[SOLVED][MQTT-TLS] [Particle Electron] SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Hello all,

I’m trying to use MQTT-TLS with my Particle Electron. I’ve set up the mosquitto broker on a ubuntu machine and created the certificates using openssl (the SSL certificates are not verified). It is working fine with my raspberry pi and ESP32(using pubsubclient library) but for almost 2 weeks can’t manage to get it work on the Electron and currently have no idea what I’m getting wrong so I’m turning out to the community :slight_smile:

I’m seeing the below error from the broker log

1538818268: New connection from xxx.xx.xxx.xxx on port 8883.
1538818268: OpenSSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
1538818268: Socket error on client , disconnecting.
1538818286: Client connection from xxx.xx.xxx.xxx failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.

My source code is as below

#include "MQTT-TLS.h"

void callback(char* topic, byte* payload, unsigned int length);


#define LET_ENCRYPT_CA_PEM                                              \
"-----BEGIN CERTIFICATE-----\n" \
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxV\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"-----END CERTIFICATE-----"


#define clientId  "myId"
#define username  "myName"
#define password  "myPass"

const char letencryptCaPem[] = LET_ENCRYPT_CA_PEM;


/**
 * if want to use IP address,
 * byte server[] = { XXX,XXX,XXX,XXX };
 * MQTT client(server, 1883, callback);
 * want to use domain name,
 * MQTT client("www.sample.com", 1883, callback);
 * iot.eclipse.org is Eclipse Open MQTT Broker: https://iot.eclipse.org/getting-started
 **/
//MQTT client("iot.eclipse.org", 8883, callback);
byte server[] = { yyy,y,yyy,yyy };
MQTT client(server, 8883, callback);

// recieve message
void callback(char* topic, byte* payload, unsigned int length) {
    char p[length + 1];
    memcpy(p, payload, length);
    p[length] = NULL;
    String message(p);
    
    Serial.print("Received : ");
    Serial.println(message);

    delay(1000);
}

#define ONE_DAY_MILLIS (24 * 60 * 60 * 1000)
unsigned long lastSync = millis();
void setup() {
    if (millis() - lastSync > ONE_DAY_MILLIS) {
        Particle.syncTime();
        lastSync = millis();
    }

    // enable tls. set Root CA pem file.
    // if you don't use TLS, comment out this line.
    client.enableTls(letencryptCaPem, sizeof(letencryptCaPem));
    Serial.println("tls enable");

    // connect to the server
    //connect(const char *id, const char *user, const char *pass)
    //client.connect("sparkclient");
    Serial.println("MQTT connecting ...");

    /* connect now */
    client.connect(clientId, username, password);

    // publish/subscribe
    if (client.isConnected()) {
        Serial.println("client connected");
        client.publish("topic", "hello world");
    }
}

void loop() {
    
    if (client.isConnected()) {
        Serial.println("MQTT Connected!");
        client.loop();
    }
    else {
        /* connect now */
        Serial.println("MQTT connecting ...");
        client.connect(clientId, username, password);
    }
        
    delay(200);
}

The mosquitto.conf file is set as follows

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

tls_version tlsv1.1
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

allow_anonymous false
password_file /etc/mosquitto/passwd

The firmware version on the device is 0.7.0.

Thank you in advance!

Hi @damonzon
Now this TLS library is implements following ciphers list for the reduce the application size/memory of the library.
TLS_RSA_WITH_AES_[256|128]_GCM_SHA[256|384]
and SHA1 key exchange could use.

to resolve for problem I have two answers.

  • change your self signed certificates cipher list on your mosquitto for MQTT-TLS library cipher list.
    or
  • change cipher list on MQTT-TLS source code. you could find ciphers and implements algorithm in src/mbedtls/config.h. change the cipher/algorithm and build your application with modified library.

thank you.

Hello @hirotakaster ,

thanks for the answer! Indeed it was an issue with the cipher. At first I tried to modify the library within Particle workbench but I had compilation errors (particle compiler can’t compile mbedtls since its in c) so it was troublesome to get the dev environment (maybe there is an easier way to do so), I fixed the issue by creating new certificates using aes256. The previous ones were generated using des.

Thanks again for the answer and your great library :slight_smile:

1 Like