Unable to connect via SSL

Hello everybody,

This is my first post here, so let's see how it works out.

We are currently trying to switch from the Eclipse Paho MQTT client to the new HiveMQ client library (version 1.2).

For testing purposes we set up a local HiveMQ 4.4 broker with the SSL listener enabled on the standard port 8883, using a server-side JKS file as the "KeyStore".

We also have the corresponding client-side JKS file, which serves as the "TrustStore", with a defined password.

Using MQTT.fx locally we are able to connect via SSL with exactly this client-side JKS file and password without problems.

However, when trying to connect with the HiveMQ client, we keep getting this exception:

Could not connect...
com.hivemq.client.mqtt.exceptions.ConnectionFailedException: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 127.0.0.1 found
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 127.0.0.1 found
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
	...
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
	at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160)
	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:619)
	... 32 more

Here is our test code:

    import com.hivemq.client.mqtt.MqttClient;
    import com.hivemq.client.mqtt.mqtt3.Mqtt3AsyncClient;
    import com.hivemq.client.mqtt.mqtt3.message.connect.connack.Mqtt3ConnAck;
    import org.junit.jupiter.api.Test;

    import javax.net.ssl.TrustManagerFactory;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import java.util.UUID;
    import java.util.concurrent.ExecutionException;

    import static org.junit.jupiter.api.Assertions.assertNotNull;

    public class HiveMqSslConnectTest {

        @Test
        public void asyncConnectPublish() throws ExecutionException, InterruptedException, IOException, NoSuchAlgorithmException, KeyStoreException, CertificateException {

            final String jksPath = "C:\\Temp\\jks\\hivemq_ext\\hivemq.jks";

            final String jksPW = "***";

            // Load the client-side JKS that holds the broker certificate (the trust store).
            // try-with-resources closes the stream once the key store has been read.
            final KeyStore trustStore = KeyStore.getInstance("JKS");
            try (InputStream inputStream = new FileInputStream(new File(jksPath))) {
                trustStore.load(inputStream, jksPW.toCharArray());
            }

            // Build a TrustManagerFactory from that trust store; the client uses it to
            // validate the broker's certificate chain during the TLS handshake.
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            // serverHost is the value the TLS layer compares against the certificate's
            // subject alternative names (see the HostnameChecker frames in the trace above).
            final Mqtt3AsyncClient client = MqttClient.builder()
                    .identifier("myTestClient_" + UUID.randomUUID().toString().substring(0, 7))
                    .serverHost("127.0.0.1")
                    .serverPort(8883)
                    .sslConfig()
                        .trustManagerFactory(trustManagerFactory)
                        .applySslConfig()
                    .useMqttVersion3()
                    .buildAsync();

            final Mqtt3ConnAck mqtt3ConnAck = client.connectWith()
                    .simpleAuth()
                        .username("admin")
                        .password("***".getBytes())
                        .applySimpleAuth()
                    .send()
                    .whenComplete((connAck, throwable) -> {
                        if (throwable != null) {
                            // Handle connection failure
                            System.out.println("Could not connect...");
                            throwable.printStackTrace();
                        } else {
                            System.out.println("Mqtt Client connected.");
                            // Setup subscribes or start publishing
                        }
                    })
                    .get();

            assertNotNull(mqtt3ConnAck);
        }
    }

We are quite clueless as to what the problem could be, since this config works fine in MQTT.fx.
Any help would be greatly appreciated!

Thank you,
Johannes

We think we have found the issue.
The certificate was initially generated for a different hostname.
The Paho client does not care about it (it seems to use a different SSL implementation?).
The SSL library the HiveMQ client uses seems to check whether the broker hostname is the right one (from the certificate) and throws this error.

So we need dedicated certificates (and therefore JKS files) for each hostname/DNS name we want to connect to...
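The check that produces "No subject alternative names matching IP address 127.0.0.1 found" is the standard TLS hostname verification (RFC 6125 / RFC 2818 rules) that the JDK's HostnameChecker applies after the chain has been validated: an IP literal used as the host is compared only against iPAddress SAN entries, a DNS host only against dNSName entries (with the subject CN consulted solely when the certificate carries no dNSName at all), and MQTT.fx or Paho connecting fine says nothing about this because they may skip or relax that step. The following is an added example, not code from the original post or from the HiveMQ client, that reimplements those matching rules in Python over constructed SAN lists so the failure above and the certificate shapes that avoid it can be tried offline. The names broker.example.com, *.example.com and the IP 127.0.0.1 are assumptions chosen for the demo; a real verifier would read the SAN extension from the broker's certificate instead.

```python
import ipaddress


def _match_dns(host, pattern):
    """dNSName match per RFC 6125: case-insensitive, at most one wildcard,
    only as the complete left-most label, and a wildcard never spans a dot."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    labels = pattern.split(".")
    # Reject "b*r.example.com", "*.com" style patterns and a second wildcard.
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def _parse_ip(text):
    """Return an ip_address for an IP literal (v4 or v6), else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_identity(host, sans, subject_cn=None):
    """Decide whether `host` is an acceptable identity for a certificate.

    `sans` is a constructed list of (type, value) pairs, type "DNS" or "IP",
    standing in for the certificate's subjectAltName extension.
    Returns (ok, reason), with the reason worded like the JDK messages.
    """
    ip = _parse_ip(host)
    if ip is not None:
        # IP literals are matched against iPAddress entries only; there is
        # no CN fallback, which is exactly the error seen with 127.0.0.1.
        for typ, value in sans:
            if typ == "IP" and _parse_ip(value) == ip:
                return True, "iPAddress SAN %s matches" % value
        return False, "No subject alternative names matching IP address %s found" % host

    dns_sans = [value for typ, value in sans if typ == "DNS"]
    for value in dns_sans:
        if _match_dns(host, value):
            return True, "dNSName SAN %s matches" % value
    # The subject CN only counts when the certificate has no dNSName at all.
    if not dns_sans and subject_cn is not None and _match_dns(host, subject_cn):
        return True, "CN=%s matches (no dNSName SAN present)" % subject_cn
    return False, "No subject alternative DNS name matching %s found" % host


# Constructed scenarios (assumed names, not taken from a real certificate).
CERT_HOSTNAME_ONLY = [("DNS", "broker.example.com")]
CERT_WITH_IP = [("DNS", "broker.example.com"), ("IP", "127.0.0.1"), ("IP", "::1")]
CERT_WILDCARD = [("DNS", "*.example.com")]


def demo():
    """Run the scenarios and return {label: (ok, reason)}."""
    return {
        "127.0.0.1 vs DNS-only cert": check_identity("127.0.0.1", CERT_HOSTNAME_ONLY),
        "broker.example.com vs DNS-only cert": check_identity("broker.example.com", CERT_HOSTNAME_ONLY),
        "127.0.0.1 vs cert with IP SAN": check_identity("127.0.0.1", CERT_WITH_IP),
        "0:0:0:0:0:0:0:1 vs cert with IP SAN": check_identity("0:0:0:0:0:0:0:1", CERT_WITH_IP),
        "BROKER.example.com vs wildcard": check_identity("BROKER.example.com", CERT_WILDCARD),
        "a.b.example.com vs wildcard": check_identity("a.b.example.com", CERT_WILDCARD),
        "127.0.0.1 vs CN-only cert": check_identity("127.0.0.1", [], subject_cn="127.0.0.1"),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-40s %s  (%s)" % (label, "OK  " if ok else "FAIL", reason))
```

The third scenario is the one that matters for the post: one certificate whose SAN extension lists both the DNS name and the IP addresses a client may use (DNS:broker.example.com, IP:127.0.0.1, IP:::1) passes the check for all of them, and the JKS built from it can stay the same for each; the last scenario shows why putting 127.0.0.1 into the CN alone does not help, since IP literals are never matched against the CN.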