understand the `:ssl` docs on `:sni` correctly.
Right now I’m a bit stuck. As parts of what I need to do either work with another client on the same broker, or from the same app on another broker, I don’t really know where to look further, or how I could get more verbose info on what might be going wrong.
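The following is an added debugging example, not code from the post above and not part of Tortoise or Tortoise311. It takes the poster at their word that the transport options end up in `:ssl.connect/4`, and calls `:ssl` directly with the same option shape so the broker can be probed with Tortoise out of the loop. It also tests one assumption about the cause of `{bad_cert, hostname_check_failed}`: by default `:ssl` does not match wildcard certificates (`*.example.com`) against a hostname, and the usual fix is `customize_hostname_check` with `:public_key.pkix_verify_hostname_match_fun(:https)`. Whether the HiveMQ certificate is in fact a wildcard cert is not stated on the page, so `hostname_check/3` fetches the certificate and runs both matchers against the configured name. `log_level: :debug` is the ssl option (OTP 22 and later) that answers the "more verbose info" question. Hostnames, ports and the CA file path are placeholders.

```elixir
# Added debugging module for the hostname_check_failed problem. It is not
# code from the original post or from Tortoise/Tortoise311. All hostnames,
# ports and CA file paths are placeholders to be filled in by the caller.
defmodule MqttTlsProbe do
  # Transport options in the shape handed to :ssl.connect/4 (the same
  # keyword list that follows Tortoise311.Transport.SSL in the config).
  # `host` is a charlist, `cacertfile` the path to the broker's CA bundle.
  def ssl_opts(host, cacertfile) do
    [
      verify: :verify_peer,
      cacertfile: String.to_charlist(cacertfile),
      # :ssl derives SNI from the hostname, but setting it explicitly
      # guarantees the name sent in SNI is the name the certificate is
      # checked against.
      server_name_indication: host,
      # ASSUMPTION about the cause: the default hostname match in :ssl does
      # not accept wildcard certificates (*.example.com). The :https match
      # function applies RFC 6125 rules, so a wildcard cert issued for the
      # broker's parent domain verifies. Confirm with hostname_check/3.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Connect directly with :ssl, leaving Tortoise out of the loop.
  # `log_level: :debug` (ssl option, OTP 22+) makes the ssl application log
  # every handshake step, including the certificate path validation result.
  def probe(hostname, port, cacertfile, timeout \\ 5_000) do
    host = String.to_charlist(hostname)
    opts = ssl_opts(host, cacertfile) ++ [log_level: :debug]

    case :ssl.connect(host, port, opts, timeout) do
      {:ok, socket} ->
        {:ok, info} =
          :ssl.connection_information(socket, [:protocol, :selected_cipher_suite])

        :ssl.close(socket)
        {:ok, info}

      {:error, reason} ->
        # e.g. {:tls_alert, {:handshake_failure, ~c"...hostname_check_failed"}}
        {:error, reason}
    end
  end

  # Fetch the broker's leaf certificate and run the hostname check offline,
  # once with :ssl's default matcher and once with the :https matcher.
  # %{default_match: false, https_match: true} means the cert is a wildcard
  # cert and customize_hostname_check is the fix; false for both means the
  # name in the config simply is not in the certificate's SAN list.
  def hostname_check(hostname, port, cacertfile) do
    host = String.to_charlist(hostname)
    # verify_none here only so the certificate can be fetched even when
    # verification would fail; nothing is trusted from this connection.
    opts = ssl_opts(host, cacertfile) |> Keyword.put(:verify, :verify_none)

    with {:ok, socket} <- :ssl.connect(host, port, opts, 5_000),
         {:ok, der} <- :ssl.peercert(socket) do
      :ssl.close(socket)
      ref_ids = [dns_id: host]

      %{
        default_match: :public_key.pkix_verify_hostname(der, ref_ids),
        https_match:
          :public_key.pkix_verify_hostname(der, ref_ids,
            match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
          )
      }
    end
  end
end

# Usage (in `iex -S mix`; the HiveMQ host, port and CA path are placeholders):
#   MqttTlsProbe.probe("test.mosquitto.org", 8885, "path/to/mosquitto.org.crt")
#   MqttTlsProbe.hostname_check("<your-hivemq-host>", 8883, "path/to/hivemq-ca.pem")
#   MqttTlsProbe.probe("<your-hivemq-host>", 8883, "path/to/hivemq-ca.pem")
```

If `hostname_check/3` reports `default_match: false, https_match: true`, add the `customize_hostname_check:` entry (and, to be safe, `server_name_indication:` with the same charlist as `host:`) next to `cacertfile:` and `verify: :verify_peer` in the `server:` tuple. If both matchers return `false`, compare the `host:` value in the config with the names in the certificate; connecting by IP address or by a hostname that is not in the SAN list fails the check regardless of the matcher.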