Hi Mohamed,
Thanks for your suggestion.
Indeed I already tried to explicitly set ciphers in mosquitto config
file (tried with various flavours of DHE-RSA).
And it doesn't work.
That's why I was wondering if and how mosquitto can handle DH
parameters.
I have generated the params with openssl... but I found no
indications on where to put them.
I tried putting them in the same folder as capath and the config file, both with no
luck.
Yes, using stunnel makes sense, but adds one more piece to my
(already complex) system, which I would prefer to avoid, if
possible.
Regards,
Luca
On 18/02/2019 20:16, Mohamed HAMZAOUI wrote:
Hello
Remember, when using DH the first thing to do is to generate a set of DH
parameters on your system (4096-bit is the best choice).
As defined in the mosquitto.conf documentation:
ciphers cipher:list
    The list of allowed ciphers, each separated with a colon.
    Available ciphers can be obtained using the "openssl ciphers" command.
Can you set explicitly your desired cipher
suite and check?
Just a final solution that helped me in the
past: if you have issues like this, remember that you
can delegate all the TLS part to other, more
specialized software like stunnel, which forwards the traffic to
mosquitto once the connection is successful. In this
case you must keep mosquitto available only for internal
connections.
Regards,
Mohamed Hamzaoui
Hi everyone,
I was wondering whether Mosquitto supports the use
of DHE-RSA ciphers.
In fact I'm not able to establish a connection when
using e.g. DHE-RSA-AES256-SHA (but the same seems to
occur for all DHE-RSA-* ciphers).
The underlying openssl works fine (tested with
s_server and s_client).
I've read on openssl documentation that DHE-RSA
needs some DH params to be set up in advance.
However I can't find any info on mosquitto docs
about that.
Also, I wasn't able to find any calls to
SSL_CTX_set_tmp_dh() in the code.
Can you please confirm support for DHE-RSA?
And in that case point me to some life-saving info?
Thank you in advance
Luca
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To change your delivery options, retrieve your
password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/mosquitto-dev
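
An added example, not part of the original thread and not Mosquitto code: a small audit that expands each `ciphers` line of a mosquitto.conf and lists the suites whose key exchange is finite-field DHE, which a server can only negotiate once DH parameters have been loaded into its TLS context (the SSL_CTX_set_tmp_dh() call asked about above). It assumes Python's ssl module is linked against OpenSSL; the sample config and its paths are constructed, and `expand` and `audit_ciphers` are hypothetical helper names.

```python
import ssl

# Constructed sample config (not from the thread); paths are placeholders.
SAMPLE_CONF = """\
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
ciphers DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384
"""


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites it selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are always listed and are not controlled by this string.
    return [c for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def audit_ciphers(conf_text):
    """Map each `ciphers` line number to the suites that need DH params and the rest."""
    report = {}
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "ciphers":
            continue  # comments, blank lines and other options
        needs_dh, other = [], []
        for cipher in expand(parts[1].strip()):
            # kea "kx-dhe" = ephemeral finite-field DH: unusable on a server
            # that has not loaded DH parameters, so the handshake fails if
            # this is the only kind of suite on offer.
            target = needs_dh if cipher.get("kea") == "kx-dhe" else other
            target.append(cipher["name"])
        report[line_no] = {"needs_dh_params": needs_dh, "other": other}
    return report


if __name__ == "__main__":
    for line_no, result in audit_ciphers(SAMPLE_CONF).items():
        print(f"line {line_no}: need DH params: {result['needs_dh_params']}")
        print(f"line {line_no}: other suites:   {result['other']}")
```

A `ciphers` line whose suites all land in `needs_dh_params` matches the symptom described in the thread: the broker and client have no usable suite in common unless the broker loads DH parameters.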