"Official" CentOS 7 mosquitto 1.4.4 RPM lacks ECC support #24

Closed
ralight opened this issue Mar 15, 2016 · 0 comments

ralight commented Mar 15, 2016

migrated from Bugzilla #478263
status RESOLVED severity normal in component Mosquitto for 1.4
Reported in version 1.4 on platform PC
Assigned to: Roger Light

On 2015-09-24 03:29:03 -0400, Ville Warsta wrote:

Mosquitto 1.4.4 RPM from the repo http://download.opensuse.org/repositories/home:/oojah:/mqtt/CentOS_CentOS-7/home:oojah:mqtt.repo does not support ECC cipher suites.

Is this intentional or perhaps the build machine has an outdated version of openssl-devel?

Ciphers with the prebuilt RPM from the repo above and "tls_version tlsv1.2" in mosquitto configuration:

$ nmap -sV -PN -p 8883 x.x.x.x --script ssl-enum-ciphers

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-24 10:11 EEST
Nmap scan report for x.x.x.x
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
8883/tcp open ssl/unknown
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: weak

Ciphers with an RPM built in a CentOS 7 machine from the 1.4.4 SRPM (no additional patches) and "tls_version tlsv1.2" in mosquitto configuration:

$ nmap -sV -PN -p 8883 x.x.x.x --script ssl-enum-ciphers

Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-24 10:10 EEST
Nmap scan report for x.x.x.x
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
8883/tcp open ssl/unknown
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_IDEA_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: weak

On 2015-09-24 04:20:18 -0400, Roger Light wrote:

The builds were set to disable EC, I can't remember why though. I've enabled it again and the build has succeeded so this should be fixed now.

Thanks for the report.

On 2015-11-20 09:35:27 -0500, Ville Warsta wrote:

Sorry for the delay; I recently tried with the latest CentOS7 RPM (mosquitto-1.4.5-1.1.x86_64.rpm) and it seems that ECDHE is still not possible.

@ralight ralight closed this as completed Mar 15, 2016
@lock lock bot locked as resolved and limited conversation to collaborators Aug 8, 2019
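
A way to check a broker build for the regression reported in this thread, as an added example that is not part of the original issue or the mosquitto project: it parses `ssl-enum-ciphers` text output and reports, per protocol, which suites use ephemeral (EC)DHE key exchange and which use static RSA. The function names and the two sample inputs are assumptions; the samples are constructed by trimming the scans quoted above.

```python
import re

# Line shapes printed by nmap's ssl-enum-ciphers script (text output).
PROTO_RE = re.compile(r"^\|[\s_|]*((?:SSLv|TLSv)[\d.]+):")
SUITE_RE = re.compile(r"^\|[\s_|]*(TLS_[A-Z0-9_]+)\s+-\s+\w+")

def parse_suites(nmap_text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers output."""
    result, proto = {}, None
    for line in map(str.strip, nmap_text.splitlines()):
        if m := PROTO_RE.match(line):
            proto = m.group(1)
            result.setdefault(proto, [])
        elif (m := SUITE_RE.match(line)) and proto:
            result[proto].append(m.group(1))
    return result

def key_exchange(suite):
    """TLS_<kx>_WITH_<cipher> -> first token of <kx>, e.g. ECDHE or RSA."""
    return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]

def audit(nmap_text):
    """Per protocol, split suites into ephemeral and static key exchange."""
    report = {}
    for proto, suites in parse_suites(nmap_text).items():
        fs = [s for s in suites if key_exchange(s) in ("ECDHE", "DHE")]
        report[proto] = {
            "forward_secret": fs,
            "static": [s for s in suites if s not in fs],
            "ecc": any(key_exchange(s).startswith("EC") for s in suites),
        }
    return report

# Constructed samples: trimmed from the two scans quoted in the report.
HEADER = "| ssl-enum-ciphers:\n| SSLv3: No supported ciphers found\n| TLSv1.2:\n| ciphers:\n"
STATIC = "| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong\n| TLS_RSA_WITH_RC4_128_SHA - strong\n"
PREBUILT = HEADER + STATIC + "|_ least strength: weak\n"
REBUILT = (HEADER + "| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong\n"
           + STATIC + "|_ least strength: weak\n")

if __name__ == "__main__":
    for name, text in (("prebuilt", PREBUILT), ("rebuilt", REBUILT)):
        tls12 = audit(text)["TLSv1.2"]
        print(name, "ECC:", tls12["ecc"], "forward-secret:", len(tls12["forward_secret"]))
```

Run against the scan of a freshly installed package, an empty `forward_secret` list for TLSv1.2 indicates the build was made without EC support, as with the prebuilt RPM in this report.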