Paho MQTT raises "EOF occurred in violation of protocol"

Question (votes: 0, answers: 1)

I am trying to build a simple broker + pub/sub client setup using TLS. My broker is an eclipse-mosquitto container, and I am using Python for my clients. When I try to connect to my broker, I get this error:

Traceback (most recent call last):
  File "/home/kali/mqtt-broker/scripts/sub.py", line 27, in <module>
    client.connect( broker_address, 8883, 60 )
  File "/home/kali/.local/lib/python3.11/site-packages/paho/mqtt/client.py", line 914, in connect
    return self.reconnect()
           ^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/paho/mqtt/client.py", line 1073, in reconnect
    sock.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: [SSL: UNEXPECTED_EOF_WHILE_READING] EOF occurred in violation of protocol (_ssl.c:1002)

I really don't understand this and would appreciate some clarification. Here is my TLS setup:

My server certificate has 127.0.0.1 as both its CN and SAN attribute:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            15:ce:ad:41:31:00:24:44:ed:81:2c:c0:76:61:ac:b0:10:b3:a6:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, ST = Belgium, L = SaintGilles, O = OT Lab, OU = IOT, CN = Sophiane
        Validity
            Not Before: Jan 15 15:05:48 2024 GMT
            Not After : Jan 14 15:05:48 2025 GMT
        Subject: C = BE, ST = Belgium, L = Saint-Gilles, O = Internet Widgits Pty Ltd, CN = 127.0.0.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1
            X509v3 Subject Key Identifier:
                59:0B:F4:7B:A2:0B:A0:54:9A:AA:2D:7C:FD:FE:1D:96:AC:23:C2:C1
            X509v3 Authority Key Identifier:
                BF:05:1E:B8:B6:36:62:31:97:5B:6E:A6:CB:07:FC:09:46:E5:5E:EB
    Signature Algorithm: sha256WithRSAEncryption

My client certificate has a different CN than my CA certificate.

Here is my mosquitto.conf file:

persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
allow_anonymous true
listener 8883 127.0.0.1

cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
tls_version tlsv1.2

And my docker-compose.yml file:

version: '3.5'

services:
  mosquitto:
    container_name: mos2-tls
    image: eclipse-mosquitto:latest
    volumes:
      - ./config:/mosquitto/config/
    ports:
      - '8883:8883'
    networks:
      - default
    restart: unless-stopped

networks:
  default:

Here is my config folder tree:

└─$ tree .
.
├── config
│   ├── certs
│   │   ├── ca.crt
│   │   ├── server.crt
│   │   └── server.key
│   └── mosquitto.conf
└── docker-compose.yml

Finally, here is my Python file, which produces this error:

import paho.mqtt.client as mqtt
import ssl, time

broker_address = "127.0.0.1"
topic = "test"

ca_cert = "/home/kali/certs/ca.crt"
client1_cert = "/home/kali/certs/client.crt"
client1_key = "/home/kali/certs/client.key"

def on_message(client, userdata, message):
    print("message received ", str(message.payload.decode("utf-8")))
    print("message topic=", message.topic)
    print("message qos=", message.qos)
    print("message retain flag=", message.retain)

print("creating new instance")
# paho-mqtt 1.x constructor; 2.x requires a CallbackAPIVersion as first argument
client = mqtt.Client("mqttclient")

print("connecting to broker")
# CA used to verify the broker, plus a client certificate/key for mutual TLS
client.tls_set(ca_cert, client1_cert, client1_key, tls_version=ssl.PROTOCOL_TLSv1_2)
client.tls_insecure_set(False)  # keep hostname verification enabled

# The TLS handshake runs inside connect(); this is where the SSLEOFError is raised
client.connect(broker_address, 8883, 60)
client.loop_start()

print("Subscribing to topic", topic)
client.on_message = on_message
client.subscribe(topic)

for i in range(1, 10):
    print("Publishing message to topic", topic)
    client.publish(topic, "Hello world from MQTT " + str(i))
    time.sleep(1)

client.loop_stop()

print("Goodbye!")

I looked online for common mistakes with this setup and found that Python looks for the SAN in the server certificate rather than the CN, but that didn't work.

I also tried using the same CN for my CA and client certificates, but that didn't work either.

Following some Stack Overflow answers, I installed ndg-httpsclient, pyopenssl and pyasn1, but without success.

I always get the same EOF error. I'm really lost; what should I do?

python docker ssl mqtt paho

1 Answer

0 votes

listener 8883 127.0.0.1

From the documentation for listener:

> The second optional argument allows the listener to be bound to a specific IP address/hostname.

So you are binding to the loopback interface. When you run this under Docker, the result is that Mosquitto is not reachable from outside the container itself (the loopback interface in the container is not the same as the host loopback interface). See this answer for more information.

Changing this to

listener 8883

will allow connections (I make no promise that this is your only problem!).
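The loopback-bind problem from the answer above is easy to catch before a container is even started. The following is an added example, not code from the question or from Mosquitto, that parses `listener` directives out of a mosquitto.conf (the sample is the question's own config, embedded as a constructed string) and flags any listener bound to a loopback address when the broker is meant to run inside a container:

```python
import re

# Constructed sample: the mosquitto.conf from the question above.
SAMPLE_CONF = """\
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
allow_anonymous true
listener 8883 127.0.0.1

cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
tls_version tlsv1.2
"""

# Addresses that only exist inside the container's own network namespace.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_listeners(conf_text):
    """Return (port, bind_address_or_None) for every 'listener' directive."""
    listeners = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "listener" and len(parts) >= 2 and re.fullmatch(r"\d+", parts[1]):
            bind = parts[2] if len(parts) >= 3 else None  # None = all interfaces
            listeners.append((int(parts[1]), bind))
    return listeners

def check_listeners(conf_text, in_container=True):
    """Report listeners that a client outside the container could never reach."""
    findings = []
    for port, bind in parse_listeners(conf_text):
        if in_container and bind in LOOPBACK:
            findings.append(
                f"listener {port} is bound to {bind}: that is the container's own "
                f"loopback, so the published port {port} leads nowhere; "
                f"use 'listener {port}' to bind all interfaces instead")
    return findings

if __name__ == "__main__":
    for finding in check_listeners(SAMPLE_CONF):
        print(finding)
```

Running it against the question's config reports exactly the `listener 8883 127.0.0.1` line; a bare `listener 8883`, or the same config on a non-containerised broker, produces no findings.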
