【IoT】SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2016-11-01 15:13
Error message
When installing and deploying mosquitto with TLS enabled for secure communication, the following error appeared when the client connected to the broker:
SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
What was done
First, /etc/mosquitto/mosquitto.conf was configured as follows (the procedure for generating the CA certificate, server certificate and key came from http://dataguild.org/?p=6866):
    listener 8883
    pid_file /var/run/mosquitto.pid
    persistence true
    persistence_location /var/lib/mosquitto/
    log_dest file /var/log/mosquitto.log
    cafile /etc/mosquitto/tls/ca.crt
    certfile /etc/mosquitto/tls/server.crt
    keyfile /etc/mosquitto/tls/server.key
    require_certificate true
Then start the broker:
    # mosquitto -c /etc/mosquitto/mosquitto.conf
Then, in another window, start a subscribing client:
    # mosquitto_sub -h 203.195.201.191 -p 8883 -t 'topic' --cafile /etc/mosquitto/tls2/ca.crt
    Error: A TLS error occurred.
The subscriber prints Error: A TLS error occurred., then disconnects and exits; on the broker side the log shows the error from the title, peer did not return a certificate.
Solution
I then looked at the require_certificate option in the configuration file and read its documentation:
    # By default a TLS enabled listener will operate in a similar fashion to a
    # https enabled web server, in that the server has a certificate signed by a CA
    # and the client will verify that it is a trusted certificate. The overall aim
    # is encryption of the network traffic. By setting require_certificate to true,
    # the client must provide a valid certificate in order for the network
    # connection to proceed. This allows access to the broker to be controlled
    # outside of the mechanisms provided by MQTT.
In short: with require_certificate set to true, the broker requires the client to present a trusted certificate when it connects. The mosquitto_sub command above only supplied the CA certificate used to verify the broker (--cafile), not a client certificate, which was most likely the problem. So I tried commenting out require_certificate, which makes it fall back to its default of false. After restarting, both pub and sub worked normally.
Hardening: device identity authentication
That resolved the error. However, this only encrypts the traffic; if the broker should also verify that a client is legitimate, each client device needs its own certificate.
1) First set require_certificate true and restart the broker.
2) Then issue a device certificate with the existing CA:
    openssl genrsa -des3 -out client.key 2048
    openssl req -out client.csr -key client.key -new
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
3) Once the pub/sub clients have their certificates, they can connect normally:
    mosquitto_sub -h your_host -p 8883 -t 'test' --cafile ca.crt --cert client.crt --key client.key
    mosquitto_pub -h your_host -p 8883 -t 'test' -m 'hello' --cafile ca.crt --cert client.crt --key client.key
With this, clients are authenticated first and then communicate over TLS.
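The two configurations in this post differ by a single option, and it is easy to lose track of whether a listener is merely encrypted or also authenticates clients. The following script is an added example (not code from the post or from the mosquitto project) that parses a mosquitto.conf fragment like the one above and classifies each explicit listener as plaintext, TLS encryption only (the interim fix, require_certificate commented out) or TLS with client certificate authentication (require_certificate true, the final setup). The option names are the real mosquitto options used in the post; the config texts inside the script are constructed for the example, and mosquitto's implicit default listener is deliberately not modelled.

```python
"""Classify mosquitto TLS listeners by what they actually enforce.

Added example, not code from the original post or from the mosquitto
project. For each explicit 'listener' block it reports whether the
listener is plaintext, TLS with encryption only, or TLS with client
certificate authentication (require_certificate true).
"""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Listener:
    port: int
    options: Dict[str, str] = field(default_factory=dict)


def parse_config(text: str) -> List[Listener]:
    """Collect the options that follow each 'listener <port>' line.

    Commented-out lines are skipped, so '#require_certificate true' counts
    as unset, exactly as in the post's interim fix. Options before the first
    'listener' line are global and ignored here.
    """
    listeners: List[Listener] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listener":
            current = Listener(port=int(value.split()[0]))
            listeners.append(current)
        elif current is not None:
            current.options[key] = value
    return listeners


def classify(listener: Listener) -> str:
    """Return 'plaintext', 'encrypt-only' or 'mutual-tls' for one listener."""
    opts = listener.options
    if not all(k in opts for k in ("certfile", "keyfile")):
        return "plaintext"
    # mosquitto reads the value as a boolean; only 'true' enables the check.
    if opts.get("require_certificate", "false").lower() == "true":
        return "mutual-tls"
    return "encrypt-only"


def audit(text: str) -> Dict[int, str]:
    """Map each listener port in a config text to its classification."""
    return {lst.port: classify(lst) for lst in parse_config(text)}


# Constructed from the post's configuration: encryption plus client
# certificate authentication, which rejects a client without --cert/--key.
POST_CONFIG = """\
listener 8883
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto.log
cafile /etc/mosquitto/tls/ca.crt
certfile /etc/mosquitto/tls/server.crt
keyfile /etc/mosquitto/tls/server.key
require_certificate true
"""

# The post's interim fix: require_certificate commented out, so the default
# (false) applies and any client that trusts the CA can connect.
ENCRYPT_ONLY_CONFIG = POST_CONFIG.replace(
    "require_certificate true", "#require_certificate true"
)

# Constructed: a plaintext listener added next to the TLS one.
MIXED_CONFIG = ENCRYPT_ONLY_CONFIG + "listener 1883\n"


if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG),
                      ("interim fix", ENCRYPT_ONLY_CONFIG),
                      ("mixed", MIXED_CONFIG)):
        print(f"{name}: {audit(cfg)}")
```

Running the script on the three fragments prints mutual-tls for the post's final configuration, encrypt-only for the version with require_certificate commented out, and flags the additional 1883 listener as plaintext; the same check can be run against a real mosquitto.conf read from disk.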