Can't connect to ssl websocket listener

Evaluating HiveMQ, I had no problem getting unprotected websockets working or setting up a TCP SSL listener.

However, very frustratingly, I can't get the SSL websockets listener to respond to any test tool, yet the HiveMQ startup messages look OK. Running on Ubuntu. Here are the startup messages; the config follows.

How can I debug what is happening?

Thx

Started HiveMQ Control Center in 3822ms
2021-01-29 04:33:47,826 INFO - Enabled protocols for Websocket Listener with TLS at address 0.0.0.0 and port 8000: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
2021-01-29 04:33:47,826 INFO - Enabled cipher suites for Websocket Listener with TLS at address 0.0.0.0 and port 8000: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
2021-01-29 04:33:47,871 INFO - Starting Websocket TLS listener on address 0.0.0.0 and port 8000
2021-01-29 04:33:48,264 INFO - Started Websocket Listener with TLS on address 0.0.0.0 and on port 8000
2021-01-29 04:33:48,272 INFO - Started HiveMQ in 96568ms

<?xml version="1.0"?>
<listeners>
    <tls-websocket-listener>
        <port>8000</port>
        <bind-address>0.0.0.0</bind-address>
        <path>/mqtt</path>
        <subprotocols>
            <subprotocol>mqttv3.1</subprotocol>
            <subprotocol>mqtt</subprotocol>
        </subprotocols>
        <allow-extensions>false</allow-extensions>
        <tls>
            <keystore>
                <path>/opt/hivemq/keys/my-keystore.jks</path>
                <password>my-password</password>
                <private-key-password>my-password</private-key-password>
            </keystore>
            <client-authentication-mode>NONE</client-authentication-mode>
        </tls>
    </tls-websocket-listener>
</listeners>

Hi @kimcameron,

Great to see that you are interested in secure IoT communication.

Did you inspect the output of the openssl s_client?

$> openssl s_client -connect <broker-address>:8000 -msg -debug

It is a great tool for troubleshooting SSL connections. A good tutorial can be found here.

Have a great day

Georg

Thanks very much @suroter - very good to learn about the tool. When run it validates the certificate and seems to be waiting for input, but I don’t know what to enter. After several seconds it closes.

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: F619530B8BFBBB4658E58AB1A2B8FEA37A5707E87C4A3D1AD60F687AF7CB49A5
Session-ID-ctx:
Resumption PSK: 190C8C3F98E65B741D111FDCF0880E4908FB61E88CD76D367A27DE89D881ABEE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - 2b 96 62 0b dc 4f 46 b4-31 ee ab 5a 18 2b 6c c6 +.b…OF.1…Z.+l.
0010 - db 85 78 22 c3 a4 d0 d4-ca 93 a6 f5 66 28 d0 1c …x"…f(…

Start Time: 1611920509
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK

( ************** several seconds pass *****************)

read from 0x55c22fa5b710 [0x55c22fa62843] (5 bytes => 5 (0x5))
0000 - 17 03 03 00 23 …#
<<< ??? [length 0005]
17 03 03 00 23
read from 0x55c22fa5b710 [0x55c22fa62848] (35 bytes => 35 (0x23))
0000 - d9 50 7a a8 bf e3 61 86-a5 16 6a 3c cf 39 10 19 .Pz…a…j<.9…
0010 - 7a a5 bb c8 2e 7c 7b fc-00 93 2b 8c 37 d9 43 f2 z…|{…+.7.C.
0020 - c1 c0 3e …>
<<< TLS 1.3 [length 0001]
15
<<< TLS 1.3, Alert [length 0002], warning close_notify
01 00
closed

I don’t see obvious errors but don’t know how to initiate the wss protocol conversation once TLS is achieved.

I’m using a GoDaddy wildcard certificate for *.itsourweb.org. The wildcard works on the TCP listener, but I’m wondering if the ssl-websockets listener is unable to accept it or if there is some other reason. How do I get to the logs on the HiveMQ server side?

Also, though the pictures show an “SSL” checkbox on the app, when I run the hivemq client at MQTT Websocket Client there is no such checkbox. How do I get it to connect via SSL?

Problem located: the ssl-websocket-listener does NOT work with wildcard certs such as *.itsourweb.org. I put in a regular cert from the same CA and all is well - I can connect from a client based on your websocket test api.

I would definitely call the issue with wildcard certs a bug. Please let me know if you agree. I would like to see it fixed for those of us who rely on them.

Also, as a newbie to your websocket implementation this cost me a LOT of time.

Thanks

Kim
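
The openssl s_client session above stops at the TLS layer: the "read R BLOCK" line is s_client waiting for the client side to send application data, and the close_notify alert a few seconds later is consistent with the broker closing a connection on which no HTTP request arrived. What a WebSocket client sends at that point is an HTTP/1.1 GET with the Upgrade headers from RFC 6455. The script below is an added example, not code from this thread or from HiveMQ; it performs that step itself over a certificate-verified TLS connection, using the `/mqtt` path and the `mqtt` subprotocol from the listener config, and checks the broker's reply (101 status, correct Sec-WebSocket-Accept, one of the offered subprotocols selected). The broker hostname is a placeholder you pass on the command line; the two sample responses at the bottom are constructed so the checker can be exercised offline. Because `ssl.create_default_context()` verifies the chain and matches the hostname (wildcard names included), a certificate problem surfaces as `ssl.SSLCertVerificationError` before any WebSocket step, which separates a TLS/certificate failure from a WebSocket-path or subprotocol failure.

```python
import base64
import hashlib
import os
import socket
import ssl
import sys

# Fixed GUID from RFC 6455, used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_key():
    """Random 16-byte nonce, base64-encoded, as required for Sec-WebSocket-Key."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key):
    """Value a conforming server must return in Sec-WebSocket-Accept for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host, port, path, key, subprotocols):
    """HTTP/1.1 GET asking the listener to switch this connection to WebSocket."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        # Offer the subprotocols the listener config lists; the broker picks one.
        f"Sec-WebSocket-Protocol: {', '.join(subprotocols)}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def check_upgrade_response(raw, key, subprotocols):
    """Validate the server's HTTP reply to the upgrade; returns (ok, explanation)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        return False, f"expected '101 Switching Protocols', got: {lines[0]!r}"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing or wrong Upgrade header"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "missing or wrong Connection header"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match our key"
    chosen = headers.get("sec-websocket-protocol")
    if chosen not in subprotocols:
        return False, f"broker did not select one of {subprotocols}: {chosen!r}"
    return True, f"WebSocket upgrade accepted, subprotocol {chosen!r}"


def probe_wss(host, port=8000, path="/mqtt", subprotocols=("mqtt",), timeout=5.0):
    """Open a verified TLS connection and attempt the WebSocket upgrade (network)."""
    # The default context verifies the chain and checks the hostname (wildcards
    # included), so a certificate problem raises before any HTTP is sent.
    ctx = ssl.create_default_context()
    key = make_key()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, port, path, key, subprotocols))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            return check_upgrade_response(raw, key, subprotocols)


# Constructed sample responses (not captured from a real broker) for an offline run.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # the example key from RFC 6455
SAMPLE_OK = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"Sec-WebSocket-Protocol: mqtt\r\n\r\n"
)
SAMPLE_WRONG_PATH = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python probe_wss.py broker.example.org  (placeholder hostname)
        print(probe_wss(sys.argv[1]))
    else:
        print(check_upgrade_response(SAMPLE_OK, SAMPLE_KEY, ("mqtt",)))
        print(check_upgrade_response(SAMPLE_WRONG_PATH, SAMPLE_KEY, ("mqtt",)))
```

Run with no arguments to see the checker accept the constructed 101 reply and reject the 404; run with the broker's hostname to probe the real listener. A 404 or other non-101 status from the real broker points at the path or the listener, a certificate error points at the TLS layer, and a 101 reply means the listener is fine and any remaining problem sits in the MQTT client itself.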

Hi @kimcameron,

We couldn’t reproduce the issue you are describing.
In general, websocket listeners work with wildcard certificates.

Kind regards,
Lukas

Since it is just a test certificate (though issued by GoDaddy), I can send it to you with the necessary key and cert files so you can try it at your end. It definitely did not work with the wss listener but did work with SSL TCP.