MQTTS: mosquitto broker doesn't use all cipher suites from OpenSSL #1925

Closed
demvy opened this issue Dec 3, 2020 · 4 comments

demvy commented Dec 3, 2020

In continuation of the DHE support issue, I found a new one. It seems mosquitto doesn't use OpenSSL fully.
It can't launch the broker with some cipher suites that are available in the installed version of OpenSSL. During launch, I see errors:

$ mosquitto -c mqtt_hce.conf -v
1606993071: mosquitto version 1.4.8 (build date Tue, 18 Jun 2019 11:59:34 -0300) starting
1606993071: Config loaded from mqtt_hce.conf.
1606993071: Opening ipv4 listen socket on port 1885.
1606993071: Opening ipv6 listen socket on port 1885.
1606993071: Error: Unable to set TLS ciphers. Check cipher list "DHE-RSA-CHACHA20-POLY1305".

At the same time, I can bring up an OpenSSL server (TCP socket with security) with this command:
openssl s_server -cert device.crt -key device.key -accept 1885 -cipher DHE-RSA-CHACHA20-POLY1305 -verify 1 -CAfile rootCA_chain.pem -tls1_2

To launch mosquitto broker I've used this config:

cat mqtt_hce.conf
listener 1885
cafile ./rootCA_chain.pem
certfile ./device.crt
keyfile ./device.key
ciphers DHE-RSA-CHACHA20-POLY1305
require_certificate true
connection_messages true

Setup: Ubuntu 16.04 with official deb packages:
mosquitto version 1.4.8 (build date Tue, 18 Jun 2019)
OpenSSL 1.1.1a 20 Nov 2018


ralight commented Dec 6, 2020

I've been looking into this and see the same as you, but so far I can't see what the difference is between what mosquitto uses and what s_server does. I'll keep looking.


sectokia commented Dec 9, 2020

I think mosquitto is missing the use of SSL_CTX_set_dh_auto; the default is off, so no DH is supported.

Somewhere in net__init_ssl_ctx add SSL_CTX_set_dh_auto(mosq->ssl_ctx,1); ?


ralight commented Dec 9, 2020

Thanks @sectokia , that does indeed seem to fix it.
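As an added example, not code from this issue or from the mosquitto project: a shell check that brings up a loopback TLS server offering only the DHE suite from the report, then asks which suite a client actually negotiates; the same check, pointed at a broker listener, tells you whether DHE works there after the fix. The port 18850 and the self-signed certificate are constructed for this run.

```shell
#!/bin/sh
# Added example (not mosquitto project code): start a throwaway TLS server on
# loopback that offers only the DHE suite from the issue, then ask which suite a
# client really negotiates. The same negotiated_cipher check works against a
# mosquitto listener once it is up (use the listener's host and port).
set -u

PORT=18850                     # constructed loopback port, assumed to be free
WORK=$(mktemp -d)
SRV=
trap 'kill $SRV 2>/dev/null; rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate for this run (not the issue's device.crt).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Server side, like the issue's s_server command but serving a dummy page (-www)
# so it runs unattended. s_server sets up DH parameters on its own when no
# -dhparam is given, so the DHE-only suite is usable here.
openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    -cipher DHE-RSA-CHACHA20-POLY1305 -tls1_2 -www >/dev/null 2>&1 &
SRV=$!

# Wait until the listener accepts TCP connections (s_client prints CONNECTED on
# a successful TCP connect even when the TLS handshake then fails).
i=0
while [ "$i" -lt 20 ]; do
    if openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>&1 | grep -q CONNECTED; then
        break
    fi
    i=$((i + 1)); sleep 1
done

# negotiated_cipher HOST PORT CIPHERLIST: print the suite the server picked when
# the client offers only CIPHERLIST over TLS 1.2, or NONE if the handshake fails.
# For a broker, NONE on a DHE-only offer means it has no DH parameters to use.
negotiated_cipher() {
    out=$(echo Q | openssl s_client -connect "$1:$2" -cipher "$3" -tls1_2 2>/dev/null) || true
    suite=$(printf '%s\n' "$out" | sed -n 's/^.*Cipher is \([^ ]*\).*$/\1/p' | head -n 1)
    case "$suite" in
        ""|"(NONE)") echo NONE ;;
        *)           echo "$suite" ;;
    esac
}

echo "DHE offered:   $(negotiated_cipher 127.0.0.1 "$PORT" DHE-RSA-CHACHA20-POLY1305)"
echo "ECDHE offered: $(negotiated_cipher 127.0.0.1 "$PORT" ECDHE-RSA-AES128-GCM-SHA256)"
```

The second call offers a suite the server does not allow, so it reports NONE; against a 1.4.8 broker the first call would report NONE as well, which is the symptom this issue describes.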

@ralight ralight added this to the 2.0.1 milestone Dec 9, 2020
ralight added a commit that referenced this issue Dec 9, 2020
This meant ciphers using DHE couldn't be used.

Closes #1925. Closes #1476. Thanks to Jonathan Sönnerup, Valerii
Demeshko, and sectokia.

demvy commented Dec 18, 2020

Thanks @ralight @sectokia for the fast fix!

fAuernigg pushed a commit to fAuernigg/mosquitto that referenced this issue Jan 4, 2021
This meant ciphers using DHE couldn't be used.

Closes eclipse#1925. Closes eclipse#1476. Thanks to Jonathan Sönnerup, Valerii
Demeshko, and sectokia.