Dear Eclipse Security team,

when trying to connect with tls1.3 both the broker and the client (mosquitto_pub) are ignoring the "ciphers" keyword and always using TLS_AES_256_GCM_SHA384 even if other ciphers (or any random string such as "test") are specified.

Component: mosquitto 1.6.2 (latest) and mosquitto_pub 1.6.2 (latest)
OS: Linux (Ubuntu 18.10)

Client string:
-> mosquitto_pub -h 127.0.0.1 -t "test" -p 8883 -i "Client1" -u Client1 -m "message" --cafile ca.pem --cert client.crt --key client.key --tls-version tlsv1.3 --ciphers example --insecure

**********************************
listener 8883
allow_anonymous false
cafile cert/ca.pem
certfile cert/server.crt
keyfile cert/server.key
tls_version tlsv1.3
ciphers test
log_type all
log_dest stdout
*************************************
I don't see an entry for Mosquitto here which implies they are using Github issues. I've re-assigned this to the PL of the mosquitto project. -M.
I can confirm this is the case; cipher suites for TLS v1.3 are configured differently in openssl than for TLS v1.2 and below. We will add a new option to allow it to be changed. Setting an invalid cipher should fail; it does on more recent versions of openssl. It doesn't seem to matter what string you use on the version in Ubuntu 18.10; no error is returned by openssl.
And as suggested, general issues should go to https://github.com/eclipse/mosquitto/issues. For security-related issues where there is a risk if the issue is made public you should use one of the procedures on https://www.eclipse.org/security/ when reporting.
(In reply to Roger Light from comment #3)
> And as suggested, general issues should go to
> https://github.com/eclipse/mosquitto/issues. For security-related issues
> where there is a risk if the issue is made public you should use one of the
> procedures on https://www.eclipse.org/security/ when reporting.

Thanks for your time, we opened an issue on Github as you suggested.
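The behaviour confirmed in the thread above can be checked from the outside by asking OpenSSL which suites a context will really offer after a cipher string is applied. This is an added example, not code from the report or from the mosquitto project; it uses Python's ssl module (a wrapper around OpenSSL), and the function names `effective_suites` and `unrestricted_tls13` are made up for illustration.

```python
import ssl


def effective_suites(cipher_string):
    """Apply an OpenSSL cipher string and report what the context offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    report = {"accepted": True, "error": None,
              "tls13_supported": ssl.HAS_TLSv1_3}
    try:
        # The cipher string only governs TLS 1.2-and-below suites.
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # OpenSSL builds that validate the string land here; the build in the
        # report accepted any string without returning an error.
        report["accepted"] = False
        report["error"] = str(exc)
    suites = ctx.get_ciphers()
    report["tls13"] = [s["name"] for s in suites if s["protocol"] == "TLSv1.3"]
    report["legacy"] = [s["name"] for s in suites if s["protocol"] != "TLSv1.3"]
    return report


def unrestricted_tls13(cipher_string, intended=()):
    """TLS 1.3 suites still enabled although the operator did not intend them."""
    report = effective_suites(cipher_string)
    return [name for name in report["tls13"] if name not in intended]


if __name__ == "__main__":
    # Constructed inputs: one valid TLS 1.2 suite, and the bogus value "test"
    # taken from the broker configuration in the report.
    for value in ("ECDHE-RSA-AES128-GCM-SHA256", "test"):
        r = effective_suites(value)
        print(f"cipher string {value!r}: accepted={r['accepted']}")
        print("  TLS <= 1.2 suites:", r["legacy"])
        print("  TLS 1.3 suites   :", r["tls13"])
        print("  not restricted   :", unrestricted_tls13(value))
```

In OpenSSL's C API the TLS 1.3 list is set with a separate call, SSL_CTX_set_ciphersuites(), which is why a configuration audit has to check both lists.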