TLS configuration with websockets

[dinacel]

TLS version and ciphers are restricted on port 8883 but not on the websocket port 8884. It seems "ciphers" and "tls_version" have no effect with this proto.

listener 1883
protocol mqtt

listener 8883
protocol mqtt
cafile /etc/mosquitto/ca_certificates/chain.crt
certfile /etc/mosquitto/certs/mosquitto.pem
keyfile /etc/mosquitto/certs/mosquitto.key
ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_version tlsv1.2

listener 1884
protocol websockets

listener 8884
protocol websockets
cafile /etc/mosquitto/ca_certificates/chain.crt
certfile /etc/mosquitto/certs/mosquitto.pem
keyfile /etc/mosquitto/certs/mosquitto.key
ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_version tlsv1.2

[ralight]

What version of libwebsockets are you using? Ciphers should work for not too old versions, but libwebsockets doesn't allow you to restrict the TLS versions in use.

[dinacel]

I'm on Debian stable so it's the libwebsockets 1.2.2 and it's really old so it seems it's the root cause.

[ralight]

Ah yes, that would definitely do it. If you don't mind I'm going to close this issue as it isn't really mosquitto that is the problem.