mosquitto_sub can't connect to IPv6 only hosts via TLS #376

Closed
Tho85 opened this issue Feb 10, 2017 · 3 comments

Tho85 commented Feb 10, 2017

mosquitto_sub can't connect to IPv6 only hosts via TLS.

Steps to reproduce

  • Compile clients from current master branch:
    cd clients && make
    
  • Download CA certificate for test.mosquitto.org:
    wget https://test.mosquitto.org/ssl/mosquitto.org.crt
    
  • Try to connect to a test topic
    ./mosquitto_sub -h test6.mosquitto.org --cafile mosquitto.org.crt -p 8883 -t foo
    

Expected behavior

The client should connect and I should see a test message (e.g. "Hello world!").

Actual behavior

The client doesn't connect. An error occurs: Unable to connect (Lookup error.).

Further information

A Wireshark dump shows that mosquitto_sub tries to resolve an IPv4 address for test6.mosquitto.org if called with the --cafile option, and both an IPv4 and an IPv6 address if called without --cafile:

# DNS queries for command ./mosquitto_sub -h test6.mosquitto.org --cafile mosquitto.org.crt -p 8883 -t foo
  1 0.000000000 10.0.0.42 -> 10.0.0.1 DNS 79 Standard query 0x58d7 A test6.mosquitto.org
  2 0.012074847 10.0.0.1 -> 10.0.0.42 DNS 137 Standard query response 0x58d7 A test6.mosquitto.org SOA ns1.atchoo.org

# DNS queries for command ./mosquitto_sub -h test6.mosquitto.org -t foo
  5 8.005033208 10.0.0.42 -> 10.0.0.1 DNS 79 Standard query 0x1626 A test6.mosquitto.org
  6 8.005049508 10.0.0.42 -> 10.0.0.1 DNS 79 Standard query 0x30eb AAAA test6.mosquitto.org
  7 8.007993095 10.0.0.1 -> 10.0.0.42 DNS 79 Standard query response 0x1626 A test6.mosquitto.org
  8 8.052904437 10.0.0.1 -> 10.0.0.42 DNS 107 Standard query response 0x30eb AAAA test6.mosquitto.org AAAA 2001:41d0:a:3a10::1

Environment

  • OS: Ubuntu 16.04
  • OpenSSL version (libssl-dev): 1.0.2g-1ubuntu4.6

Tho85 commented Feb 10, 2017

I narrowed it down to lib/net_mosq.c#L284-L288 which was introduced in 041f60c:

#ifdef WITH_TLS
	if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
		hints.ai_family = PF_INET;
	}else
#endif
	{
		hints.ai_family = PF_UNSPEC;
	}

If I remove the conditional and always set hints.ai_family = PF_UNSPEC; it works, but then some tests fail (namely the test 08-ssl-bridge.py). What is the correct solution for this?
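
The effect of that `ai_family` hint on an IPv6-only host, as an added example that is not part of the thread or of mosquitto's code: `family_hint()` restates the quoted conditional with a hypothetical `tls_configured` flag, and `lookup_family()` is a hypothetical helper. The AAAA address from the capture above is used as a numeric literal so the lookup needs no DNS.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* The AAAA answer shown in the capture above; as a numeric literal it
 * stands in for an IPv6-only host without needing DNS. */
#define V6_ONLY_HOST "2001:41d0:a:3a10::1"

/* Mirrors the conditional quoted from lib/net_mosq.c: any TLS option
 * pins the lookup to IPv4. tls_configured is a hypothetical stand-in
 * for the mosq->tls_cafile / tls_capath / tls_psk test. */
static int family_hint(int tls_configured)
{
    return tls_configured ? PF_INET : PF_UNSPEC;
}

/* Returns the family of the first address found, or -1 when
 * getaddrinfo() fails (reported by the client as "Lookup error."). */
static int lookup_family(const char *host, const char *port, int hint)
{
    struct addrinfo hints, *res = NULL;
    int fam;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = hint;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; /* no network I/O */
    if (getaddrinfo(host, port, &hints, &res) != 0 || res == NULL)
        return -1;
    fam = res->ai_family;
    freeaddrinfo(res);
    return fam;
}

int main(void)
{
    int with_tls = lookup_family(V6_ONLY_HOST, "8883", family_hint(1));
    int no_tls = lookup_family(V6_ONLY_HOST, "1883", family_hint(0));

    printf("TLS options set: %s\n", with_tls < 0 ? "lookup error" : "resolved");
    printf("no TLS options:  %s\n", no_tls == AF_INET6 ? "resolved to IPv6" : "unexpected");
    return 0;
}
```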


ralight commented Feb 10, 2017

Hi @Tho85, this is down to support for IPv6 being historically lacking in OpenSSL. This has already been fixed in the fixes branch which should be released as version 1.4.11 real soon now.


ralight commented Feb 11, 2017

This is the same code as in #323, although the subject is different. I'm hence marking this as a duplicate and closing it. Thanks for the good report anyway!

@ralight ralight closed this as completed Feb 11, 2017
@lock lock bot locked as resolved and limited conversation to collaborators Aug 8, 2019