[SOLVED][MQTT-TLS] [Particle Electron] SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Hello all,

I'm trying to use MQTT-TLS with my Particle Electron. I've set up the mosquitto broker on a ubuntu machine and created the certificates using openssl (the SSL certificates are not verified). It is working fine with my raspberry pi and ESP32(using pubsubclient library) but for almost 2 weeks can't manage to get it work on the Electron and currently have no idea what I'm getting wrong so I'm turning out to the community

I'm seeing the below error from the broker log

1538818268: New connection from xxx.xx.xxx.xxx on port 8883.
1538818268: OpenSSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
1538818268: Socket error on client , disconnecting.
1538818286: Client connection from xxx.xx.xxx.xxx failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol.

My source code is as below

#include "MQTT-TLS.h"

void callback(char* topic, byte* payload, unsigned int length);


#define LET_ENCRYPT_CA_PEM                                              \
"-----BEGIN CERTIFICATE-----\n" \
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxV\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"\
"-----END CERTIFICATE-----"


#define clientId  "myId"
#define username  "myName"
#define password  "myPass"

const char letencryptCaPem[] = LET_ENCRYPT_CA_PEM;


/**
 * if want to use IP address,
 * byte server[] = { XXX,XXX,XXX,XXX };
 * MQTT client(server, 1883, callback);
 * want to use domain name,
 * MQTT client("www.sample.com", 1883, callback);
 * iot.eclipse.org is Eclipse Open MQTT Broker: https://iot.eclipse.org/getting-started
 **/
//MQTT client("iot.eclipse.org", 8883, callback);
byte server[] = { yyy,y,yyy,yyy };
MQTT client(server, 8883, callback);

// recieve message
void callback(char* topic, byte* payload, unsigned int length) {
    char p[length + 1];
    memcpy(p, payload, length);
    p[length] = NULL;
    String message(p);
    
    Serial.print("Received : ");
    Serial.println(message);

    delay(1000);
}

#define ONE_DAY_MILLIS (24 * 60 * 60 * 1000)
unsigned long lastSync = millis();
void setup() {
    if (millis() - lastSync > ONE_DAY_MILLIS) {
        Particle.syncTime();
        lastSync = millis();
    }

    // enable tls. set Root CA pem file.
    // if you don't use TLS, comment out this line.
    client.enableTls(letencryptCaPem, sizeof(letencryptCaPem));
    Serial.println("tls enable");

    // connect to the server
    //connect(const char *id, const char *user, const char *pass)
    //client.connect("sparkclient");
    Serial.println("MQTT connecting ...");

    /* connect now */
    client.connect(clientId, username, password);

    // publish/subscribe
    if (client.isConnected()) {
        Serial.println("client connected");
        client.publish("topic", "hello world");
    }
}

void loop() {
    
    if (client.isConnected()) {
        Serial.println("MQTT Connected!");
        client.loop();
    }
    else {
        /* connect now */
        Serial.println("MQTT connecting ...");
        client.connect(clientId, username, password);
    }
        
    delay(200);
}

The mosquitto.conf file is set as follows

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

tls_version tlsv1.1
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

allow_anonymous false
password_file /etc/mosquitto/passwd

The firmware version on the device is 0.7.0.

Thank you in advance!

Hi @damonzon
Now this TLS library is implements following ciphers list for the reduce the application size/memory of the library.
TLS_RSA_WITH_AES_[256|128]_GCM_SHA[256|384]
and SHA1 key exchange could use.

to resolve for problem I have two answers.

• change your self signed certificates cipher list on your mosquitto for MQTT-TLS library cipher list.
  or
• change cipher list on MQTT-TLS source code. you could find ciphers and implements algorithm in src/mbedtls/config.h. change the cipher/algorithm and build your application with modified library.

thank you.

Hello @hirotakaster ,

thanks for the answer! Indeed it was an issue with the cipher. At first I tried to modify the library within Particle workbench but I had compilation errors (particle compiler can’t compile mbedtls since its in c) so it was troublesome to get the dev environment (maybe there is an easier way to do so), I fixed the issue by creating new certificates using aes256. The previous ones were generated using des.

Thanks again for the answer and your great library

hi i have a similar problem because i cannot compiler the code using the library due to the mbedtls library. How can I overpass this issue?

Hi, please use&compile the latest version on VScode.
Compiling on the WebIDE is not recommended.

ya i was refering to the impossibility to compile in VS code.