MQTT 5 over TLS with a self-signed certificate: MQTTX connects successfully, but Java fails with the same certificate.

Environment

  • EMQX version: 5.3.2
  • OS version: Windows 10

Steps to reproduce

1. OpenSSL certificate generation commands

```bat
set OPENSSL_CONF=openssl.cnf
set DAY_LENGTH=3650
REM CA: "req -x509" passes no -config, so it reads the file named by OPENSSL_CONF, including [ v3_ca ]
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days %DAY_LENGTH% -out ca.crt -extensions v3_ca
REM Server certificate, signed by the CA, with the subjectAltName from [ req_ext ]
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config %OPENSSL_CONF%
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days %DAY_LENGTH% -sha256 -extfile %OPENSSL_CONF% -extensions req_ext
REM Client certificate, same procedure
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -config %OPENSSL_CONF%
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days %DAY_LENGTH% -sha256 -extfile %OPENSSL_CONF% -extensions req_ext
```
openssl.cnf configuration file

```ini
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext

# With prompt = no, every entry below becomes a subject attribute. The CA, server and client
# certificates are all generated from this one section, so all three get the same subject DN
# and the issuer name of the server and client certificates equals their own subject name.
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = ShangHai
localityName = ShangHai
organizationName = zhuodao
commonName = zhuodao
# "CN" is OpenSSL's short name for commonName, so this line adds a second CN attribute;
# the address is already covered by the subjectAltName below, which is what TLS clients match on.
CN = 192.168.1.21

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.1.21

[ v3_ca ]
subjectAltName = @alt_names
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
```

2. EMQX SSL configuration

3. MQTTX test

   MQTTX test result

4. Java code

   SSLUtils code

   Program output:

```text
Exception in thread "main" java.lang.RuntimeException: Untranslated MqttException - RC: 0 (0) - java.net.SocketException: Software caused connection abort: socket write error
    at org.example.mqttV5SSL.main(mqttV5SSL.java:56)
Caused by: Untranslated MqttException - RC: 0 (0) - java.net.SocketException: Software caused connection abort: socket write error
```

   MQTT broker log:

```text
In state certify at ssl_handshake.erl:2109 generated SERVER ALERT: Fatal - Bad Certificate
supervisor: {esockd_connection_sup,<0.5959.0>}, errorContext: ssl_error, reason: {tls_alert,{bad_certificate,"TLS server: In state certify at ssl_handshake.erl:2109 generated SERVER ALERT: Fatal - Bad Certificate\n"}}, offender: [{pid,<0.5959.0>},{name,connection},{mfargs,{emqx_connection,start_link,[#{enable_authn => true,limiter => undefined,listener => {ssl,ssl2},zone => default}]}}]
```

Expected behavior

Actual behavior

Sorry, I am not very familiar with Java code. Could you capture the whole TLS handshake so we can take a look?

Judging from the EMQX log, it is very likely that the certificate supplied by the client is not right. You could turn off "verify client certificate" on the EMQX listener first and compare the results.

Solved, it was a certificate problem.
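A JDK-only way to build the client-side SSLSocketFactory for mutual TLS against EMQX from the ca.crt, client.crt and client.key generated above, added here as an example and not the poster's SSLUtils code; it assumes the private key is in unencrypted PKCS#8 form (file name client.pk8 and the keystore password are assumptions) and performs up front the check that the broker otherwise reports only as "Bad Certificate", namely that client.crt is really signed by ca.crt.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import javax.net.ssl.*;

public final class MqttTlsFactory {
    // Loads one PEM certificate (ca.crt or client.crt) with the JDK's X.509 factory.
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // Loads an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY"); a PKCS#1 key ("BEGIN RSA PRIVATE KEY") from an
    // older openssl genrsa must be converted first: openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pk8
    static PrivateKey loadPkcs8Key(String path) throws Exception {
        String b64 = new String(Files.readAllBytes(Paths.get(path)), java.nio.charset.StandardCharsets.US_ASCII)
                .replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
        byte[] der = java.util.Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new java.security.spec.PKCS8EncodedKeySpec(der));
    }
    // Empty in-memory keystore; nothing is written to disk.
    static KeyStore emptyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        return ks;
    }
    public static SSLSocketFactory build(String caPem, String clientPem, String clientPk8) throws Exception {
        X509Certificate ca = loadCert(caPem);
        X509Certificate client = loadCert(clientPem);
        // Fail locally with a clear message instead of an opaque "Bad Certificate" alert from the broker:
        // ca.crt must carry CA:TRUE and client.crt must really have been signed by that CA.
        if (ca.getBasicConstraints() < 0) throw new IllegalStateException("ca.crt is not a CA certificate");
        client.verify(ca.getPublicKey()); // throws SignatureException if client.crt was not issued by ca.crt
        KeyStore trust = emptyStore();
        trust.setCertificateEntry("emqx-ca", ca); // trust only our own CA when checking the broker's certificate
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyStore identity = emptyStore();
        char[] pw = "changeit".toCharArray(); // assumed value; guards only this in-memory entry
        identity.setKeyEntry("client", loadPkcs8Key(clientPk8), pw, new Certificate[]{client, ca});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

Pass the returned factory to the Paho client's connection options via setSocketFactory; if `client.verify` throws, the certificate files are the problem and no amount of Java-side changes will get past the broker's verify_peer check.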