I am trying to build a simple broker + pubsub client using TLS. My broker is an eclipse-mosquitto container and I am using Python for my clients. When I try to connect to my broker, I get this error:
Traceback (most recent call last):
  File "/home/kali/mqtt-broker/scripts/sub.py", line 27, in <module>
    client.connect( broker_address, 8883, 60 )
  File "/home/kali/.local/lib/python3.11/site-packages/paho/mqtt/client.py", line 914, in connect
    return self.reconnect()
           ^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/paho/mqtt/client.py", line 1073, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1002)
I really don’t understand it, and would like some clarifications. Here is my TLS setup:
My server certificate has 127.0.0.1 as its CN and SAN attribute:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
15:ce:ad:41:31:00:24:44:ed:81:2c:c0:76:61:ac:b0:10:b3:a6:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = BE, ST = Belgium, L = SaintGilles, O = OT Lab, OU = IOT, CN = Sophiane
Validity
Not Before: Jan 15 15:05:48 2024 GMT
Not After : Jan 14 15:05:48 2025 GMT
Subject: C = BE, ST = Belgium, L = Saint-Gilles, O = Internet Widgits Pty Ltd, CN = 127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:86:01:42:b3:51:30:ed:e3:00:5f:45:b6:b6:aa:
b3:5e:93:17:f7:de:03:c1:ea:51:e2:2c:0a:e9:77:
ab:f8:ea:2d:1c:a6:b5:48:61:1b:c2:02:d3:09:7c:
fb:c0:1a:7b:51:d7:85:cb:61:6f:46:35:24:a6:66:
ab:a6:3a:ac:bc:e3:f2:81:60:e9:1d:91:20:4e:b6:
2e:f9:e1:9b:1c:82:ac:a7:84:b7:64:80:d6:35:cf:
56:c4:e1:aa:ee:6f:91:e5:60:26:0d:fb:05:ac:f2:
9e:88:2a:eb:c5:19:e8:02:23:8a:e6:37:ed:ae:17:
22:96:65:3c:6e:b1:8f:04:6c:0e:6a:1d:13:8f:3d:
59:ae:d2:44:59:43:5a:fb:e1:c3:f1:5b:87:8f:4b:
0d:e9:99:b2:da:b3:0e:6a:30:8a:83:08:7d:99:b2:
37:4f:c1:12:e7:69:16:a3:f6:d1:92:6b:6d:c3:9a:
6d:c1:00:70:11:4a:0c:96:6f:74:32:75:2c:ac:12:
e9:15:d3:fa:16:cb:dc:6f:2f:14:88:dd:ec:81:b3:
7d:86:13:12:95:94:f9:42:14:b7:77:c1:b0:29:40:
25:00:d1:98:c9:0f:4e:a3:90:62:d7:b5:4f:3f:c0:
95:9f:91:77:75:ed:cf:a3:1a:0f:b9:71:99:d8:3c:
bb:7d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:127.0.0.1
X509v3 Subject Key Identifier:
59:0B:F4:7B:A2:0B:A0:54:9A:AA:2D:7C:FD:FE:1D:96:AC:23:C2:C1
X509v3 Authority Key Identifier:
BF:05:1E:B8:B6:36:62:31:97:5B:6E:A6:CB:07:FC:09:46:E5:5E:EB
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
33:01:ed:4f:c0:2d:5d:0d:65:aa:27:11:d9:f5:38:6f:04:8d:
0b:d9:2e:b9:dd:93:35:cc:df:0d:65:a9:d9:ca:2e:4c:5c:f1:
a7:54:5d:ac:3d:7b:21:f8:ff:e3:db:18:92:78:08:8d:a4:81:
aa:52:5e:68:cd:06:93:74:a9:70:9f:a9:48:fd:58:13:b9:a6:
0f:fd:12:ea:e8:42:a1:13:40:e0:c9:91:75:6b:9f:fb:31:a9:
9e:40:ce:79:56:b7:f0:03:cc:a5:f5:33:8b:f5:46:85:d7:e7:
82:93:e1:cf:f2:28:bd:e7:95:78:68:b2:8f:dc:80:e3:7f:b4:
21:59:0f:e8:6e:e4:cb:a4:2a:df:c0:85:d5:45:da:bb:67:a8:
75:30:81:38:19:66:76:87:5b:db:25:c9:cf:56:b5:75:31:1d:
2c:bd:f0:dd:eb:9f:c2:2d:68:77:12:5c:24:c2:de:1d:1c:4a:
de:99:c7:61:83:f1:43:69:a9:8f:a0:97:ae:96:e7:e1:a7:87:
1d:94:bd:c3:30:7e:4d:1f:69:2a:ee:d9:ae:09:6b:f4:3d:5c:
5a:a9:05:6d:95:40:85:e2:51:4b:5f:76:93:5b:cc:e8:98:9e:
a9:2c:8c:7e:a8:3d:32:f3:24:0b:56:8b:68:0a:46:42:69:34:
17:fa:e8:0e
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
My client certificate has a different CN than my CA certificate.
Here is my mosquitto.conf file:
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
allow_anonymous true
listener 8883 127.0.0.1
cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
tls_version tlsv1.2
And my docker-compose.yml file:
version: '3.5'
services:
  mosquitto:
    container_name: mos2-tls
    image: eclipse-mosquitto:latest
    volumes:
      - ./config:/mosquitto/config/
    ports:
      - '8883:8883'
    networks:
      - default
    restart: unless-stopped
networks:
  default:
Here’s my config folder tree:
└─$ tree .
.
├── config
│ ├── certs
│ │ ├── ca.crt
│ │ ├── server.crt
│ │ └── server.key
│ └── mosquitto.conf
└── docker-compose.yml
And finally here is my Python file that creates this error:
import paho.mqtt.client as mqtt
import ssl, time, inspect, os

broker_address = "127.0.0.1"
topic = "test"
ca_cert = "/home/kali/certs/ca.crt"
client1_cert = "/home/kali/certs/client.crt"
client1_key = "/home/kali/certs/client.key"

def on_message(client, userdata, message):
    print("message received ", str(message.payload.decode("utf-8")))
    print("message topic=", message.topic)
    print("message qos=", message.qos)
    print("message retain flag=", message.retain)

print("creating new instance")
client = mqtt.Client("mqttclient")   # paho-mqtt 1.x constructor (2.x requires a callback API version first)
print("connecting to broker")
# CA used to verify the broker, plus the client certificate/key for mutual TLS
client.tls_set(ca_cert, client1_cert, client1_key, tls_version=ssl.PROTOCOL_TLSv1_2)
client.tls_insecure_set(False)   # keep hostname/SAN verification of the broker certificate enabled
client.connect(broker_address, 8883, 60)
client.loop_start()
print("Subscribing to topic", topic)
client.on_message = on_message
client.subscribe(topic)
for i in range(1, 10):
    print("Publishing message to topic", topic)
    client.publish(topic, "Hello world from MQTT " + str(i))
    time.sleep(1)
client.loop_stop()
print("Goodbye!")
I looked online for common mistakes for this setup, and saw that Python looks for the SAN in the server certificate instead of the CN, but that didn’t work.
I also had the same CN for the CA and client certificate but that didn’t work either.
I followed some answer from stackoverflow and installed ndg-httpsclient, pyopenssl and pyasn1, but no success.
Always the same EOF error. I really am in the dark here, what should I do?
2 Answers
For anyone who has this issue: make sure your mosquitto service starts correctly. I tried using the mosquitto -c command to see the logs, and it said that the mosquitto user did not have permission to reach server.key.
Secondly, I replaced every mention of the localhost IP address with my host IP instead, so remote devices could reach the docker (as Brits said). This meant that I had to change the server.crt IP as well as remove the IP inside my mosquitto.conf.
This fixed my issue.
listener 8883 127.0.0.1
as per the docs re listener:
So you are binding to the loopback interface. As you are running this under Docker the result is that Mosquitto will not be accessible outside of the container itself (the loopback interface in the container is not the same as the host loopback interface). See this answer for more info.
Changing this to
listener 8883
will allow connections (I’m not guaranteeing this is your only issue!).
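The two answers point at two different root causes that paho reports with the same SSLEOFError: the broker failing to start (key file unreadable) and the listener being bound to the container's loopback so the published port has nothing behind it. The probe below, an added example that is not code from the question or either answer, dials the broker with the standard library's ssl module (the same context setup paho's tls_set performs), verifies the broker certificate against a CA file and the dialled host (Python matches an IP literal against an "IP Address" SAN entry, which is why the CN alone is not enough), and turns the exception into a named diagnosis. The start_hangup_server and unused_port helpers are constructed stand-ins for a peer that accepts TCP and then drops the connection, and for a port with no listener, so the question's error can be reproduced offline; the host, port and file paths in the demo are assumptions taken from the question's script.

```python
"""Pre-flight probe for an MQTT-over-TLS broker: separates the failure modes that
paho collapses into one SSLEOFError. Added example, not the question's code."""
import socket
import ssl
import threading
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    kind: str                                   # machine-readable diagnosis
    detail: str                                 # what to check next
    san: tuple = field(default_factory=tuple)   # subjectAltName entries on success


def classify_tls_failure(exc: BaseException) -> ProbeResult:
    """Map the exception raised by a failed TLS connect to a diagnosis."""
    if isinstance(exc, (FileNotFoundError, PermissionError)):
        return ProbeResult("client_files", f"client-side CA/cert/key file problem: {exc}")
    if isinstance(exc, ConnectionRefusedError):
        return ProbeResult("nothing_listening",
                           "TCP refused: nothing listens on that address/port (a broker bound to "
                           "the container's 127.0.0.1 is not reachable through a published port)")
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError)) or \
            (isinstance(exc, ssl.SSLError) and "EOF" in str(exc)):
        return ProbeResult("closed_during_handshake",
                           "TCP connected but the peer hung up before finishing the handshake: "
                           "e.g. Docker accepted on the host but nothing listens inside the "
                           "container, or the broker dropped the connection; read the broker log")
    if isinstance(exc, ssl.SSLCertVerificationError):      # subclass of SSLError, test first
        return ProbeResult("verification_failed",
                           f"broker certificate rejected by the client: {exc.verify_message} "
                           "(wrong CA file, or the SAN does not contain the host you dial)")
    if isinstance(exc, ssl.SSLError):
        return ProbeResult("tls_error", f"handshake failed: {exc}")
    if isinstance(exc, socket.timeout):
        return ProbeResult("timeout", "no reply in time (firewall or wrong port mapping)")
    return ProbeResult("other", repr(exc))


def probe_tls(host, port, cafile=None, certfile=None, keyfile=None, timeout=5.0):
    """Dial host:port, verify the broker cert against cafile (system store when None),
    optionally present a client cert, and report a ProbeResult instead of raising."""
    try:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # same floor as tls_version tlsv1.2
        if certfile:
            ctx.load_cert_chain(certfile, keyfile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname drives SAN matching; an IP literal must appear as an
            # "IP Address" SAN entry, exactly as in the question's server certificate.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                san = tuple(tls.getpeercert().get("subjectAltName", ()))
                return ProbeResult("ok", f"{tls.version()} established, broker cert verified", san)
    except Exception as exc:
        return classify_tls_failure(exc)


def start_hangup_server():
    """Constructed stand-in for a peer that accepts TCP and then closes without
    answering the ClientHello. Returns the loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(65536)        # swallow the ClientHello, then hang up cleanly
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Constructed: a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Reproduce the question's error offline, then probe the real broker with the
    # paths from the question's script (assumed to exist on the machine running this).
    print(probe_tls("127.0.0.1", start_hangup_server()))
    print(probe_tls("127.0.0.1", unused_port()))
    print(probe_tls("127.0.0.1", 8883, cafile="/home/kali/certs/ca.crt",
                    certfile="/home/kali/certs/client.crt", keyfile="/home/kali/certs/client.key"))
```

Run it before touching paho: "nothing_listening" means the fix is on the listener line, "closed_during_handshake" means the TCP path is fine and the broker log (the first answer's mosquitto -c check) is the next stop, and "verification_failed" points at the CA file or the SAN. Once the probe reports "ok", the san field shows the entries the broker actually presented, so a mismatch between the dialled address and the certificate is visible without reading an openssl dump.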