[IoT] SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Source: Internet | Published under: php面试题及答案宝典 | Editor: 程序博客网 | Time: 2024/06/05 19:35
Error message

While installing and deploying mosquitto with TLS enabled for secure communication, the following error appeared when a client connected to the broker:

```
SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
```
Steps taken

The initial /etc/mosquitto/mosquitto.conf was configured as follows (the certificates, public keys and private keys were generated following http://dataguild.org/?p=6866):

```
listener 8883
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto.log
cafile /etc/mosquitto/tls/ca.crt
certfile /etc/mosquitto/tls/server.crt
keyfile /etc/mosquitto/tls/server.key
require_certificate true
```

Then start the service:

```
# mosquitto -c /etc/mosquitto/mosquitto.conf
```

Next, start a subscribing client in another window:

```
# mosquitto_sub -h 203.195.201.191 -p 8883 -t 'topic' --cafile /etc/mosquitto/tls2/ca.crt
Error: A TLS error occurred.
```

The subscriber printed Error: A TLS error occurred., then disconnected and exited, while the broker side logged the peer did not return a certificate error from the title.
Solution

I then checked the require_certificate parameter in the configuration file and read its description:

```
# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
```

Roughly, this says that once require_certificate is set to true, the broker requires the client to present a trusted certificate when it connects. The mosquitto_sub command above only supplied the broker's certificate public key (--cafile), so the problem was probably there; I therefore tried commenting out require_certificate, so that it took its default value of false. After restarting, both pub and sub worked normally.
Raising the security level (device identity authentication)

That resolves the problem above. However, this only encrypts the data in transit; to also verify that a client is who it claims to be, each client device needs its own certificate.

1) First set require_certificate=true and restart the broker.

2) Issue a device certificate with the existing CA:

```
openssl genrsa -des3 -out client.key 2048
openssl req -out client.csr -key client.key -new
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
```

3) Once the pub/sub clients have their certificates, they can connect normally:

```
mosquitto_sub -h your_host -p 8883 -t 'test' --cafile ca.crt --cert client.crt --key client.key
mosquitto_pub -h your_host -p 8883 -t 'test' -m 'hello' --cafile ca.crt --cert client.crt --key client.key
```

This gives TLS-encrypted communication only after the client's identity has been authenticated.
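To see the same failure from the broker's side without a broker, here is an added Go example (not from this post and not mosquitto's code) that builds a throwaway CA, broker certificate and device certificate in memory and runs one TLS handshake over loopback: the ClientAuth setting plays the role of require_certificate, and the optional client certificate plays the role of --cert/--key. The names issue, Handshake, ca and Device are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for cn signed by parent; a nil parent makes it self-signed.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		DNSNames: []string{"localhost"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed: this is how the constructed test CA is made
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

var ca = issue("Test CA", true, nil)         // plays ca.crt / ca.key (constructed test PKI)
var Device = issue("device-001", false, &ca) // plays client.crt / client.key

// Handshake runs one TLS connection over loopback and returns the broker-side handshake error;
// auth plays require_certificate, clientCerts plays --cert/--key (none means --cafile only).
func Handshake(auth tls.ClientAuthType, clientCerts ...tls.Certificate) error {
	pool := x509.NewCertPool() // the cafile that both sides trust
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{issue("broker", false, &ca)}, ClientCAs: pool, ClientAuth: auth}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: clientCerts}
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // loopback errors are ignored for brevity
	defer ln.Close()
	go func() { // the subscriber: connect, then wait for the broker's verdict (an alert or a clean close)
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Read(make([]byte, 1))
			c.Close()
		}
	}()
	raw, _ := ln.Accept()
	defer raw.Close()
	return tls.Server(raw, srvCfg).Handshake()
}
func main() { fmt.Println(Handshake(tls.RequireAndVerifyClientCert)) } // --cafile only: prints the broker-side error
```

With require_certificate on, the client that only passes --cafile completes its own side of the handshake and sees nothing more specific than a TLS error, while the broker is the side that rejects the connection for lack of a client certificate.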