TLS connection to local Mosquitto stop working (mbedTLS error: -0x7780)

Filippo_Balestrini · September 15, 2021, 8:42am

Dear All,
Few days ago the TLS connection to my local Mosquitto MQTT broker stop working (mbedTLS error: -0x7780) and now all my Mongoose OS based devices are not connected anymore.

Did someone face the same issue? Do you have any idea or suggestion on how to investigate and fix the connection issue?

This is my WEMOS D1 Mini board yml configuration:

config_schema: 
  - ["mqtt.enable", true]
  - ["mqtt.user", "<my_username>"]
  - ["mqtt.pass", "<my_password>"]
  - ["mqtt.server", "<my_loacal_IP_address>:8883"]
  - ["mqtt.ssl_ca_cert", "ca.pem"]

This is the error log of my WEMOS D1 Mini board:

[Sep 15 08:54:05.996] mgos_mqtt_conn.c:471    MQTT0 connecting to 192.168.1.254:8883
[Sep 15 08:54:06.020] mongoose.c:4912         0x3fff1574 is a fatal alert message (msg 40)
[Sep 15 08:54:06.025] mongoose.c:4912         0x3fff1574 mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
[Sep 15 08:54:06.034] mongoose.c:4912         0x3fff1574 mbedtls_ssl_read_record() returned -30592 (-0x7780)
[Sep 15 08:54:06.040] mongoose.c:5088         0x3fff1574 mbedTLS error: -0x7780
[Sep 15 08:54:06.050] mgos_mqtt_conn.c:229    MQTT0 TCP connect error (-3)
[Sep 15 08:54:06.050] mgos_mqtt_conn.c:256    MQTT0 Disconnect

This is the error log of my local Mosquitto MQTT broker:

1631689879: New connection from 192.168.1.15 on port 8883.
1631689879: OpenSSL Error[0]: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
1631689879: Socket error on client <unknown>, disconnecting.

I would like to fix this as soon as possible because my home-automation based on Mongoose OS is now completely broken.

I thank you in advance for the support.

nliviu · September 15, 2021, 1:31pm

Can you connect with mosquitto_pub or mosquitto_sub?

scaprile · September 15, 2021, 2:39pm

In addition to Liviu’s recommendation (which is a must), you should sniff your network with Wireshark (for example) and see if TCP connection establishes, then if and why TLS handhshake establishes or fails, and check your mosquitto installation for possible upgrades and unsupported encryption schemes. These microcontroller based embedded systems usually can only handle a reduced subset of ECDH-based algorithms.

Dmitry_Gavrovsky · October 6, 2021, 8:35am

Possibly you used letsencrypt provided certificates. I’ve heard that few days ago some of it’s intermediate certificates expired. I was pushed to regenerate certificates myself and now having similar issue: “The certificate is not correctly signed by the trusted CA”, however bunch of tasmota powered devices are able to successfuly connect and work properly. As well and one of my esp-idf devices.

nliviu · October 6, 2021, 6:41pm

Letsencrypt root certificate has expired.

Dmitry_Gavrovsky · October 11, 2021, 9:00am

I can’t get it to work. Everyone except mongoose os powered devices working perfectly, but on mongoose os i’m constantly getting:

[Oct 11 11:59:11.868] mongoose.c:4912         0x3fff6ddc ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Oct 11 11:59:12.459] mongoose.c:4912         0x3fff6ddc x509_verify_cert returned -9984
[Oct 11 11:59:12.465] mongoose.c:4912         0x3fff6ddc   The certificate is not correctly signed by the trusted CA

I used exactly same CA certificate i used on other devices. Please help!

scaprile · October 11, 2021, 5:47pm

That is a mbedTLS error, it is not being able to validate the certificate signature, and since you generated your certificate, you should try a different ciphersuite. That very same message is usually followed by other a bit more specific on the particulars of the problem.
Long ago I’ve had a similar problem with SHA-1 signed certificates. Use SHA-256 instead.
Are you using mutual authentication ?
Since your problem is not the same as the OP, I suggest you open a new thread