MQT: TLS connection error: 0 on Sonoff

[Deltamir]

PROBLEM DESCRIPTION

While following this documentation : https://tasmota.github.io/docs/Self-signed-Mosquitto/
This doc is very precise and useful, and I managed to go through without major hiccups.
Most of the errors I got were on my end, understandable through error codes and I corrected them (ex : typo on fingerprint, error while copying CA, etc). But then I ended up with a MQT: TLS connection error: 0 that I could not resolve.
I believe it's an error on the firmware ends because I got another mqtt client to connect without issues.
I tried with differents configurations as listed bellow.
I ran an sslscan to ensure the server was listening with the proper ciphersuite (ECDHE-RSA-AES128-GCM-SHA256) and TLS (1.2) versions as specified here : https://tasmota.github.io/docs/TLS/#limitations
I'm not sure but maybe the absence of error code is an issue in itself ?

REQUESTED INFORMATION

Make sure your have performed every step and checked the applicable boxes before submitting your issue. Thank you!

• Read the Contributing Guide and Policy and the Code of Conduct
• Searched the problem in issues
• Searched the problem in discussions
• Searched the problem in the docs
• Searched the problem in the chat
• Device used (e.g., Sonoff Basic): Sonoff Basic R2 v1.3 and Sonoff TH16 v2.1
• Tasmota binary firmware version number used: I tried with current master (v9.4.0) and current developpement branch (commit d3874e9)
  • Pre-compiled
  • Self-compiled
• Flashing tools used: Tasmotizer 1.2
• Provide the output of command: Backlog Template; Module; GPIO 255:

  Configuration output here:
18:57:11.087 CMD: Backlog Template; Module; GPIO 255
18:57:11.152 RSL: RESULT = {"NAME":"Generic","GPIO":[1,1,1,1,1,1,1,1,1,1,1,1,1,1],"FLAG":0,"BASE":18}
18:57:11.358 RSL: RESULT = {"Module":{"4":"Sonoff TH"}}
18:57:11.563 RSL: RESULT = {"GPIO0":{"32":"Button1"},"GPIO1":{"0":"None"},"GPIO2":{"0":"None"},"GPIO3":{"0":"None"},"GPIO4":{"0":"None"},"GPIO5":{"0":"None"},"GPIO9":{"0":"None"},"GPIO10":{"0":"None"},"GPIO12":{"224":"Relay1"},"GPIO13":{"320":"Led_i1"},"GPIO14":{"0":"None"},"GPIO15":{"0":"None"},"GPIO16":{"0":"None"},"GPIO17":{"0":"None"}}

• If using rules, provide the output of this command: Backlog Rule1; Rule2; Rule3:

  Rules output here:

• Provide the output of this command: Status 0:

  STATUS 0 output here:
19:02:03.031 CMD: Group 0, Index 1, Command "STATUS", Data "0"
19:02:03.038 RSL: STATUS = {"Status":{"Module":4,"DeviceName":"Tasmota","FriendlyName":["Tasmota"],"Topic":"tasmota_052451","ButtonTopic":"0","Power":0,"PowerOnState":3,"LedState":1,"LedMask":"FFFF","SaveData":1,"SaveState":1,"SwitchTopic":"0","SwitchMode":[0,0,0,0,0,0,0,0],"ButtonRetain":0,"SwitchRetain":0,"SensorRetain":0,"PowerRetain":0,"InfoRetain":0,"StateRetain":0}}
19:02:03.065 RSL: STATUS1 = {"StatusPRM":{"Baudrate":115200,"SerialConfig":"8N1","GroupTopic":"tasmotas","OtaUrl":"http://ota.tasmota.com/tasmota/release/tasmota.bin.gz","RestartReason":"Power On","Uptime":"0T00:05:32","StartupUTC":"2021-05-11T17:56:31","Sleep":50,"CfgHolder":4617,"BootCount":3,"BCResetTime":"2021-05-11T12:34:49","SaveCount":8,"SaveAddress":"F4000"}}
19:02:03.097 RSL: STATUS2 = {"StatusFWR":{"Version":"9.4.0.3(tasmota)","BuildDateTime":"2021-05-11T13:28:55","Boot":31,"Core":"2_7_4_9","SDK":"2.2.2-dev(38a443e)","CpuFrequency":80,"Hardware":"ESP8266EX","CR":"404/699"}}
19:02:03.116 RSL: STATUS3 = {"StatusLOG":{"SerialLog":2,"WebLog":4,"MqttLog":0,"SysLog":0,"LogHost":"","LogPort":514,"SSId":["Livebox-XXXX",""],"TelePeriod":300,"Resolution":"558180C0","SetOption":["00008009","2805C8000100060000005A0A000000000000","00000080","00206000","00000000"]}}
19:02:03.146 RSL: STATUS4 = {"StatusMEM":{"ProgramSize":656,"Free":344,"Heap":20,"ProgramFlashSize":1024,"FlashSize":1024,"FlashChipId":"146085","FlashFrequency":40,"FlashMode":3,"Features":["00000809","8FDAC7C7","04368001","000000CF","010013C0","C000F981","00004004","00001000","00000020"],"Drivers":"1,2,3,4,5,6,7,8,9,10,12,16,18,19,20,21,22,24,26,27,29,30,35,37,45","Sensors":"1,2,3,4,5,6"}}
19:02:03.176 RSL: STATUS5 = {"StatusNET":{"Hostname":"tasmota_052451-1105","IPAddress":"192.168.1.37","Gateway":"192.168.1.1","Subnetmask":"255.255.255.0","DNSServer":"192.168.1.1","Mac":"C8:2B:96:05:24:51","Webserver":2,"WifiConfig":4,"WifiPower":17.0}}
19:02:03.199 RSL: STATUS6 = {"StatusMQT":{"MqttHost":"mqtt.home","MqttPort":8883,"MqttClientMask":"DVES_%06X","MqttClient":"DVES_052451","MqttUser":"MQTT_USER","MqttCount":0,"MAX_PACKET_SIZE":1200,"KEEPALIVE":30,"SOCKET_TIMEOUT":4}}
19:02:03.222 RSL: STATUS7 = {"StatusTIM":{"UTC":"2021-05-11T18:02:03","Local":"2021-05-11T19:02:03","StartDST":"2021-03-28T02:00:00","EndDST":"2021-10-31T03:00:00","Timezone":"+01:00","Sunrise":"05:13","Sunset":"20:19"}}
19:02:03.240 RSL: STATUS10 = {"StatusSNS":{"Time":"2021-05-11T19:02:03"}}
19:02:03.247 RSL: STATUS11 = {"StatusSTS":{"Time":"2021-05-11T19:02:03","Uptime":"0T00:05:32","UptimeSec":332,"Heap":20,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"MqttCount":0,"POWER":"OFF","Wifi":{"AP":1,"SSId":"Livebox-XXXX","BSSId":"48:29:52:77:5D:B0","Channel":1,"RSSI":92,"Signal":-54,"LinkCount":1,"Downtime":"0T00:00:03"}}}

• Set weblog to 4 and then, when you experience your issue, provide the output of the Console log:

  Tasmota console output here:
19:02:54.008 MQT: TLS connection error: 0
19:02:54.011 MQT: Connect failed to mqtt.home:8883, rc 5. Retry in 90 sec

  MQTT brocker console output here:
1620759285: New connection from 192.168.1.37 on port 8883.
1620759286: Socket error on client <unknown>, disconnecting.

TO REPRODUCE

I followed every step of this documentation with 3 different machines as advised :
https://tasmota.github.io/docs/Self-signed-Mosquitto/
I configured the extra steps for full CA validation but I tried with classic fingerprinting as well in order to troobleshoot but got the same issue.
The CA is working because I checked the server certificate with sslscan and I got another mqtt client working with TLS and client certificates.

Here is my user_config_override.h. I commented the lines to explain what tests I did to troobleshoot.

  user_config_override.h
#undef  STA_SSID1
#define STA_SSID1         "Livebox-XXXX" 

#undef  STA_PASS1
#define STA_PASS1         "secret"

#undef  MQTT_HOST
#define MQTT_HOST         "mqtt.home"

#ifndef USE_MQTT_TLS
#define USE_MQTT_TLS
#undef MQTT_TLS_ENABLED
#define MQTT_TLS_ENABLED true // I added thoses two options after ready this discussion https://github.com/arendst/Tasmota/discussions/11834 but that did not resolve the issue
#define USE_MQTT_TLS_CA_CERT // I tried with and without this option, I tried with fingerprinting as well with tasmota_fingerprint
#define USE_MQTT_AWS_IOT    // I tried with and without this line
#define USE_MQTT_TLS_FORCE_EC_CIPHER     // I tried with and without this line
#endif

#undef  MQTT_PORT
#define MQTT_PORT         8883

#undef  MQTT_USER
#define MQTT_USER         "MQTT_USER"

#undef  MQTT_PASS
#define MQTT_PASS         "secret"

I used home assistant mosquitto add-on as a broker with custom configuration in order to follow what's indicated in the documentation. (I disabled the integrated TLS configuration in order for mosquitto to use the custom one, and I tried with another client and it work)
I tried to force TLS version and ciphersuite.
Here is an extract of my mosquitto configuration with comments

protocol mqtt
allow_anonymous false
listener 8883
socket_domain ipv4
# Certs and Keys
cafile /ssl/ca.crt
certfile /ssl/mqtt.home.crt
keyfile /ssl/mqtt.home.pem
require_certificate true
ciphers ECDHE-RSA-AES128-GCM-SHA256 // I tried with and without those two last line 
tls_version tlsv1.2

EXPECTED BEHAVIOUR

I expect Tasmota to join the MQTT Broker through TLS without faillure

SCREENSHOTS

N/A

ADDITIONAL CONTEXT

The issue probably happens after the TLS handshake because I can see the handshake failling between the startup of the sonoff and the time I run the TlsKey1 et TlsKey2 commands.
I can the that through Tasmota error code 296 and mosquitto error (SSL routines:tls_process_client_certificate:peer did not return a certificate)
The TLS connection error: 0 happens afterwards.

(Please, remember to close the issue when the problem has been addressed)

[s-hadinger]

Tls error 0 means that tls was successful. Your error is on the Mqtt layer, not on the TLS layer.

Error rc 5 means that Mqtt authentication failed. Check the user, password or device name

[Deltamir]

Thank for your answer !

I'm certain user and password are correct since I use a keepass and I just doublecheck it.
Could you explain what I should consider concerning the device name ?

[Deltamir]

I just tried with the same configuration but with TLS disabled and the connexion to the MQTT broker is working
Here is the user_config_override.h I tried :

  user_config_override.h
#undef  STA_SSID1
#define STA_SSID1         "Livebox-XXXX" 

#undef  STA_PASS1
#define STA_PASS1         "secret"

#undef  MQTT_HOST
#define MQTT_HOST         "mqtt.home"

//#ifndef USE_MQTT_TLS
//#define USE_MQTT_TLS
//#undef MQTT_TLS_ENABLED
//#define MQTT_TLS_ENABLED true
//#define USE_MQTT_TLS_CA_CERT
//#define USE_MQTT_AWS_IOT
//#define USE_MQTT_TLS_FORCE_EC_CIPHER
//#endif

#undef  MQTT_PORT
#define MQTT_PORT         1883

#undef  MQTT_USER
#define MQTT_USER         "MQTT_USER"

#undef  MQTT_PASS
#define MQTT_PASS         "secret"

[s-hadinger]

That's strange. Error codes are explicit. The error comes from the Mqtt layer. Do you have lower level logs on the Mqtt broker side?

[Deltamir]

I did some inspection on the MQTT layer, turns out that the Sonoff is sending the client certificat's CN as the user for MQTT.
I don't know if MQTT with mutual TLS always work that way or if it's something I enabled with my config, but whatever the MQTT_USER and MQTT_PASS I use, it's the client certificate that carry the authentication for the MQTT Layer.

So I added use_identity_as_username true in the mosquitto configuration to match this behavior on the server side and added the ACLs corresponding to the CN, and it works !
Maybe it would be worthwhile to add this info on the documentation ?

If I can make a side suggestion, maybe it could help troubleshooting to add the meaning of error code 0 according to the rc value in this table ? https://tasmota.github.io/docs/TLS/#tls-troubleshooting
I don't mind making a PR if needed, but I don't know theses values

[s-hadinger]

Oh yes, that was a long time ago and I don't use mutual TLS anymore. This is hardcoded and this is the way AWS IoT works. To change this you will need to send a Pull Request.

[ascillato2]

Moving to discussions as this has become a feature request.