TLS issue #448
Comments
Hi. How about trying the code below. 😄
Hi @leeway1208 yes, I did this ;) I tried to connect with the following settings (this is working with MQTT.js, for example). The connection fails in this test (with errSSLXCertChainInvalid = -9807, /* invalid certificate chain */):

```swift
import XCTest
import CocoaMQTT

// `host`, `Caller` and `wait_for` are helpers from the CocoaMQTT test target.
func settings(mqtt: CocoaMQTT) {
    mqtt.enableSSL = true
    mqtt.allowUntrustCACertificate = true
    mqtt.username = "admin"
    mqtt.password = "password"
    mqtt.keepAlive = 60
    mqtt.autoReconnect = false
}

func testConnect() {
    // Plain MQTT over TLS on 8883; this path uses CocoaAsyncSocket for TLS
    let mqtt = CocoaMQTT(clientID: "some-id",
                         host: host,
                         port: 8883)
    settings(mqtt: mqtt)
    let caller = Caller()
    mqtt.delegate = caller
    if !mqtt.connect() {
        XCTAssertTrue(false)
    }
    wait_for {
        caller.isConnected
    }
}
```

However, the same test with WebSockets is working:

```swift
func testConnectWSS() {
    // MQTT over WSS on 443; this path uses Starscream for TLS
    let websocket = CocoaMQTTWebSocket(uri: "/")
    let mqtt = CocoaMQTT(clientID: "some-id",
                         host: host,
                         port: 443,
                         socket: websocket)
    settings(mqtt: mqtt)
    let caller = Caller()
    mqtt.delegate = caller
    if !mqtt.connect() {
        XCTAssertTrue(false)
    }
    wait_for {
        caller.isConnected
    }
}
```

SSL is handled completely differently: the MQTT connection is using CocoaAsyncSocket and the WebSocket connection is using Starscream.
😄 hi @philipparndt Can you give me your host? I will test the connection. I just tried the host (https://test.mosquitto.org/) which is ok. Thanks~

😄 the host is on my local network with docker. I'll look at how I can host this temporarily on the internet and come back to you.
Hi @leeway1208 I have a server for you 😄 Try to connect to (no auth): mqtts://cocoamqtt.rnd7.de:8883

The websocket connection will work with CocoaMQTT, the MQTT connection fails with

When I do the same with another MQTT client (MQTT.js) both connections will work:

```javascript
import * as mqtt from "mqtt"

// Plain MQTT over TLS on 8883; MQTT.js validates the chain against the Node CA store
const client = mqtt.connect("mqtts://cocoamqtt.rnd7.de:8883")
client.on("connect", () => {
  console.log("connected")
  client.subscribe("#", (err) => { console.log(err, "subscribed") })
  client.subscribe("$SYS/#", (err) => { console.log(err, "subscribed") })
})
client.on("message", (topic, message) => { console.log(topic, message.toString()) })
```
@philipparndt Thanks~ I will test it in the next days. If I have some new ideas, I will share them with you.

@philipparndt I found that Apple no longer supports TLS 1.0 and TLS 1.1. These versions have been deprecated on Apple platforms as of iOS 15, iPadOS 15, macOS 12, watchOS 8, and tvOS 15, and support will be removed in future releases. Do you use these versions?
Hi @leeway1208 thanks for your ideas. I did some changes in the configuration and checked the connection with Wireshark. When the connection is done with the MQTT protocol, it uses the TLS 1.2 protocol with TLS version 1.2.

After this, the client responds with
Another breadcrumb: When I try to connect from the iPhone simulator using Apple's Network framework, the TLS handshake is successful. Example code:

```swift
import Foundation
import Network

// Create an outbound connection with the framework's default TLS configuration
let connection = NWConnection(host: "cocoamqtt.rnd7.de", port: 8883, using: .tls)
connection.stateUpdateHandler = { (newState) in
    // .ready means the TLS handshake completed with default chain validation
    print(newState)
}
connection.start(queue: DispatchQueue.global(qos: .userInitiated))
sleep(10)
```
Hi @leeway1208 okay I have a working demonstrator with Apple Network, that can connect to the server with the MQTT protocol 😄 |
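For anyone who wants to reproduce that demonstrator, here is an added example of the same idea; it is not the code from this thread or from CocoaMQTT. It opens an NWConnection with explicit TLS options (minimum TLS 1.2, SNI set, the framework's default chain validation left in place), then sends a hand-built MQTT 3.1.1 CONNECT packet and checks the CONNACK return code, so the test goes one step past the TLS handshake. The broker host is the one from this thread and may no longer be online; the client ID and timeout are arbitrary choices.

```swift
import Foundation
import Network

// Assumptions: the thread's test host (may be gone) and an arbitrary client ID.
let brokerHost = "cocoamqtt.rnd7.de"
let brokerPort: NWEndpoint.Port = 8883

/// MQTT length-prefixed UTF-8 string (two-byte big-endian length).
func mqttString(_ s: String) -> [UInt8] {
    let bytes = Array(s.utf8)
    return [UInt8(bytes.count >> 8), UInt8(bytes.count & 0xff)] + bytes
}

/// MQTT variable-length "remaining length" encoding (7 bits per byte, MSB = continue).
func remainingLength(_ length: Int) -> [UInt8] {
    var x = length
    var out: [UInt8] = []
    repeat {
        var digit = UInt8(x % 128)
        x /= 128
        if x > 0 { digit |= 0x80 }
        out.append(digit)
    } while x > 0
    return out
}

/// MQTT 3.1.1 CONNECT with clean session, no credentials and no will.
func connectPacket(clientID: String, keepAlive: UInt16) -> Data {
    var body = mqttString("MQTT")                            // protocol name
    body += [0x04]                                           // protocol level 4 = MQTT 3.1.1
    body += [0x02]                                           // connect flags: clean session
    body += [UInt8(keepAlive >> 8), UInt8(keepAlive & 0xff)] // keep alive, seconds
    body += mqttString(clientID)                             // payload: client identifier
    return Data([0x10] + remainingLength(body.count) + body) // 0x10 = CONNECT fixed header
}

/// Returns the CONNACK return code (0 = accepted) or nil if the bytes are not a CONNACK.
func connackReturnCode(_ data: Data) -> UInt8? {
    let b = [UInt8](data)
    guard b.count == 4, b[0] == 0x20, b[1] == 0x02 else { return nil }
    return b[3]
}

let tlsOptions = NWProtocolTLS.Options()
// Refuse TLS 1.0/1.1 outright instead of relying on platform deprecation.
sec_protocol_options_set_min_tls_protocol_version(tlsOptions.securityProtocolOptions, .TLSv12)
// Send SNI explicitly; a name-based ingress (e.g. Traefik) picks the certificate by it.
sec_protocol_options_set_tls_server_name(tlsOptions.securityProtocolOptions, brokerHost)
let connection = NWConnection(host: NWEndpoint.Host(brokerHost), port: brokerPort,
                              using: NWParameters(tls: tlsOptions))

let done = DispatchSemaphore(value: 0)
connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        // TLS handshake passed the system's chain validation; now speak MQTT.
        let packet = connectPacket(clientID: "nw-demo", keepAlive: 60)
        connection.send(content: packet, completion: .contentProcessed { sendError in
            if let sendError = sendError { print("send failed: \(sendError)"); done.signal(); return }
            // A CONNACK is exactly four bytes: 0x20 0x02 <flags> <return code>
            connection.receive(minimumIncompleteLength: 4, maximumLength: 4) { data, _, _, recvError in
                if let data = data, let rc = connackReturnCode(data) {
                    print(rc == 0 ? "CONNACK accepted" : "CONNACK refused, return code \(rc)")
                } else {
                    print("no CONNACK: \(String(describing: recvError))")
                }
                connection.cancel()
                done.signal()
            }
        })
    case .failed(let error):
        print("connection failed: \(error)")   // TCP and TLS errors land here
        done.signal()
    case .waiting(let error):
        print("waiting: \(error)")
    default:
        print(state)
    }
}
connection.start(queue: DispatchQueue.global(qos: .userInitiated))
_ = done.wait(timeout: .now() + 10)
```

Reading the CONNACK separates "the TLS handshake works" from "the broker accepts this client", which is the distinction the MQTT-over-TLS test above could not make once the socket layer rejected the chain.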
@philipparndt I tried to solve the connection problems with GCDAsyncSocket, but I haven't found a solution yet. The function

@philipparndt I downloaded four MQTT apps from the App Store, and they can't connect to the host (mqtts://cocoamqtt.rnd7.de) either. So I discussed this with my colleague and he provided some reference documents for us to see if there are any configuration issues: Enable SSL/TLS for EMQX MQTT broker (https://www.emqx.com/en/blog/emqx-server-ssl-tls-secure-connection-configuration-guide). Thanks
Hi @leeway1208, What apps did you test? I don't think that it is a configuration issue. Maybe the configuration is not supported by

This setup is pretty common when using Kubernetes (ingress controller). I think this will get used more and more and should be fixed/improved. I have now exchanged

I will continue developing this branch and remove

For your main branch I see the following options:
@philipparndt the testing app which I used below: If you have some new ideas. We can discuss more. |
MQTTAnalyzer is my App and is using CocoaMQTT 😉 I will come back to you when I have more. Currently, I implement connecting with client certificates. |
@philipparndt haha. I found a way to connect to the host. I wrote the sslSettings like this:
🎆🎆🎆

I can confirm this is working 👍

Hi @leeway1208, I've implemented the changes on this branch: philipparndt#1 do you like to have a look at it? While testing it I got some luck and saw some data races that are already reported by other users.
@philipparndt |
@leeway1208 |
@philipparndt Hi~~ Sorry, I can only start to work on this in May. But I can create an AppleNetwork branch for us first. haha
Issue description

Hi,
when using the MQTT protocol with TLS, there are some issues (with versions 2.x and 1.x).
Let's Encrypt certificates generated with Traefik are denied with
errSSLXCertChainInvalid = -9807, /* invalid certificate chain */
However, the same certificate works when connecting with WSS.
I did some debugging, and think the problem is somewhere in CocoaAsyncSocket, which comes with a lot of deprecated API calls. Did you already do some experiments with Apple's Network framework to get rid of the deprecated API and maybe of this issue?
This issue was originally reported here:
philipparndt/mqtt-analyzer#69
see philipparndt/mqtt-analyzer#69 (comment) for a comparison between MQTTS and WSS (MQTTAnalyzer is using CocoaMQTT)