DHE cipher suites does not work

[Noxet]

when limiting the cipher suites to some DHE suite, e.g.,
DHE-PSK-AES256-CCM
DHE-PSK-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256,

mosquitto logs the following error message:

OpenSSL Error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Socket error on client <unknown>, disconnecting.

Using any of the ECDHE suites, there is no problem. The problem arises for PKI aswell.

mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /home/iotproj/mqtt/mosquitto.log

port 1883

# PKI
listener 8883
certfile /home/iotproj/mqtt/certs/server.pem
keyfile /home/iotproj/mqtt/certs/server.key
cafile /home/iotproj/mqtt/certs/ca.pem
tls_version tlsv1.2
ciphers DHE-RSA-AES256-GCM-SHA384
require_certificate false

# PSK
listener 8884
psk_hint "squid"
use_identity_as_username true 
ciphers DHE-PSK-AES128-CCM
psk_file /home/iotproj/mqtt/preshared.keys

Testing both with the mosquitto_pub command aswell as running an MQTT client on an ESP32 results in the same error.

mosquitto version 1.4.10 on debian.

EDIT:
verified that the problem occurs with mosquitto version 1.6.7 too.

[Pluto1010]

How did you solve that?

[Noxet]

Well, I haven't, this is still a problem..

[numericOverflow]

I'm having this problem too while attempting to connect using MQTT Explorer. It connects works perfectly to connect from a Win Server2012R2 (build 9600) but when connecting from my Win10 machine (1909, build 18363.657) I get the same error shown above. Excerpt from my mosquitto.log:

1583285482: New connection from 192.168.1.1 on port 8883.
1583285482: OpenSSL Error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
1583285482: Socket error on client <unknown>, disconnecting.

Mosquitto config is setup for certificates only, and I used the exact same certs copied from one machine to the other. Mosquitto (1.6.8-0mosquitto1~buster1) installed on Ubuntu server (Linux version 4.15.0-46-generic (buildd@lgw01-amd64-038) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3))

[demvy]

Have this issue too and seems, it is just mosquitto error. As host, using Ubuntu 16.04, installed only official deb packages

mosquitto version 1.4.8 (build date Tue, 18 Jun 2019)
OpenSSL 1.1.1a 20 Nov 2018

Issue consists in: Alert message from MQTT server instead of sending Server Hello packet. MQTT broker prints errors in the console:

1606990532: mosquitto version 1.4.8 (build date Tue, 18 Jun 2019 11:59:34 -0300) starting
1606990532: Config loaded from mqtt_hce.conf.
1606990532: Opening ipv4 listen socket on port 1885.
1606990532: Opening ipv6 listen socket on port 1885.
1606990545: Client connection from 192.168.0.104 failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.

In the same time, client and broker have shared cipher suite (in my case - 0x006B), this is seen from Client Hello message and options in the mosquitto config.
This is done only when using DHE as key exchange algo. With RSA/ECDH/ECDHE, it works as expected.
Tried to create the same session with pure OpenSSL server. This works correctly and client can connect, cmd line:
openssl s_server -cert device.crt -key device.key -accept 1885 -cipher DHE-RSA-AES256-SHA256 -verify 1 -CAfile rootCA_chain.pem

Please check mosquitto config, it uses the same files and settings:

listener 1885
cafile ./rootCA_chain.pem
certfile ./device.crt
keyfile ./device.key
ciphers DHE-RSA-AES256-SHA256
require_certificate true
connection_messages true

For connections, used openssl client:
openssl s_client -connect 192.168.0.104:1885 -tls1_2 -CAfile rootCA.pem -cert ecc_sign/client.crt -key ecc_sign/client.key

Results of testing:
openssl s_client -> mosquitto FAIL
openssl s_client -> openssl s_server OK