
MQTT + TLS broke recently?

PostPosted: Sun Mar 19, 2017 12:36 am
by tjhowse
Hi all,

I've got an MQTT client connecting to a mosquitto server over TLS. I built firmware using nodemcu-build.com on 2017-01-04 and everything worked fine, using TLSv1.1. Now, with exactly the same modules selected, firmware built on 2017-03-19 causes SSL handshake errors upon connect.

With no TLS version forcing on the server, the old firmware connected with TLSv1.1. The new version attempts TLSv1.2. Forcing TLSv1.1 at the server with either firmware doesn't help matters.

I've debugged using openssl s_server with old and new firmwares, with no code changes whatsoever between 2017-01-04 and 2017-03-19 firmwares.

Any suggestions? The TLS implementation on the nodemcu has clearly changed in recent times, given that it now attempts a TLSv1.2 connection. It seems this has broken something.

Thanks in advance,
tjhowse.

Re: MQTT + TLS broke recently?

PostPosted: Tue Mar 21, 2017 2:38 am
by marcelstoer
This is at least related to https://github.com/nodemcu/nodemcu-firmware/issues/1699, I guess it's exactly the same.

Re: MQTT + TLS broke recently?

PostPosted: Tue Mar 21, 2017 5:14 am
by tjhowse
Perhaps, but they're reporting that the MQTT client sends no packets when attempting a secure connection. I'm seeing five unicast packets from the node attempting to initiate the TLS session, and an error logged by OpenSSL on the server:

ACCEPT
ERROR
shutting down SSL
CONNECTION CLOSED

Here's the entire conversation in wireshark. 192.168.1.100 is my server, 192.168.1.209 is the ESP8266.

Here's the same test, but running mosquitto on the server:

1490090932: New connection from 192.168.1.209 on port 8883.
1490090932: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1490090932: Socket error on client <unknown>, disconnecting.


If I revert to the 2017-01-04 firmware, the OpenSSL server establishes the TLSv1.1 tunnel and I get MQTT protocol data on my console. Running mosquitto, the ESP8266 establishes the connection and talks normally.

I tried removing the connect fail callback from the mqtt:connect call, and it didn't help.

For the record,

New, broken:

NodeMCU custom build by frightanic.com
branch: master
commit: b96e31477ca1e207aa1c0cdc334539b1f7d3a7f0
SSL: true
modules: adc,bit,cjson,crypto,file,gpio,i2c,mqtt,net,node,ow,tmr,uart,wifi,tls
build built on: 2017-03-19 04:07
powered by Lua 5.1.4 on SDK 2.0.0(656edbf)

Old, working:

NodeMCU custom build by frightanic.com
branch: master
commit: 81ec3665cb5fe68eb8596612485cc206b65659c9
SSL: true
modules: adc,bit,cjson,crypto,file,gpio,i2c,mqtt,net,node,ow,tmr,uart,wifi,tls
build built on: 2017-01-04 01:11
powered by Lua 5.1.4 on SDK 1.5.4.1(39cb9a32)

Thanks,
tjhowse.

Re: MQTT + TLS broke recently?

PostPosted: Tue Mar 21, 2017 8:08 am
by marcelstoer
tjhowse wrote: "The TLS implementation on the nodemcu has clearly changed in recent times"

Espressif switched to mbed TLS from axTLS with the 2.0 SDK.

You can send a request to https://www.howsmyssl.com/s/api.html using the NodeMCU net module to have it evaluated the SSL/TLS capabilities. Then you can compare the results with the SSL/TLS capabilities of your broker. Might be that cipher suites don't match? axTLS didn't support TLS1.2 IIRC but mbed TLS does.