
I have a simple Mosquitto MQTT server running on a Raspberry Pi in my local network, and a Windows machine with a simple Java application in the Eclipse IDE. Everything works fine when I run the test application mosquitto_sub from the Windows machine:

mosquitto_sub -h 192.168.1.8 -t sensor --cafile c:\projects\certs\ca.crt --cert c:\projects\certs\client.crt --key c:\projects\certs\client.key -p 8884 -d -u b -P b

I get the exception below when I run my Java program:

MqttException (0) - javax.net.ssl.SSLHandshakeException: No subject alternative names present
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
    at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1460)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1368)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
    ... 1 more

Java program code:

package artifact_id;


import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileReader;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;

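/**
 * Minimal Paho MQTT client that connects to a broker over TLS with a client
 * certificate, subscribes to one topic and disconnects.
 *
 * <p>Trust is limited to the CA certificate loaded from disk; the client key
 * and certificate are presented to the broker for mutual authentication.
 */
public class TestMQTT2 {

    /**
     * Connects to the broker, subscribes once and disconnects. Any failure is
     * printed to stderr; the method never rethrows.
     *
     * @param args unused
     */
    public static void main(String[] args) {

        // The host part is an IP literal. The stack trace reported for this
        // program ends in HostnameChecker.matchIP, i.e. the JDK compares this
        // address with the subjectAltName entries of the broker certificate
        // and does not fall back to the CN. The broker certificate therefore
        // needs an IP-type SAN for this address (a DNS-type SAN holding the
        // dotted address is presumably not matched by matchIP - confirm).
        String serverUrl = "ssl://192.168.1.8:8884";

        String path = "C:\\projects\\certs\\";
        String caFilePath = path + "ca.crt";
        String clientCrtFilePath = path + "client.crt";
        String clientKeyFilePath = path + "client.key";
        // NOTE(review): test credentials embedded in source; a real
        // deployment should read them from configuration kept out of the
        // repository.
        String mqttUserName = "b";
        String mqttPassword = "b";

        try {
            MqttClient client = new MqttClient(serverUrl, "2");
            MqttConnectOptions options = new MqttConnectOptions();
            options.setUserName(mqttUserName);
            options.setPassword(mqttPassword.toCharArray());

            options.setConnectionTimeout(60);
            options.setKeepAliveInterval(60);
            options.setMqttVersion(MqttConnectOptions.MQTT_VERSION_3_1);

            // Empty key password: the private key file is expected to be
            // stored unencrypted, so it must be protected by file permissions.
            SSLSocketFactory socketFactory = getSocketFactory(caFilePath,
                    clientCrtFilePath, clientKeyFilePath, "");
            options.setSocketFactory(socketFactory);

            System.out.println("starting connect the server...");
            client.connect(options);
            System.out.println("connected!");
            Thread.sleep(1000);

            client.subscribe(
                    "/u/56ca327d17531d08e76bddd4a215e37f5fd6082f7442151c4d3f1d100a0ffd4e",
                    0);
            client.disconnect();
            System.out.println("disconnected!");

        } catch (Exception e) {
            // MqttException is an Exception too; both were only printed.
            e.printStackTrace();
        }

    }

    /**
     * Builds a TLS 1.2 socket factory that trusts a single CA certificate and
     * presents a client certificate with its private key.
     *
     * <p>The factory only fixes the trust anchor and the client identity. It
     * does not relax or replace the check of the server certificate against
     * the host being connected to.
     *
     * @param caCrtFile path to the PEM/DER CA certificate used as trust anchor
     * @param crtFile   path to the client certificate
     * @param keyFile   path to the PEM client private key
     * @param password  password of the private key; also used to protect the
     *                  in-memory key store entry (may be empty, not null)
     * @return socket factory backed by the loaded key and trust material
     * @throws Exception if a file cannot be read, holds no usable certificate
     *                   or key, or the TLS context cannot be initialised
     */
    private static SSLSocketFactory getSocketFactory(final String caCrtFile,
            final String crtFile, final String keyFile, final String password)
            throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert = readLastCertificate(cf, caCrtFile);
        X509Certificate cert = readLastCertificate(cf, crtFile);
        KeyPair key = readKeyPair(keyFile, password);

        // CA certificate is used to authenticate server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(caKs);

        // client key and certificates are sent to server so it can
        // authenticate us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(),
                new java.security.cert.Certificate[] { cert });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
                .getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // finally, create SSL socket factory
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return context.getSocketFactory();
    }

    /**
     * Reads every certificate in {@code file} and returns the last one, closing
     * the stream even when parsing fails.
     *
     * <p>NOTE(review): when the file holds several certificates only the last
     * is kept, as in the original loop; a bundle or chain file is not fully
     * honoured.
     */
    private static X509Certificate readLastCertificate(CertificateFactory cf,
            String file) throws Exception {
        X509Certificate last = null;
        try (BufferedInputStream in = new BufferedInputStream(
                new FileInputStream(file))) {
            while (in.available() > 0) {
                last = (X509Certificate) cf.generateCertificate(in);
            }
        }
        if (last == null) {
            // Fail here with the file name rather than later inside KeyStore.
            throw new java.security.cert.CertificateException(
                    "No X.509 certificate found in " + file);
        }
        return last;
    }

    /**
     * Reads the first PEM object in {@code keyFile} as an RSA/EC key pair,
     * decrypting it with {@code password} when the PEM block is encrypted.
     */
    private static KeyPair readKeyPair(String keyFile, String password)
            throws Exception {
        try (PEMParser pemParser = new PEMParser(new FileReader(keyFile))) {
            Object object = pemParser.readObject();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter()
                    .setProvider("BC");
            if (object instanceof PEMEncryptedKeyPair) {
                System.out.println("Encrypted key - we will use provided password");
                // The decryptor is only needed for an encrypted key.
                PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder()
                        .build(password.toCharArray());
                return converter.getKeyPair(((PEMEncryptedKeyPair) object)
                        .decryptKeyPair(decProv));
            }
            if (object instanceof PEMKeyPair) {
                System.out.println("Unencrypted key - no password needed");
                return converter.getKeyPair((PEMKeyPair) object);
            }
            // Empty file or another PEM type (for example a PKCS#8 block):
            // report it instead of failing with a ClassCastException.
            throw new IllegalArgumentException("Unsupported private key content in "
                    + keyFile + ": "
                    + (object == null ? "no PEM object" : object.getClass().getName()));
        }
    }


}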

I was using the same certificates as with mosquitto_sub.exe.

The certificates were generated on the server machine with the commands below:

# Root CA: passphrase-protected 2048-bit RSA key (-des3) and a self-signed
# certificate valid for 3650 days.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=LT/ST=Some-State/O=KPV/CN=192.168.1.8"
# Broker (server) key, written without a passphrase, and its signing request.
# The broker address appears only in the CN of the subject.
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key -subj "/C=LT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=192.168.1.8"
# NOTE(review): no -extfile/-extensions is given here, and the handshake dump
# further down shows the resulting server.crt as X.509 v1 with no extensions,
# so it carries no subjectAltName. A client that matches the address against
# SAN entries only (the Java client here) rejects it. Signing with an
# extension file passed via -extfile that contains
# "subjectAltName = IP:192.168.1.8" puts the address on the server
# certificate, which is where it is checked; the CA certificate is not
# matched against the host.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 720
# Client key (no passphrase), signing request and certificate for mutual TLS.
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key -subj "/C=LT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=192.168.1.103"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 720

It looks like I have a problem with the CN in the certificate, but how do I fix that, and why don't I have such a problem with the test application mosquitto_sub.exe?

UPD More debug before exception:

javax.net.ssl|INFO|0D|MQTT Con: 2|2020-01-07 17:44:03.059 EET|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.060 EET|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.060 EET|SessionTicketExtension.java:396|Stateless resumption not supported
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.060 EET|SSLExtensions.java:257|Ignore, context unavailable extension: session_ticket
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.061 EET|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.064 EET|ClientHello.java:652|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "1C 28 DD BE 41 96 3B 8F A6 22 7E CB 82 E2 0B 0E EF 76 40 6C D5 15 13 BF E0 7C AB 41 70 05 2B F1",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), 
TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=192.168.1.8
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1]
    }
  ]
}
)
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.070 EET|ServerHello.java:887|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "6E 73 51 92 10 7B F4 71 50 89 30 98 CB DC 33 27 EA 68 5D 31 94 21 CA D2 3C 1F 01 73 B9 3B 27 6C",
  "session id"          : "75 88 F5 E8 C1 D6 04 15 B6 9C BC 00 F8 01 97 5E B2 26 D9 72 CD EB D0 20 2F 11 33 10 F4 F9 70 56",
  "cipher suite"        : "TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.070 EET|SSLExtensions.java:170|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.070 EET|ServerHello.java:983|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.071 EET|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.071 EET|SSLExtensions.java:170|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.071 EET|SSLExtensions.java:170|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.071 EET|SSLExtensions.java:170|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:170|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:170|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:170|Ignore unavailable extension: session_ticket
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:204|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:204|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.072 EET|SSLExtensions.java:204|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.073 EET|SSLExtensions.java:204|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.073 EET|SSLExtensions.java:204|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.073 EET|SSLExtensions.java:204|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.073 EET|SSLExtensions.java:204|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.073 EET|SSLExtensions.java:204|Ignore unavailable extension: session_ticket
javax.net.ssl|WARNING|0D|MQTT Con: 2|2020-01-07 17:44:03.073 EET|SSLExtensions.java:212|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|0D|MQTT Con: 2|2020-01-07 17:44:03.079 EET|CertificateMessage.java:357|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v1",
    "serial number"      : "00 9B F1 5B 97 E0 29 8B C5",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=192.168.1.8, O=KPV, ST=Some-State, C=LT",
    "not before"         : "2020-01-07 14:55:40.000 EET",
    "not  after"         : "2021-12-27 14:55:40.000 EET",
    "subject"            : "CN=192.168.1.8, O=Internet Widgits Pty Ltd, ST=Some-State, C=LT",
    "subject public key" : "RSA"},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "00 97 DB 51 A5 2E 74 11 D5",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=192.168.1.8, O=KPV, ST=Some-State, C=LT",
    "not before"         : "2020-01-07 14:55:08.000 EET",
    "not  after"         : "2030-01-04 14:55:08.000 EET",
    "subject"            : "CN=192.168.1.8, O=KPV, ST=Some-State, C=LT",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: EE 78 20 C5 B4 0F 52 AE   10 78 6D 4F E6 F9 01 FC  .x ...R..xmO....
        0010: C5 FE 43 3A                                        ..C:
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: EE 78 20 C5 B4 0F 52 AE   10 78 6D 4F E6 F9 01 FC  .x ...R..xmO....
        0010: C5 FE 43 3A                                        ..C:
        ]
        ]
      }
    ]}
]
)

UPD

I added a SAN to my CA certificate, but I still get the same error:

*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: CN=192.168.1.8, O=Internet Widgits Pty Ltd, L=London, ST=Some-State, C=LT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 26919970067664277046938740179646593770595070258539214027906489317270223306613773873574865971989417280121938347002713257983436007635951198166738943346774588648713868326559124372172220920255122744458481363586362998906174514508772548930887656233482327964167952459414376684269324538787753885909740701792244833405807399341202234562923325267930504133404200586110018959746363653784682525123525070031800151860156030452288371417726351186685188182156815653674462798515566058503087254867011627827960607372111926413977520280936130030617572396272525859532888254937560715723226670006379354402328441621835955075995305208788762081261
  public exponent: 65537
  Validity: [From: Sat Jan 11 23:48:05 EET 2020,
               To: Fri Dec 31 23:48:05 EET 2021]
  Issuer: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=LT
  SerialNumber: [    ecd92b00 b3fb8404]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 10 F0 2D F7 A9 DE A8 8A   57 71 48 8E 32 CF E4 EC  ..-.....WqH.2...
0010: 6A 3B CD CB C9 85 31 72   15 75 DA 31 C6 43 28 F1  j;....1r.u.1.C(.
0020: 83 8B E2 4A A9 3E 61 CB   FE FD FB 29 17 2F 52 C4  ...J.>a....)./R.
0030: 78 0F 98 C4 B4 07 52 EA   5D DF 3C 0F E7 6B 40 D6  x.....R.].<..k@.
0040: 0D 49 30 09 86 95 12 45   4B 80 2F F0 88 E1 51 51  .I0....EK./...QQ
0050: C3 00 9B 3F AE 9D BD 60   C3 53 62 61 EC 27 6C 0A  ...?...`.Sba.'l.
0060: 9D 05 E1 C1 FE 47 1C C5   C2 73 E9 83 EB AC 40 35  .....G...s....@5
0070: AA DF 91 08 D1 1F 7C 88   D4 AA E4 0B 5E 76 96 C4  ............^v..
0080: 3F A4 D1 EC 0A FA 92 62   6D 4D 60 6E 09 C1 15 7A  ?......bmM`n...z
0090: EF 69 F8 D2 97 34 6B 85   17 DB EB E0 85 5B 65 A6  .i...4k......[e.
00A0: F9 DE 36 E3 2B 3E 6F 66   E4 8E CE C3 1B 03 35 A1  ..6.+>of......5.
00B0: 5F 69 23 7B E7 14 3C F4   55 76 A0 2A BE 2D D1 E5  _i#...<.Uv.*.-..
00C0: FB DD BB F8 35 53 74 36   03 1B BA 50 1D CE 05 9A  ....5St6...P....
00D0: CC 97 53 7A DD D8 6E 37   E7 F8 09 8A A2 6F 0D 33  ..Sz..n7.....o.3
00E0: 54 48 F3 8F EF E8 88 2C   08 AF A7 9B 36 4B A5 A1  TH.....,....6K..
00F0: B3 B3 59 BD 7D 4F 7F 2A   A8 9A F5 0C 47 7D 24 7A  ..Y..O.*....G.$z

]
chain [1] = [
[
  Version: V3
  Subject: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=LT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 31551203319810981527233108446277563899213631125603579886371381656574566442248231160813967318138442441980845850377045783621105463065795094893428617296088707718259604057777847574260781634181942686117058391728751388056270282953662924658304160145891369274665499267192236359779564085533171204924942738308750731046065622639002103867771100617956654808689710961525820799371720055164697637203950227358935150462633808444574452627369987264554040538022692854734546152796362958992623680453477746700586578324657604996075661091524016670709534134322927064318932802387986606076073044828169821618812887782445389598990772050583953284467
  public exponent: 65537
  Validity: [From: Sat Jan 11 23:47:58 EET 2020,
               To: Tue Jan 08 23:47:58 EET 2030]
  Issuer: CN=192.168.1.8, O=KKK, L=London, ST=Some-State, C=LT
  SerialNumber: [    8bc631cb f446d8a2]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: 192.168.1.8
  DNSName: glass
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 71 8F 65 90 D5 B3 74 DA   56 2F 11 B0 26 83 B1 D6  q.e...t.V/..&...
0010: 2A B7 3B B3 EC 00 C4 B5   97 94 72 7F 8F 8B 59 96  *.;.......r...Y.
0020: B0 B2 8D 09 6C 04 9D CE   A7 F6 C8 9B 4D FA 10 77  ....l.......M..w
0030: 73 57 61 C2 D3 02 00 98   AC AC 17 2E B2 94 24 BD  sWa...........$.
0040: 3E D0 F3 8F 65 36 DE 47   19 27 30 13 6D 8C 98 16  >...e6.G.'0.m...
0050: D5 31 B0 41 11 35 76 E4   B9 C8 5B F9 20 5C 2C BC  .1.A.5v...[. \,.
0060: 75 6C 2F 9D D2 5B BE 11   61 59 48 D6 75 37 60 A7  ul/..[..aYH.u7`.
0070: 24 79 DF C4 A5 BE 92 6F   C0 8F 2E F1 AC 41 71 07  $y.....o.....Aq.
0080: 95 6B C6 FA E1 B3 75 76   1D 35 1E 5E 8E 14 E4 D8  .k....uv.5.^....
0090: 33 46 9F B9 98 99 70 C2   8A E6 AF 6C E8 E7 71 71  3F....p....l..qq
00A0: 76 A5 9C 0E 47 F5 24 EC   45 3C 49 EC 3F 5F 81 BA  v...G.$.E<I.?_..
00B0: CD C6 C1 31 C2 CC 4D E5   CA 88 C8 34 85 91 51 A3  ...1..M....4..Q.
00C0: 6C CB 7E 69 12 1E B8 A7   EE 3B 67 D8 7D 4D 4E 6E  l..i.....;g..MNn
00D0: 05 BC F1 E6 BA 05 DF A9   99 6B 27 D8 62 CD C8 F6  .........k'.b...
00E0: BF 7D 0D 39 BD 54 86 ED   CE 99 D7 89 45 6F 65 4A  ...9.T......EoeJ
00F0: A3 C9 9A 69 EE 46 14 6E   EF 61 64 20 82 01 E8 A5  ...i.F.n.ad ....

]
***
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_GCM_SHA384]
MQTT Con: 2, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
MQTT Con: 2, WRITE: TLSv1.2 Alert, length = 2
MQTT Con: 2, called closeSocket()
MQTT Con: 2, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
MQTT Con: 2, called close()
MQTT Con: 2, called closeInternal(true)
MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1640)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
    ... 1 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:427)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:209)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1622)
    ... 10 more
vico
  • The error message states that *"No subject alternative names present"*. I would therefore expect that exactly this is the problem, i.e. that the subject is expected as SAN and not as (long obsolete) CN. This means you need to fix your certificates to include SAN. – Steffen Ullrich Jan 07 '20 at 17:19
  • Should I include SAN in my certificate? Is that required by server or by client library? Why test application `mosquitto_sub` works without problem? – vico Jan 07 '20 at 20:19
  • Validation of the server certificate is done by the client. It is a tricky topic what exactly counts as subject for validation but CN is generally (i.e. not specific to MQTT) considered obsolete in favor of the more flexible SAN. Still, some implementations accept CN and SAN while other require SAN and don't check CN. So you'd better use SAN in your certificate. – Steffen Ullrich Jan 07 '20 at 20:34
  • you have the CN set as 192.168.1.8. Try and use a hostname and add the host name with the IP in the hosts file of your OS – idan Jan 08 '20 at 11:26
  • @Steffen Ullrich , but how to add SAN with `openssl` ? – vico Jan 08 '20 at 18:38
  • @vico: There are lots of information out there on how to do this. Just search for [how to add SAN with openssl](https://www.google.com/search?q=how+to+add+SAN+with+openssl&oq=how+to+add+SAN+with+openssl). – Steffen Ullrich Jan 08 '20 at 18:42
  • I added SAN to my CA certificate, but still have same error. More details in UPD – vico Jan 11 '20 at 21:57
  • SAN belongs on the _server_ cert, NOT the _CA_ cert. Since you're using `x509 -req` for the EE certs, see https://security.stackexchange.com/questions/190905/subject-alternative-name-in-certificate-signing-request https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line https://stackoverflow.com/questions/43690647/requested-extensions-in-csr-not-being-reflected-in-crt and https://serverfault.com/questions/845806/how-to-generate-ssl-certificate-having-ca-keys (and links in some) – dave_thompson_085 Jan 12 '20 at 01:14
