Thanks for this write up. Unfortunately I don’t think you are actually connecting via TLS.
In your example, you create the CA certs, then you created server certs. (I think) This would allow the broker (mosquitto server) to send the cert to the openHAB client and the openHAB client to remember that cert after the first connection. This allows the client to "verify" the host (this is what the cert pinning stuff is in OH), but does not actually create a TLS connection.
You never created a client cert for openHAB
You never import any certs into openHAB
You have a username/password in your openHAB client configuration. TLS connections do not use username/passwords at all, they verify the login via the certs that you never created.
For example: using the command line clients and connecting to a broker I have set to accept both plain and TLS connections:
#client certificate settings
First, I show that if I specify no credentials, the broker rejects the connection (note, in your example config of mosquitto, you don’t specify allow_anonymous false so I suspect anyone can connect to your broker on port 1883 with no credentials at all!)
mosquitto_pub -h 192.168.1.200 -p 1883 -i "Test-Client" -t "testtopic/test" -m 'foobbar'
Connection Refused: not authorised.
Error: The connection was refused.
Next, I show an unencrypted connection to my broker on port 1883 using uname/passwd authentication
mosquitto_pub -h 192.168.1.200 -p 1883 -i "Test-Client" -u foo -P bar -d -t "testtopic/test" -m 'foobbar'
Client Test-Client sending CONNECT
Client Test-Client received CONNACK
Client Test-Client sending PUBLISH (d0, q0, r0, m1, 'testtopic/test', ... (7 bytes))
Client Test-Client sending DISCONNECT
In my mosquitto log I see:
1609602216: New connection from 192.168.1.50 on port 1883.
1609602216: New client connected from 192.168.1.50 as Test-Client (c1, k60, u'openhabian').
1609602216: No will message specified.
1609602216: Sending CONNACK to Test-Client (0, 0)
1609602216: Received PUBLISH from Test-Client (d0, q0, r0, m0, 'testtopic/test', ... (7 bytes))
1609602216: Received DISCONNECT from Test-Client
Lastly, a TLS connection to port 8883 which uses no uname/passwd at all
mosquitto_pub -h 192.168.1.200 -p 8883 -i "Test-Client" --cafile /home/tom/ssl/ca.crt --cert /home/tom/ssl/client.crt --key /home/tom/ssl/client.key -d -t "testtopic/test" -m 'foobbar'
In my mosquitto log I see:
1609601153: New connection from 192.168.1.50 on port 8883.
1609601153: New client connected from 192.168.1.50 as Test-Client (c1, k60, u'Heyu').
1609601153: No will message specified.
1609601153: Sending CONNACK to Test-Client (0, 0)
1609601153: Received PUBLISH from Test-Client (d0, q0, r0, m0, 'testtopic/test', ... (7 bytes))
1609601153: Received DISCONNECT from Test-Client
BTW, to answer your questions, mosquitto logs are configured by you in
with the line:
log_dest file /var/log/mosquitto/mosquitto.log
So for me, to watch the log in real time, I use
tail -f /var/log/mosquitto/mosquitto.log
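
Added example, not part of the post above and not mosquitto's or openHAB's own code. It does the two things the reply says were missing: it builds a private CA, a broker certificate and a client certificate with openssl, checks each one against the CA the way a broker configured with cafile plus require_certificate would (including a client cert from a different CA, which must fail), and writes a mosquitto.conf that sets allow_anonymous false on the plain listener and requires client certificates on 8883. The broker IP 192.168.1.200, the client CN "Test-Client", the CA names, and the /etc/mosquitto paths are assumptions for illustration; the script itself only writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the post above or from mosquitto/openHAB.
# Builds a private CA, a broker (server) certificate and a client
# certificate with openssl, checks them against the CA as a broker with
# cafile + require_certificate would, and writes a mosquitto.conf that
# refuses anonymous clients. The IP 192.168.1.200, the CN "Test-Client"
# and the /etc/mosquitto paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs
DAYS=365

# make_ca DIR CN: self-signed CA key + cert in DIR/ca.key and DIR/ca.crt
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" 2>/dev/null
}

# issue_cert DIR NAME CN [SAN]: key + CSR for NAME, signed by the CA in DIR.
# A broker cert needs a SAN (e.g. IP:192.168.1.200) so that clients can
# match the host they connected to; a client cert does not.
issue_cert() {
  san="${4:-}"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days "$DAYS" -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days "$DAYS" -out "$1/$2.crt" 2>/dev/null
  fi
}

# verify_cert CAFILE CERT: prints OK if CERT chains to CAFILE, else FAIL.
# This is the check the broker runs on a client cert (and the client on
# the broker cert) during the TLS handshake.
verify_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# cert_cn CERT: prints the subject CN, which mosquitto logs as the
# username (the u'...' field) when use_identity_as_username is true.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# write_broker_conf CERTDIR OUT: broker config with the weak default
# (allow_anonymous left unset) fixed: password auth on 1883, client
# certificates required on 8883. CERTDIR is where the files will live
# on the broker host.
write_broker_conf() {
  cat > "$2" <<EOF
# Plain listener: only password-authenticated clients
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd

# TLS listener: clients must present a certificate signed by our CA;
# the certificate CN becomes the username, no password is involved
listener 8883
cafile $1/ca.crt
certfile $1/server.crt
keyfile $1/server.key
require_certificate true
use_identity_as_username true

log_dest file /var/log/mosquitto/mosquitto.log
log_type all
EOF
}

# Run it: our CA, a broker cert, a legitimate client cert, and a client
# cert issued by some other CA that the broker must reject.
make_ca "$WORK" "Home MQTT CA"
issue_cert "$WORK" server 192.168.1.200 IP:192.168.1.200
issue_cert "$WORK" client Test-Client
make_ca "$WORK/other" "Someone Elses CA"
issue_cert "$WORK/other" client Test-Client
write_broker_conf /etc/mosquitto/certs "$WORK/mosquitto.conf"

echo "broker cert:       $(verify_cert "$WORK/ca.crt" "$WORK/server.crt")"
echo "client cert:       $(verify_cert "$WORK/ca.crt" "$WORK/client.crt")"
echo "foreign client:    $(verify_cert "$WORK/ca.crt" "$WORK/other/client.crt")"
echo "client username:   $(cert_cn "$WORK/client.crt")"
echo "config written to: $WORK/mosquitto.conf"
```

Copy ca.crt, server.crt and server.key to the broker, point cafile/certfile/keyfile at them, and give the client ca.crt, client.crt and client.key; that is the set of files the mosquitto_pub TLS command above takes with --cafile, --cert and --key. The foreign client cert is there to show what require_certificate buys you: a cert that does not chain to your CA is rejected in the handshake, before any MQTT CONNECT is seen.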