Re: [mosquitto-dev] TLS v1.3 for PSK

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [mosquitto-dev] TLS v1.3 for PSK

From: Per x Johansson <Per.X.Johansson@xxxxxxxx>
Date: Mon, 28 Mar 2022 07:26:27 +0000
Accept-language: en-US, sv-SE
Delivered-to: mosquitto-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/mosquitto-dev/>
List-help: <mailto:mosquitto-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHYQEVnyzdlnfyPZ0ahLWiAl1lmzazQEbuAgARSzto=
Thread-topic: [mosquitto-dev] TLS v1.3 for PSK

Thanks for the quick answer. We have been using TLSv1.3 with PSK, using a plugin to provide the PSK, for a quite long time now without any issues. So I'm a bit curious about what kind of problems that has been seen.

I also did some reading up on the openssl APIs. As I understand it the old TLSv1.2 APIs used by mosquitto should still work with 1.3 even though the new API is recommended. From the openssl documentation: "The callback for use in TLSv1.2 will also work in TLSv1.3 although it is recommended to use SSL_CTX_set_psk_use_session_callback()".

However the most important for us right now is to know that disabling TLSv1.3 for PSK was not done to solve any security issue.

What is the expected time frame for mosquitto 2.1?

/Per

From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
Sent: Friday, March 25, 2022 3:06:27 PM
To: General development discussions for the mosquitto project
Subject: Re: [mosquitto-dev] TLS v1.3 for PSK

Hi Per,

Thanks for the email, it's good to hear from people who are using
lesser used features. TLS-PSK in TLS v1.3 changed substantially and at
least the openssl implementation requires applications to use
different APIs to cope with this - which Mosquitto currently does not
do. As I recall, with TLS 1.3 still enabled some clients were having
problems connecting when using TLS-PSK, so the simplest fix was to
disable the non-functional TLS-PSK version.

Support for v1.3 TLS-PSK could go into version 2.1, I'll have to see
how it goes. It hasn't been a particular priority so far because I
have the impression that barely anybody uses TLS-PSK.

Regards,

Roger

On Fri, 25 Mar 2022 at 12:40, Per x Johansson <Per.X.Johansson@xxxxxxxx> wrote:
>
> Hi
>
>
> After upgrading to mosquitto 2.0.12, we have run into problems with clients not being able to connect to brokers that only accept TLS v1.3 when using PSK. I can see in the change log that the reason for that is this.
>
>
> "Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured."
>
>
> What I would like to understand is what "because it isn't correctly configured" actually means. Is there any way to solve it without running TLS v1.2 on the broker? Does it have any security issues for clients using the 2.0.10 version of mosquitto lib when connection to v1.3 brokers.
>
>
> Regards,
>
> Per
>
> _______________________________________________
> mosquitto-dev mailing list
> mosquitto-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev

Follow-Ups:
- Re: [mosquitto-dev] TLS v1.3 for PSK
  - From: Roger Light

References:
- [mosquitto-dev] TLS v1.3 for PSK
  - From: Per x Johansson
- Re: [mosquitto-dev] TLS v1.3 for PSK
  - From: Roger Light

Prev by Date: Re: [mosquitto-dev] TLS v1.3 for PSK
Next by Date: [mosquitto-dev] What are these errors?
Previous by thread: Re: [mosquitto-dev] TLS v1.3 for PSK
Next by thread: Re: [mosquitto-dev] TLS v1.3 for PSK
Index(es):
- Date
- Thread

Breadcrumbs