MQTT TLS connection

Question

I would like to connect a test MQTT-Client to my Node.js application as a MQTT-Broker. I am using the aedes library from moscajs

My MQTT-Client is the tool "MQTT-Explorer" and here is my Node.js application:

const fs = require('fs');
const aedes = require('aedes')();

const options = {
  key: fs.readFileSync('certs/server_key.pem'),
  cert: fs.readFileSync('certs/server_cert.pem'),
};

// const server = require('net').createServer(aedes.handle);
const server = require('tls').createServer(options, aedes.handle);

const PORT = 8881;

server.listen(PORT, () => {
  console.log(`server is up and running: PORT [${PORT}] - ID [${aedes.id}]`);
});

I can connect without any problems to PORT=1881 with const server = require('net').createServer(aedes.handle) and I also can connect to PORT=8881 with const server = require('tls').createServer(options, aedes.handle)

With the Tool xca-2.4.0.msi XCA 2.4.0 I have created a ca.pem CERTIFICATE File and a CERTIFICATE server_cert.pem and a server_key.pem PRIVATE KEY (signed from ca.pem) as a Server. The key for CA and the Server are different:

For my MQTT-Client, under ADVANCED, CERTIFICATES, SERVER CERTIFICAT (CA) I selected the ca.pem File. If I select "Encryption", it works. But if select "validate certificate", error: Hostname/IP does not match certificate's altnames: IP: 127.0.0.1 is not in the certs list

Unfortunately I don't know what I'm doing wrong, thanks in advance :(

Answer 1

MQTT Explorer is built using Node.js and the MQTT library MQTT.js. As per this issue:

Node.js requires the IP address to be in the subjectAltNames for the cert and not in the CN. Maybe MQTT.fx isn't requiring that, but it should.

and:

If your server's certificate says CN=localhost in the Subject field, connect using localhost and not 127.0.0.1 and it should work. If it says CN=127.0.0.1, you have to make a new one because Node.js won't validate the IP address unless it's in the SAN extension. There is a way to work around it in code (I think it's an option called checkServerIdentity), but I would prefer to fix my certificate if I had this problem.

A rationale for the approach taken in Node is set out in this answer which includes the following quote from RFC2818: HTTP Over TLS :

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

As you are using MQTT over TLS (as opposed to HTTP Over TLS) you could argue that the above does not apply but, given that the main use of the TLS library is for HTTP traffic, it makes sense that it confirms to the RFC by default.

You have a few options including:

• Use a hostname (e.g. localhost) rather then an IP when creating the certificate/connecting.
• Add the IP as a subjectAltName
• Modify the library to use a noop checkServerIdentity (see this answer).
• Use another application for testing (not really recommended as some applications will work and others will not). The issue quoted above mentions that MQTT.fx works.