sslv3 alert bad certificate with a Mosquitto broker using TLS certificates
I have a Mosquitto broker on an RPi with a server TLS certificate signed by a self-signed CA located on the RPi. I am trying to connect to this broker from a Parrot VirtualBox machine using a Python script with the following commands:
TLS_CERT_PATH = "/etc/mosquitto/ca.pem"
client_crt = "/etc/mosquitto/VM.pem"
client_key = "/etc/mosquitto/parrot.key"
client.tls_set(ca_certs=TLS_CERT_PATH, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)
client.tls_insecure_set(False)
And the following error appears in the broker:
sslv3 alert bad certificate
And in the virtual machine:
certificate verify failed: IP address mismatch
I don't understand the error because if I run the following in the virtual machine, where 192.168.1.254 is the IP of the RPi:
mosquitto_pub -h 192.168.1.254 -p 2259 --tls-version tlsv1.2 --cafile /etc/mosquitto/ca.crt --cert /etc/mosquitto/VM.crt --key /etc/mosquitto/parrot.key -t Injecction_moulding/pressure -q 0 -m trying
It doesn't give me any error, even though I am using the same certificate files.
I thought that maybe it was something related to an intermediate certificate signing my virtual machine's client certificate, but it is issued by the same CA that the broker uses. Moreover, I have also added the certificates that I am using to /etc/ssl/certs, just in case the CA was not recognising them as valid certificates.
Any idea of the error? I would appreciate your help because I have spent two days with this and I'm kind of stuck.
What I have in the broker's certificate is:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            37:4c:1f:f9:cd:80:c7:f4:82:82:04:69:15:5f:25:de:09:60:ae:b9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, ST = Galicia, L = Vigo, O = TFG, OU = TFG, CN = tfg, emailAddress = myemail
        Validity
            Not Before: May 25 17:26:29 2022 GMT
            Not After : Jul 9 17:26:29 2023 GMT
        Subject: C = UK, ST = Galicia, L = Pontevedra, O = Universidad de Vigo, OU = test, CN = 192.168.1.254, emailAddress = myemail
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
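Why two clients can disagree about the same certificate, as an added example that is not part of the original post: when the host is an IP address, the OpenSSL check behind Python's `ssl` hostname verification compares it only against iPAddress SAN entries, and an X.509 v1 certificate cannot carry a SAN at all. The function names, the reissued dump and the CN-fallback model (assumed here to explain the `mosquitto_pub` result) are constructed for illustration.

```python
import ipaddress
import re

# Trimmed from the broker certificate dump in the question (hex bodies omitted).
BROKER_CERT = """\
Data:
    Version: 1 (0x0)
    Issuer: C = ES, ST = Galicia, L = Vigo, O = TFG, OU = TFG, CN = tfg
    Subject: C = UK, ST = Galicia, L = Pontevedra, O = Universidad de Vigo, OU = test, CN = 192.168.1.254
"""

# Constructed sample: the same subject reissued as X.509 v3 with an IP SAN.
REISSUED_CERT = """\
Data:
    Version: 3 (0x2)
    Subject: CN = 192.168.1.254
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            IP Address:192.168.1.254
"""

def parse_dump(text):
    """Extract version, Subject CN and SAN entries from `openssl x509 -text` output."""
    version = int(re.search(r"Version:\s*(\d+)", text).group(1))
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,\n]+)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    entries = [e.strip().split(":", 1) for e in san.group(1).split(",")] if san else []
    return version, (cn.group(1).strip() if cn else None), entries

def san_ip_match(text, host):
    """Strict rule for an IP host: only iPAddress SAN entries count, never the CN."""
    ip = ipaddress.ip_address(host)
    return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
               for kind, value in parse_dump(text)[2])

def cn_fallback_match(text, host):
    """Lenient rule (assumed model of a CN-fallback client): SAN match, else CN == host."""
    _, cn, entries = parse_dump(text)
    has_dns_san = any(kind == "DNS" for kind, _ in entries)
    return san_ip_match(text, host) or (not has_dns_san and cn == host)

def diagnose(text, host):
    """Explain the outcome a strict verifier would report for this dump."""
    version, cn, _ = parse_dump(text)
    if san_ip_match(text, host):
        return "ok"
    if version < 3:
        return f"X.509 v{version} has no extensions, so no SAN; CN={cn} is ignored"
    return "no iPAddress SAN equals the host"
```

Reissuing the broker certificate as X.509 v3 with `subjectAltName = IP:192.168.1.254` in the OpenSSL extension configuration is the change the strict check requires.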