I'm trying to build a simple broker + pub/sub client setup using TLS. My broker is an eclipse-mosquitto container, and my clients are written in Python. When I try to connect to my broker I get this error:
Traceback (most recent call last):
  File "/home/kali/mqtt-broker/scripts/sub.py", line 27, in <module>
    client.connect( broker_address, 8883, 60 )
  File "/home/kali/.local/lib/python3.11/site-packages/paho/mqtt/client.py", line 914, in connect
    return self.reconnect()
           ^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/paho/mqtt/client.py", line 1073, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1002)
I really don't understand it and would appreciate some clarification. Here is my TLS setup:
My server certificate has 127.0.0.1 as both its CN and its SAN:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
15:ce:ad:41:31:00:24:44:ed:81:2c:c0:76:61:ac:b0:10:b3:a6:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = BE, ST = Belgium, L = SaintGilles, O = OT Lab, OU = IOT, CN = Sophiane
Validity
Not Before: Jan 15 15:05:48 2024 GMT
Not After : Jan 14 15:05:48 2025 GMT
Subject: C = BE, ST = Belgium, L = Saint-Gilles, O = Internet Widgits Pty Ltd, CN = 127.0.0.1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:86:01:42:b3:51:30:ed:e3:00:5f:45:b6:b6:aa:
b3:5e:93:17:f7:de:03:c1:ea:51:e2:2c:0a:e9:77:
ab:f8:ea:2d:1c:a6:b5:48:61:1b:c2:02:d3:09:7c:
fb:c0:1a:7b:51:d7:85:cb:61:6f:46:35:24:a6:66:
ab:a6:3a:ac:bc:e3:f2:81:60:e9:1d:91:20:4e:b6:
2e:f9:e1:9b:1c:82:ac:a7:84:b7:64:80:d6:35:cf:
56:c4:e1:aa:ee:6f:91:e5:60:26:0d:fb:05:ac:f2:
9e:88:2a:eb:c5:19:e8:02:23:8a:e6:37:ed:ae:17:
22:96:65:3c:6e:b1:8f:04:6c:0e:6a:1d:13:8f:3d:
59:ae:d2:44:59:43:5a:fb:e1:c3:f1:5b:87:8f:4b:
0d:e9:99:b2:da:b3:0e:6a:30:8a:83:08:7d:99:b2:
37:4f:c1:12:e7:69:16:a3:f6:d1:92:6b:6d:c3:9a:
6d:c1:00:70:11:4a:0c:96:6f:74:32:75:2c:ac:12:
e9:15:d3:fa:16:cb:dc:6f:2f:14:88:dd:ec:81:b3:
7d:86:13:12:95:94:f9:42:14:b7:77:c1:b0:29:40:
25:00:d1:98:c9:0f:4e:a3:90:62:d7:b5:4f:3f:c0:
95:9f:91:77:75:ed:cf:a3:1a:0f:b9:71:99:d8:3c:
bb:7d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:127.0.0.1
X509v3 Subject Key Identifier:
59:0B:F4:7B:A2:0B:A0:54:9A:AA:2D:7C:FD:FE:1D:96:AC:23:C2:C1
X509v3 Authority Key Identifier:
BF:05:1E:B8:B6:36:62:31:97:5B:6E:A6:CB:07:FC:09:46:E5:5E:EB
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
33:01:ed:4f:c0:2d:5d:0d:65:aa:27:11:d9:f5:38:6f:04:8d:
0b:d9:2e:b9:dd:93:35:cc:df:0d:65:a9:d9:ca:2e:4c:5c:f1:
a7:54:5d:ac:3d:7b:21:f8:ff:e3:db:18:92:78:08:8d:a4:81:
aa:52:5e:68:cd:06:93:74:a9:70:9f:a9:48:fd:58:13:b9:a6:
0f:fd:12:ea:e8:42:a1:13:40:e0:c9:91:75:6b:9f:fb:31:a9:
9e:40:ce:79:56:b7:f0:03:cc:a5:f5:33:8b:f5:46:85:d7:e7:
82:93:e1:cf:f2:28:bd:e7:95:78:68:b2:8f:dc:80:e3:7f:b4:
21:59:0f:e8:6e:e4:cb:a4:2a:df:c0:85:d5:45:da:bb:67:a8:
75:30:81:38:19:66:76:87:5b:db:25:c9:cf:56:b5:75:31:1d:
2c:bd:f0:dd:eb:9f:c2:2d:68:77:12:5c:24:c2:de:1d:1c:4a:
de:99:c7:61:83:f1:43:69:a9:8f:a0:97:ae:96:e7:e1:a7:87:
1d:94:bd:c3:30:7e:4d:1f:69:2a:ee:d9:ae:09:6b:f4:3d:5c:
5a:a9:05:6d:95:40:85:e2:51:4b:5f:76:93:5b:cc:e8:98:9e:
a9:2c:8c:7e:a8:3d:32:f3:24:0b:56:8b:68:0a:46:42:69:34:
17:fa:e8:0e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
My client certificate has a different CN from my CA certificate.
Here is my mosquitto.conf file:
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
allow_anonymous true
listener 8883 127.0.0.1
cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
tls_version tlsv1.2
and my docker-compose.yml file:
version: '3.5'
services:
  mosquitto:
    container_name: mos2-tls
    image: eclipse-mosquitto:latest
    volumes:
      - ./config:/mosquitto/config/
    ports:
      - '8883:8883'
    networks:
      - default
    restart: unless-stopped
networks:
  default:
Here is my config folder tree:
└─$ tree .
.
├── config
│   ├── certs
│   │   ├── ca.crt
│   │   ├── server.crt
│   │   └── server.key
│   └── mosquitto.conf
└── docker-compose.yml
Finally, here is my Python file, which produces the error:
import ssl
import time

import paho.mqtt.client as mqtt

broker_address = "127.0.0.1"
topic = "test"
ca_cert = "/home/kali/certs/ca.crt"
client1_cert = "/home/kali/certs/client.crt"
client1_key = "/home/kali/certs/client.key"


def on_message(client, userdata, message):
    print("message received ", str(message.payload.decode("utf-8")))
    print("message topic=", message.topic)
    print("message qos=", message.qos)
    print("message retain flag=", message.retain)


print("creating new instance")
client = mqtt.Client("mqttclient")  # paho-mqtt 1.x constructor: first argument is the client id
client.on_message = on_message      # register the callback before connecting so no message is missed

print("connecting to broker")
# CA used to verify the broker, plus the client certificate/key offered for mutual TLS
client.tls_set(ca_cert, client1_cert, client1_key, tls_version=ssl.PROTOCOL_TLSv1_2)
client.tls_insecure_set(False)      # keep hostname/SAN verification on (this is the default)
client.connect( broker_address, 8883, 60 )  # the call that raises SSLEOFError
client.loop_start()

print("Subscribing to topic", topic)
client.subscribe(topic)
for i in range(1, 10):
    print("Publishing message to topic", topic)
    client.publish(topic, "Hello world from MQTT " + str(i))
    time.sleep(1)

client.loop_stop()
client.disconnect()
print("Goodbye!")
I looked online for common mistakes with this setup and found that Python looks for the SAN in the server certificate rather than the CN, but that didn't work.
My CA and client certificates having the same CN didn't work either.
Following some Stack Overflow answers I installed ndg-httpsclient, pyopenssl and pyasn1, without success.
It's always the same EOF error. I'm really lost, what should I do?
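Added example (not part of the question above, and not paho or mosquitto code): a Python probe that tells apart the transport-level outcomes a TLS client can hit, together with a constructed stand-in server that accepts the TCP connection, reads the ClientHello and closes without replying. `[SSL: UNEXPECTED_EOF_WHILE_READING]` raised from `do_handshake()` means exactly that pattern: the peer hung up mid-handshake without sending a TLS alert. A wrong SAN or an untrusted CA is reported differently, as `ssl.SSLCertVerificationError` once the broker's certificate arrives, so certificate changes cannot make an EOF go away. The line in the posted setup that produces the accept-then-close pattern is `listener 8883 127.0.0.1`: inside the container it binds only the container's own loopback, which the published port `8883:8883` cannot reach, and Docker's userland port proxy (the default) accepts the host-side connection and closes it when it cannot reach the backend. A published listener needs `listener 8883` (all interfaces) or `listener 8883 0.0.0.0`. One related caveat: `cafile` alone does not make mosquitto ask the client for a certificate; `require_certificate true` is needed before the client.crt/client.key pair has any effect. The function names, labels and the fake server below are mine; the only value taken from the post is the ca.crt path in the final comment.

```python
"""Added example: classify why a TLS handshake to host:port did or did not complete.
The accept-then-close server below is constructed for the demo; it stands in for
anything that accepts the TCP connection but has no TLS server behind it."""
import socket
import ssl
import struct
import threading
from typing import List, Optional, Tuple

# Outcome labels returned by probe_tls_handshake()
HANDSHAKE_OK = "handshake_ok"
PEER_CLOSED = "peer_closed_during_handshake"  # FIN mid-handshake -> ssl.SSLEOFError
PEER_RESET = "peer_reset_during_handshake"    # RST mid-handshake -> ConnectionResetError
REFUSED = "connection_refused"                # nothing listening on that port
TIMED_OUT = "timed_out"                       # accepted, then silence
CERT_REJECTED = "certificate_rejected"        # TLS ran, server cert/SAN failed verification
OTHER_TLS_ERROR = "other_tls_error"           # any other TLS alert or protocol error


def probe_tls_handshake(host: str, port: int, cafile: Optional[str] = None,
                        timeout: float = 3.0) -> str:
    """Connect, run a TLS handshake and return one of the labels above.
    With cafile=None verification is off: the probe then only diagnoses the
    transport and says nothing about the server's identity."""
    if cafile is not None:
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname/SAN
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket() runs do_handshake() at once on an already-connected socket
            with ctx.wrap_socket(raw, server_hostname=host):
                return HANDSHAKE_OK
    except ssl.SSLEOFError:
        return PEER_CLOSED
    except ssl.SSLCertVerificationError:
        return CERT_REJECTED
    except ssl.SSLError:
        return OTHER_TLS_ERROR
    except ConnectionRefusedError:
        return REFUSED
    except ConnectionResetError:
        return PEER_RESET
    except (socket.timeout, TimeoutError):
        return TIMED_OUT


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full TLS record arrived")
        buf += chunk
    return buf


def read_tls_record(conn: socket.socket) -> bytes:
    """Read one TLS record: 5-byte header (content type, version, length) plus body."""
    header = _recv_exact(conn, 5)
    _content_type, _version, length = struct.unpack("!BHH", header)
    return header + _recv_exact(conn, length)


def start_accept_then_close_server() -> Tuple[int, List[bytes]]:
    """Listen on a free loopback port, accept one connection, read the ClientHello,
    then close without replying. Returns (port, captured_records). The ClientHello is
    read first on purpose: closing with unread data makes Linux send RST
    (ConnectionResetError) instead of the FIN that yields SSLEOFError."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    captured: List[bytes] = []

    def serve_one() -> None:
        conn, _ = srv.accept()
        conn.settimeout(5.0)
        try:
            captured.append(read_tls_record(conn))
        except OSError:
            pass
        finally:
            conn.close()  # FIN: the client's handshake read now hits EOF
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port, captured


def free_tcp_port() -> int:
    """Find a loopback port nothing listens on (bind to port 0, then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, records = start_accept_then_close_server()
    print("accept-then-close server:", probe_tls_handshake("127.0.0.1", port))
    # records[0] is the raw ClientHello: 0x16 = handshake record, 0x01 = client_hello
    print("record/message type:", hex(records[0][0]), hex(records[0][5]))
    print("port with no listener:", probe_tls_handshake("127.0.0.1", free_tcp_port()))
    # Against the real broker keep verification on, e.g.:
    # probe_tls_handshake("127.0.0.1", 8883, cafile="/home/kali/certs/ca.crt")
```

Against the real broker, call `probe_tls_handshake("127.0.0.1", 8883, cafile="/home/kali/certs/ca.crt")` so verification stays on; `peer_closed_during_handshake` is the same condition as the traceback above, while `certificate_rejected` is what a genuine CN/SAN or CA problem looks like. The shell equivalent is `openssl s_client -connect 127.0.0.1:8883 -CAfile /home/kali/certs/ca.crt`, which in the accept-then-close case fails right after `CONNECTED` without printing any certificate chain.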