New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mosquitto has no option to configure TLS 1.3 cipher suites. #1825
Comments
Closes #1825. Thanks to Valentin Dimov.
I've now added the |
@ralight This fix should also solve #1283. Unfortunatly, I tried but I was still not able to enforce a specific TLS 1.3 cipher. Steps to test with respect to test.mosquitto.org:
An error
According to Testssl, test.mosquitto.org should support the following TLS 1.3 ciphers: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256. I tried also locally (eclipse-mosquitto:2-openssl Docker container and self-signed certificates and keys) with the following Mosquitto configuration. If i force the TLS 1.3 cipher, paho-mqtt provides always the same error, while if I remove the ciphers param from
|
Closes eclipse#1825. Thanks to Valentin Dimov.
When the broker or client library are set to use TLS 1.3, it seems the ciphers option doesn't affect which TLS 1.3 cipher suites are used at all, and in fact throws an error if a string like "TLS_AES_128_GCM_SHA256" is given.
Looking through the code (src/net.c in particular), I can see the library makes the call to SSL_CTX_set_cipher_list(). According to the OpenSSL manual (https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html), this call is only meant for TLS 1.2 and below. For TLS 1.3, the correct call would be SSL_CTX_set_ciphersuites().
As a proposed fix, listener -> tls_version can be used to check if TLS 1.3 is used, and if so, SSL_CTX_set_ciphersuites() can be called instead of SSL_CTX_set_cipher_list().
The text was updated successfully, but these errors were encountered: