Dear All,
A few days ago the TLS connection to my local Mosquitto MQTT broker stopped working (mbedTLS error: -0x7780) and now all my Mongoose OS based devices are no longer connected.
Has anyone faced the same issue? Do you have any idea or suggestion on how to investigate and fix the connection issue?
This is the error log of my local Mosquitto MQTT broker:
1631689879: New connection from 192.168.1.15 on port 8883.
1631689879: OpenSSL Error[0]: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
1631689879: Socket error on client <unknown>, disconnecting.
I would like to fix this as soon as possible because my Mongoose OS based home automation is now completely broken.
In addition to Liviu’s recommendation (which is a must), you should sniff your network with Wireshark (for example) and see whether the TCP connection is established, then whether and why the TLS handshake succeeds or fails, and check your Mosquitto installation for possible upgrades and unsupported encryption schemes. These microcontroller-based embedded systems can usually only handle a reduced subset of ECDH-based algorithms.
Possibly you used Let’s Encrypt provided certificates. I’ve heard that a few days ago some of its intermediate certificates expired. I was pushed to regenerate certificates myself and now I’m having a similar issue: “The certificate is not correctly signed by the trusted CA”; however, a bunch of Tasmota-powered devices are able to successfully connect and work properly, as well as one of my esp-idf devices.
I can’t get it to work. Everything except Mongoose OS powered devices is working perfectly, but on Mongoose OS I’m constantly getting:
[Oct 11 11:59:11.868] mongoose.c:4912 0x3fff6ddc ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Oct 11 11:59:12.459] mongoose.c:4912 0x3fff6ddc x509_verify_cert returned -9984
[Oct 11 11:59:12.465] mongoose.c:4912 0x3fff6ddc The certificate is not correctly signed by the trusted CA
I used exactly the same CA certificate I used on the other devices. Please help!
That is an mbedTLS error: it is not able to validate the certificate signature, and since you generated your certificate, you should try a different ciphersuite. That very same message is usually followed by another, a bit more specific about the particulars of the problem.
Long ago I had a similar problem with SHA-1 signed certificates. Use SHA-256 instead.
Are you using mutual authentication?
Since your problem is not the same as the OP’s, I suggest you open a new thread.
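The two failures in this thread can be checked from a laptop with the openssl CLI before reaching for Wireshark: the broker's "no shared cipher" is answered with a fatal handshake_failure alert, which is exactly what mbedTLS reports as -0x7780 on the device, and "x509_verify_cert returned -9984" is -0x2700, MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, i.e. the leaf does not chain to the CA file the device holds. The script below is an added example, not code from the thread, Mongoose OS or Mosquitto. It offers the broker exactly one ciphersuite using the mbedTLS name from the device log, dumps the signature algorithm of every certificate the broker actually sends (the SHA-1 case from the reply above shows up as sha1WithRSAEncryption), and verifies a leaf against a CA file. The host broker.local, port 8883 and all file names are placeholders, and make_demo_pki builds a constructed throwaway PKI so the offline checks can be run without a broker.

```shell
#!/bin/sh
# Added example, not code from the thread, Mongoose OS or Mosquitto.
# Needs only the openssl CLI. "broker.local", port 8883 and the file
# names are placeholders; the PKI from make_demo_pki is constructed.
set -eu

# mbedTLS logs IANA-style names (TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256);
# openssl s_client wants its own spelling (ECDHE-RSA-AES128-GCM-SHA256).
# Covers the AES suites a Mongoose OS device offers; ChaCha20 suites use
# a different OpenSSL naming pattern and are not handled here.
mbedtls_to_openssl() {
  printf '%s\n' "$1" | sed \
    -e 's/^TLS-//' \
    -e 's/-WITH-/-/' \
    -e 's/-CBC-/-/' \
    -e 's/AES-\([0-9][0-9]*\)/AES\1/' \
    -e 's/^RSA-//'
}

# Offer the broker exactly one ciphersuite over TLS 1.2, as the device
# would. "rejected" means the broker sent a handshake_failure alert, the
# "no shared cipher" case in the broker log (-0x7780 on the device).
probe_cipher() {
  host=$1 port=$2
  suite=$(mbedtls_to_openssl "$3")
  out=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher "$suite" \
          </dev/null 2>&1 || true)
  case $out in
    *"Cipher is (NONE)"*|*"handshake failure"*|*"no shared cipher"*) echo rejected ;;
    *"Cipher is $suite"*) echo ok ;;
    *) echo "unknown (is $host:$port reachable?)" ;;
  esac
}

# Signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption;
# sha1WithRSAEncryption is the SHA-1 case mentioned above.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Does the leaf chain to the CA file installed on the device? Exit 0 = yes.
# A failure here is what the device logs as x509_verify_cert -> -9984.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Fetch the chain the broker really sends (leaf first) and print each
# certificate's signature algorithm and subject.
server_chain_sig_algs() {
  tmp=$(mktemp -d)
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
    awk -v d="$tmp" '
      /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
      inside { print > (d "/chain" n ".pem") }
      /-----END CERTIFICATE-----/ { inside = 0 }'
  for f in "$tmp"/chain*.pem; do
    [ -f "$f" ] || continue
    printf '%s  %s\n' "$(cert_sig_alg "$f")" "$(openssl x509 -in "$f" -noout -subject)"
  done
  rm -rf "$tmp"
}

# Constructed demo PKI: a home CA, a broker leaf it signed with SHA-256, and
# an unrelated CA. Set DIGEST=sha1 to reproduce the SHA-1 signed case.
make_demo_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  for ca in ca other; do
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=broker.local" \
    -keyout "$d/broker.key" -out "$d/broker.csr" 2>/dev/null
  openssl x509 -req "-${DIGEST:-sha256}" -days 1 -in "$d/broker.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -out "$d/broker.pem" 2>/dev/null
}

# Offline demo: sh tls_diag.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  echo "broker.pem signed with: $(cert_sig_alg "$d/broker.pem")"
  verify_chain "$d/ca.pem" "$d/broker.pem" && echo "verifies against ca.pem"
  verify_chain "$d/other.pem" "$d/broker.pem" || echo "does not verify against other.pem"
  rm -rf "$d"
fi
# Against a live broker (placeholders, not run here):
#   probe_cipher broker.local 8883 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
#   server_chain_sig_algs broker.local 8883
```

If probe_cipher says "rejected" for the very suite the device logs while a plain openssl s_client without -cipher connects, the broker's key type or cipher list is the problem (an ECDSA broker certificate cannot serve an ECDHE-RSA suite, and vice versa). If the chain verifies with openssl but the device still reports -9984, compare the CA file on the device with the issuer printed by server_chain_sig_algs: after re-issuing certificates the device often still trusts the old CA or intermediate.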