VerneMQ bridge to Mosquitto broker with TLS 1.3 fails with error:0A00010B:SSL routines::wrong version number

I’m trying to create a bridge from a VerneMQ 2.0.1 (Debian package) to a Mosquitto 2.0.11 broker running on port 8883 with TLSv1.3 enabled. MQTT-Explorer, Home Assistant and other MQTT clients can connect to the Mosquitto broker. Unfortunately VerneMQ won’t connect.

While the log files of VerneMQ don’t show anything related, the Mosquitto server logs "Client connection from myIp failed: error:0A00010B:SSL routines::wrong version number."
curl -v https://mydomain:8883 and openssl s_client -connect mydomain:8883 show that the server runs tlsv1.3.

I’ve modified the bridge’s ssl entry to vmq_bridge.ssl.sbr0.tls_version = tlsv1.3 to no avail. The cafile option for the bridge is set as well. Just for completeness I’ve also changed:

listener.ssl.tls_version = tlsv1.3
listener.vmqs.tls_version = tlsv1.3
listener.https.tls_version = tlsv1.3

Any ideas on how to proceed?

Hi Arthur,
is your bridge really ssl.sbr0 for all of the settings?

Note that the TLS version of the VerneMQ listeners is unrelated here.
This is about the Bridge plugin opening a TLS connection, not VerneMQ receiving one.

1 Like

Ah, that was it. I had to replace tcp with ssl in all the bridge settings. Thanks!

For those having trouble connecting to a Let’s Encrypt protected broker: on Debian I’ve now used
vmq_bridge.ssl.br0.cafile = /etc/ssl/certs/ca-certificates.crt
instead of the cacerts file directly from Let’s Encrypt.

1 Like
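
The mix-up resolved in this thread (some settings of one bridge under vmq_bridge.tcp, others under vmq_bridge.ssl) can be caught before restarting the broker. The following is an added example, not part of the thread or of VerneMQ: lint_bridges is a hypothetical helper, both config samples are constructed from the keys quoted above, and the port 8883 check is only a heuristic.

```python
import re
from collections import defaultdict

# vmq_bridge.<transport>.<name>[.<option>] as used in the settings quoted above
BRIDGE_KEY = re.compile(r"^vmq_bridge\.(tcp|ssl)\.([^.\s]+)(?:\.(\S+))?$")
TLS_ONLY = {"cafile", "tls_version"}  # TLS options that appear in the thread

def lint_bridges(conf_text):
    """Return warnings for bridges whose settings mix the tcp and ssl prefixes."""
    bridges = defaultdict(lambda: {"tcp": {}, "ssl": {}})
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = BRIDGE_KEY.match(key)
        if m:
            transport, name, option = m.groups()
            bridges[name][transport][option or "endpoint"] = value
    warnings = []
    for name, cfg in sorted(bridges.items()):
        tcp, ssl = cfg["tcp"], cfg["ssl"]
        if tcp and ssl:
            warnings.append(f"{name}: settings split between vmq_bridge.tcp and vmq_bridge.ssl")
        if ssl and "endpoint" not in ssl:
            warnings.append(f"{name}: ssl options set but no vmq_bridge.ssl.{name} endpoint")
        stray = sorted(TLS_ONLY & tcp.keys())
        if stray:
            warnings.append(f"{name}: TLS options under tcp prefix: {', '.join(stray)}")
        # Heuristic: 8883 is the conventional MQTT-over-TLS port
        if tcp.get("endpoint", "").endswith(":8883"):
            warnings.append(f"{name}: plaintext tcp bridge targets port 8883")
    return warnings

# Constructed sample: endpoint under tcp, TLS options under ssl
BROKEN = """
listener.ssl.tls_version = tlsv1.3
vmq_bridge.tcp.sbr0 = mydomain:8883
vmq_bridge.ssl.sbr0.tls_version = tlsv1.3
vmq_bridge.ssl.sbr0.cafile = /etc/ssl/certs/ca-certificates.crt
"""
# Constructed sample: every setting of the bridge under the ssl prefix
FIXED = BROKEN.replace("vmq_bridge.tcp.", "vmq_bridge.ssl.")

if __name__ == "__main__":
    for warning in lint_bridges(BROKEN):
        print("WARN", warning)
```

A bridge that speaks plain MQTT to a TLS listener is what makes the remote broker report "wrong version number", so any warning for a bridge name is worth resolving before looking at tls_version or the CA file.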