[Bug]: MQTT Client Proxy TLS handshake fails on custom broker with valid Let's Encrypt cert (T1000e)

[WB3IHY]

Contact Details

wb3ihy@gmail.com

Checklist

• I am able to reproduce the bug with the latest version.

• I have updated to the latest Alpha firmware, and am able to reproduce the bug. Many issues are fixed quickly in alpha before the general beta release.

• I made sure that there are no existing OPEN or CLOSED issues which I could contribute my information to.

• I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise.

• This issue contains only one bug.

• I have read and understood the Contribution Guidelines.

• I agree to follow this project's Code of Conduct

• I actually read this list, and should be taken seriously.

Affected app version

Version: 2.7.14 (29320672)

Affected Android version

Android 12

Affected phone model

Samsung Galaxy S10e

Affected node model

SenseCAP T1000e

Affected node firmware version

2.7.23.b246bcd

Steps to reproduce the bug

1. Configure a custom MQTT broker (Mosquitto) with a valid Let's Encrypt RSA
   certificate (R13 intermediate) on port 8883
2. On a SenseCAP T1000e (no WiFi capability), configure MQTT with:
   • Client Proxy: enabled
   • TLS: enabled
   • Custom broker address (port 8883)
   • Valid credentials
3. Connect Android app to T1000e via Bluetooth
4. Attempt MQTT connection via the app

Actual behavior

TLS handshake fails immediately. The Android app reports "TLS handshake failed."
The broker sees the connection attempt and immediately drops it cleanly with no
TLS error logged on the server side.

Expected behavior

TLS handshake should complete successfully and the MQTT connection should be
established, consistent with the behavior seen when proxy is disabled and the
device handles TLS directly over its own WiFi connection.

Screenshots/Screen recordings

No response

Relevant log output

# Mosquitto broker log (port 8883):
New connection from [ip]:port on port 8883.
Client [ip] disconnected: Success.

# Android app:
TLS handshake failed

# Successful control test (mosquitto_sub from Linux):
mosquitto_sub -h mqtt.example.com -p 8883 --capath /etc/ssl/certs \
  -u user -P pass -t "test/#" -v
# -> connects cleanly, no errors

Additional information

• Broker: Mosquitto on Ubuntu 24, Let's Encrypt cert (R13/RSA intermediate),
  configured with fullchain.pem
• Disabling TLS and connecting on port 1883 with proxy on: works correctly
• Direct connection with proxy off and device WiFi (Heltec V4): TLS works correctly
• Same credentials and broker used by other nodes successfully
• log_type all enabled on broker — no OpenSSL errors logged, only clean disconnect
• Issue appears related to MQTTastic-Client-KMP migration (PRs feat(mqtt): migrate to MQTTastic-Client-KMP #5165/feat(mqtt): adopt mqttastic-client-kmp 0.2.0 — disconnect reasons + Test Connection #5181)
• PR fix(mqtt): harden TLS enforcement, add user CA trust, and improve error diagnostics #5365 (TLS hardening fix) is present in this build but does not resolve the issue

[github-actions]

{
  "complete": false,
  "comment": "Please provide the Android app debug logs by going to Settings > Debug > Save Logs, reproducing the problem, and sharing the exported log file. Additionally, if the logs are insufficient, connect your phone via USB with USB debugging enabled and run 'adb logcat -s Meshtastic:* *:E', then reproduce the problem and copy/paste the relevant output.",
  "label": "needs-logs"
}

[WB3IHY]

{
"complete": false,
"comment": "Please provide the Android app debug logs by going to Settings > Debug > Save Logs, reproducing the problem, and sharing the exported log file. Additionally, if the logs are insufficient, connect your phone via USB with USB debugging enabled and run 'adb logcat -s Meshtastic:* *:E', then reproduce the problem and copy/paste the relevant output.",
"label": "needs-logs"
}

No TLS-related output captured in either:

• In-app Debug Panel

meshtastic_debug_20260511_001730.txt

export (8.4MB log attached)

• adb logcat scoped to com.geeksville.mesh PID

The MQTTastic library appears to be silently swallowing the SSL
exception with no stack trace logged anywhere. The UI reports
"TLS handshake failed" but no underlying cause is available.

[WB3IHY]

Additional data points:

• A second user has confirmed the same failure on a non-beta Android
  release (2.7.13 29320069), suggesting this is not specific to the MQTTastic-Client-KMP
  migration and may be a longer-standing bug.

• A third user with an iPhone (iOS Meshtastic app) using the same device
  (T1000e) with proxy enabled and TLS enabled connects successfully to a
  custom broker. This confirms the broker configuration and device firmware
  are not factors — the issue is Android-specific.

[clayauld]

I can confirm that this issue now breaks TLS on all configurations I have. I had TLS working in prior versions of meshtastic on the Heltec v1.1 but with recent firmware versions and the Android app I can not get the TLS handshake to succeed. I have tried:

1. LetsEncrypt TLS certs inside mosquitto
2. LetsEncrypt TLS certs with traefik in front of mosquitto to server TLS handshake
3. ZeroSSL TSL certsinside mosquitto
4. ZeroSSL TSL certs with traefik in front of mosquitto to server TLS handshake

I've been able to use an MQTT client on my Android phone, as well as a Linux machine to validate that this server is working properly. The only way I can get Meshtastic nodes to connect is to disable TLS.

This was working a month ago, but recent updates broke things.