
I'm trying to switch all my communication to a secure way, and the websocket is a really big deal for me.

I'm using mosquitto in the backend to serve data, and I want to handle wss connections. Unfortunately, all my connections failed with the

WebSocket connection to 'wss://192.168.x.PORT/mqtt' failed

Here is my mosquitto config file:

user daemon

#Standard port for encrypted MQTT
listener 8883
protocol mqtt
# cafile  /etc/mosquitto/tls/ca/ca.crt
# certfile /etc/mosquitto/tls/broker/broker.crt
# keyfile /etc/mosquitto/tls/broker/broker.key
# require_certificate true

#old port encrypted in case
listener 1883
protocol mqtt
# cafile  /etc/mosquitto/tls/ca/ca.crt
# certfile /etc/mosquitto/tls/broker/broker.crt
# keyfile /etc/mosquitto/tls/broker/broker.key
#require_certificate true

listener 9001
protocol websockets
cafile /etc/mosquitto/tls/m2mqtt_ca.crt
certfile /etc/mosquitto/tls/borker/m2mqtt_srv.crt
keyfile /etc/mosquitto/tls/borker/m2mqtt_srv.key
tls_version tlsv1.2
allow_anonymous true
require_certificate false

The browser connects to port 9001 and my local server that provides the data is connected on localhost:8883.

Here are the mosquitto logs:

1970-02-26_21:59:53.65784 4917593: mosquitto version 1.4.14 (build date 2021-12-16 14:48:43+0100) starting
1970-02-26_21:59:53.65949 4917593: Config loaded from /etc/mosquitto/mosquitto.conf.
1970-02-26_21:59:53.68685 4917593: Opening ipv4 listen socket on port 8883.
1970-02-26_21:59:53.69108 4917593: Opening ipv6 listen socket on port 8883.
1970-02-26_21:59:53.69356 4917593: Opening ipv4 listen socket on port 1883.
1970-02-26_21:59:53.69875 4917593: Opening ipv6 listen socket on port 1883.
1970-02-26_21:59:53.71940 4917593: Opening websockets listen socket on port 9001.
1970-02-26_22:00:08.62160 4917608: New connection from 127.0.0.1 on port 8883.
1970-02-26_22:00:08.63007 4917608: New client connected from 127.0.0.1 as butler (c1, k0).
1970-02-26_22:00:08.63265 4917608: Sending CONNACK to butler (0, 0)
1970-02-26_22:00:08.65672 4917608: Received SUBSCRIBE from butler
1970-02-26_22:00:08.65681 4917608:      butler/settings/set (QoS 0)
1970-02-26_22:00:08.65685 4917608: butler 0 butler/settings/set
1970-02-26_22:00:08.65688 4917608: Sending SUBACK to butler
1970-02-26_22:00:08.66205 4917608: Received PUBLISH from butler (d0, q0, r1, m0, 'butler/version', ... (7 bytes))
1970-02-26_22:00:08.69587 4917608: Received PUBLISH from butler (d0, q0, r0, m0, 'butler/settings', ... (573 bytes))
1970-02-26_22:00:09.19902 4917609: Received PUBLISH from butler (d0, q0, r0, m0, 'butler/settings', ... (28373 bytes))
1970-02-26_22:00:09.21120 4917609: Received PUBLISH from butler (d0, q0, r0, m0, 'butler/settings', ... (43 bytes))
1970-02-26_22:00:09.21305 4917609: Received PUBLISH from butler (d0, q0, r0, m0, 'butler/settings', ... (67 bytes))
1970-02-26_22:00:09.21504 4917609: Received PUBLISH from butler (d0, q0, r0, m0, 'butler/settings', ... (83 bytes))

Here is my JS code to connect to the websocket:

ClientImpl.prototype._doConnect = function(wsurl) {
    // When the socket is open, this client will send the CONNECT WireMessage using the saved parameters.
    this.connectOptions.useSSL = true;
    if (this.connectOptions.useSSL) {
        // Rewrite the scheme (ws -> wss); the host:port part is left untouched.
        var uriParts = wsurl.split(":");
        uriParts[0] = "wss";
        wsurl = uriParts.join(":");
    }
    this._wsuri = wsurl;
    this.connected = false;

    // Note: the browser WebSocket constructor only takes (url, protocols).
    // rejectUnauthorized is a Node.js "ws" library option; a browser ignores
    // this third argument and decides by itself whether to trust the server
    // certificate, so an untrusted certificate still fails the connection.
    const options = {
        rejectUnauthorized: false
    };

    if (this.connectOptions.mqttVersion < 4) {
        this.socket = new WebSocket(wsurl, ["mqttv3.1"], options);
    } else {
        this.socket = new WebSocket(wsurl, ["mqtt"], options);
    }
};

EDIT: I checked in Wireshark, the connection (SYN, ACK) does the job, but the client hello in TLS failed... Sorry, I can't convert it to text mode.

EDIT 2:

I worked on my problem and made a ws connection to mosquitto (I enabled the network.websocket.allowInsecureFromHTTPS parameter in Firefox) and it works! So I identified the problem: mosquitto doesn't activate wss... I changed the config file also.

How can I fix this? Thanks in advance!

  • Did it work before you added certificate options with just `ws://` (you will need to load the page via http not https to be able to connect via ws://). Also please do not post images of the logs, post the actual text, it's much easier to read and can be read by those that use screen readers. – hardillb Dec 16 '21 at 13:22
  • The logs don't even show anything trying to connect to port 9001. Are you sure the port is open in the firewall? – hardillb Dec 16 '21 at 13:24
  • This works with ws://, but my website is now behind a proxy for SSL (I use lighttpd) – Lilian Russo Dec 16 '21 at 14:04
  • I checked in netstat: tcp 0 0 (null):9001 (null):* LISTEN 1107/mosquitto – Lilian Russo Dec 16 '21 at 14:04

1 Answer

Remove the require_certificate true from the end of your mosquitto.conf file.

This option says that the client must present a certificate to identify itself, but it is VERY unlikely you have actually configured your browser with a client side certificate.

hardillb
  • I removed the line but I still have the main error (the mosquitto config file in my question has been updated too) – Lilian Russo Dec 16 '21 at 14:37
  • Then we need to see the logs for a failed connection. There is also probably an initial HTTP Upgrade request missing from the wireshark trace. – hardillb Dec 16 '21 at 14:38
  • Oh true! There is no upgrade request in the header (my old ws configuration had one). How can I add it? – Lilian Russo Dec 16 '21 at 14:41
  • You don't, the MQTT library (or actually the web browser) should do it as it's how WebSocket connections are bootstrapped. – hardillb Dec 16 '21 at 14:44
  • It's strange that my web app does the job and sets an upgrade header request but not with wss... I saw [this answer](https://stackoverflow.com/a/23404161) which is similar to mine, and my webapp runs with AngularJS; I'm wondering if I need to add a certificate in my websocket connection – Lilian Russo Dec 16 '21 at 14:55
  • I updated my question, now I know that TLS is not enabled in mosquitto. I built it from source with the option WITH_TLS=yes, so I don't know why it won't use TLS... – Lilian Russo Dec 17 '21 at 10:58
  • Mosquitto v1.4.14 is VERY VERY old, why are you building it yourself? Also this is most likely that the certificate in mosquitto doesn't have a matching SAN entry to the IP/DNS used to access it or the cert is not trusted by the browser. You will not get a warning to accept broken certs with websockets like you do with https. – hardillb Dec 17 '21 at 11:14
  • I work in a compilation environment (like yocto), so I need to build everything by myself (and for an ARM platform). Sorry, but what is the SAN entry? – Lilian Russo Dec 17 '21 at 11:37
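The two things this thread ends up pointing at, a SubjectAltName entry matching the address the browser dials and a listener that demands a client certificate (require_certificate true), can be checked from a shell with openssl. This is an added example, not code from the question, the answer or the Mosquitto project; it assumes openssl is on PATH, and every host name, port and file path in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the question or answer). Checks (1) whether a broker
# certificate carries a SubjectAltName entry for the address the browser uses,
# IP or DNS name, and (2) whether the wss listener asks for a client
# certificate, which a browser with no client cert cannot satisfy.
# Requires openssl on PATH; host names, ports and paths are assumptions.

# Return 0 when the cert's SAN list contains an exact entry for the target.
cert_matches_target() {
    cert="$1"; target="$2"
    case "$target" in
        *[!0-9.]*) entry="DNS:$target" ;;        # not digits/dots: a DNS name
        *)         entry="IP Address:$target" ;; # how x509 -text renders IP SANs
    esac
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "$entry"
}

# Fetch the certificate the live listener presents (port 9001 in the question)
# and run the same check against the address used to reach it. Returns 2 when
# no certificate could be fetched at all (TLS not active on that port).
listener_matches_target() {
    host="$1"; port="$2"; tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    cert_matches_target "$tmp" "$host"; rc=$?
    rm -f "$tmp"; return $rc
}

# Return 0 when the broker sends a CertificateRequest with its CA list, which
# s_client reports as the acceptable client certificate CA names.
listener_requests_client_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | grep -q 'Acceptable client certificate CA names'
}

# Constructed fixture: a self-signed cert whose SAN covers one name and one IP
# (the -addext flag needs OpenSSL 1.1.1 or newer).
make_test_cert() {
    dir="$1"; ip="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=broker.example" \
        -addext "subjectAltName=DNS:broker.example,IP:$ip" \
        -keyout "$dir/srv.key" -out "$dir/srv.crt" >/dev/null 2>&1
}
```

Run `listener_matches_target 192.168.x.y 9001` with the same address the browser uses; a mismatch, or a CA the browser has not been told to trust, both surface only as the bare "WebSocket connection failed" error since browsers show no certificate prompt for wss://.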