Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

python paho mqtt client connection through ssl/tls giving an error

I am trying to connect my python paho mqtt client to my broker through tls using my own certificate authority. I generated necessary files and configured my RabbitMQ broker to use them. My idea is that the client authenticates the server but client itself doesn't need to be authenticated.

  • ca.cert.pem
  • cert.pem
  • key.pem

I know these should work correctly because I also have a scala paho mqtt client that works correctly.

Currently I am running the file directly from the terminal on my mac. I am using an virtuanenv created by python 3.5.2 and I have a file subscribe.py

import paho.mqtt.client as paho
import ssl

def on_message(clnt, userdata, msg):
    print(msg.topic+" "+str(msg.payload))

def on_connect(client, userdata, rc):
        print("Connected with result code "+str(rc))
        mqttc.subscribe("foo")

mqttc = paho.Client()
mqttc.on_message = on_message
mqttc.on_message = on_message
mqttc.tls_set("ca.cert.pem", tls_version=ssl.PROTOCOL_TLSv1_2)
mqttc.connect("address", 8883, 60)
mqttc.loop_forever()

When I run the file I receive the following error

ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:645)

I have also tried changing the tls_version to TLSv1_1, TLSv1 and leaving it out completely. ca.cert.pem is in the same folder as the subscribe.py file

The example on paho website seems very simple so what am I missing here? Why do I receive the error on my python client?

like image 339
sergei Avatar asked Oct 29 '22 21:10

sergei


1 Answers

Have you tried mosquitto clients? There are lots of possibility for the problem you have encountered, so best way to figured it out is trying another way.

mosquitto_sub -h address -p 8883 --cafile ca.cert.pem -t "#" -d -v

d flag is for debug messages, v flag is verbose mode.

If mosquitto client cannot connect with ca, you can try:

mosquitto_sub -h address -p 8883 --cafile ca.cert.pem -t "#" -d -v --insecure

The insecure flag will ignore CA checking for server. If add the insecure flag can make you connected, then maybe the CA is wrong. You can use openssl to debug it then.

like image 176
Asoul Avatar answered Nov 15 '22 06:11

Asoul