【IoT】SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

Source: Internet  Published by: php面试题及答案宝典  Editor: 程序博客网  Time: 2024/06/05 19:35

Error message

While installing and deploying mosquitto I enabled TLS for the client/broker connection, and when the client tried to connect to the broker the following error appeared:

SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate


Steps so far

First, /etc/mosquitto/mosquitto.conf was configured as follows (the certificates, public keys and private keys were generated following http://dataguild.org/?p=6866):

listener 8883
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto.log
cafile /etc/mosquitto/tls/ca.crt
certfile /etc/mosquitto/tls/server.crt
keyfile /etc/mosquitto/tls/server.key
require_certificate true

Then start the service:

# mosquitto -c /etc/mosquitto/mosquitto.conf
Then, in another window, start a subscribing client:

# mosquitto_sub -h 203.195.201.191 -p 8883 -t 'topic' --cafile /etc/mosquitto/tls2/ca.crt
Error: A TLS error occurred.

The subscriber prints Error: A TLS error occurred., drops the connection and exits, while the broker side logs the error from the title: peer did not return a certificate.


Solution

I then looked at the require_certificate parameter in the configuration file and read its description:

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.

In short: once require_certificate is set to true, the broker requires the client to present a trusted certificate when it asks to connect. The mosquitto_sub command above only supplied the CA certificate used to verify the broker, which is probably where the problem lay, so I tried commenting out the require_certificate parameter, leaving it at its default of false. After restarting, both pub and sub worked normally.


Raising the security level (device identity authentication)

That resolves the problem above, but it only gives encrypted communication. To also verify that a connecting client is legitimate, each client device needs its own certificate.

1) First set require_certificate=true again and restart the broker.

2) Issue a device certificate with the existing CA:

openssl genrsa -des3 -out client.key 2048
openssl req -out client.csr -key client.key -new
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

3) Once the pub/sub clients have their certificates, they can connect normally:

mosquitto_sub -h your_host -p 8883 -t 'test' --cafile ca.crt --cert client.crt --key client.key
mosquitto_pub -h your_host -p 8883 -t 'test' -m 'hello' --cafile ca.crt --cert client.crt --key client.key

With that, TLS-encrypted communication only takes place after the client has authenticated itself with its certificate.
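The same require_certificate behaviour reproduced offline in Go, as an added example that is not code from this post or from mosquitto: a loopback TLS listener with tls.RequireAndVerifyClientCert stands in for the broker, a client that presents no certificate is rejected the way the broker above rejected mosquitto_sub, and a client carrying a CA-issued device certificate connects. The CA name, the host name "broker" and "device-01" are made-up values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a cert for cn: a self-signed CA when parent is nil, otherwise one signed with
// parent's key, i.e. the "openssl x509 -req -CA ca.crt -CAkey ca.key" step from the post.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed: the CA signs itself
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

var ca = issue("mqtt-test-ca", nil) // throwaway PKI with constructed names: a CA, the broker cert, one device cert
var broker, device = issue("broker", &ca), issue("device-01", &ca)

// Handshake runs a loopback listener set up like the broker above (cafile + require_certificate true) and dials it
// once over TLS 1.2 (so a rejection surfaces in Dial) with the given client certs, returning the conn or the error.
func Handshake(clientCerts ...tls.Certificate) (*tls.Conn, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{broker},
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}) // cafile + require_certificate true
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // broker side: accept one connection and drive its handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "broker", MaxVersion: tls.VersionTLS12, Certificates: clientCerts}
	return tls.Dial("tcp", ln.Addr().String(), cfg) // --cafile ca.crt [--cert client.crt --key client.key]
}
```

Handshake() with no arguments fails with a remote "bad certificate" alert, the client-side view of the broker's "peer did not return a certificate"; Handshake(device) succeeds.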




