Re: [mosquitto-dev] TLS v1.3 for PSK

Hi Per,

> I also did some reading up on the openssl APIs. As I understand it the old TLSv1.2 APIs used by mosquitto should still work with 1.3 even though the new API is recommended. From the openssl documentation: "The callback for use in TLSv1.2 will also work in TLSv1.3 although it is recommended to use SSL_CTX_set_psk_use_session_callback()".

Thank you for that. I must have missed that part of the documentation
when I made the change. I will have to look at it again.

I am generally happy with the state of the develop branch for 2.1. The
Eclipse release process adds some time to get reviews done prior to
release, but I would tentatively say a release towards the end of April
seems doable, and gives a chance to blitz through some issues.

Regards,

Roger

>
> However the most important for us right now is to know that disabling TLSv1.3 for PSK was not done to solve any security issue.
>
> What is the expected time frame for mosquitto 2.1?
>
> /Per
>
> ________________________________
> From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
> Sent: Friday, March 25, 2022 3:06:27 PM
> To: General development discussions for the mosquitto project
> Subject: Re: [mosquitto-dev] TLS v1.3 for PSK
>
> Hi Per,
>
> Thanks for the email, it's good to hear from people who are using
> lesser used features. TLS-PSK in TLS v1.3 changed substantially and at
> least the openssl implementation requires applications to use
> different APIs to cope with this - which Mosquitto currently does not
> do. As I recall, with TLS 1.3 still enabled some clients were having
> problems connecting when using TLS-PSK, so the simplest fix was to
> disable the non-functional TLS-PSK version.
>
> Support for v1.3 TLS-PSK could go into version 2.1, I'll have to see
> how it goes. It hasn't been a particular priority so far because I
> have the impression that barely anybody uses TLS-PSK.
>
> Regards,
>
> Roger
>
> On Fri, 25 Mar 2022 at 12:40, Per x Johansson <Per.X.Johansson@xxxxxxxx> wrote:
> >
> > Hi
> >
> >
> > After upgrading to mosquitto 2.0.12, we have run into problems with clients not being able to connect to brokers that only accept TLS v1.3 when using PSK. I can see in the change log that the reason for that is this.
> >
> >
> > "Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured."
> >
> >
> > What I would like to understand is what "because it isn't correctly configured" actually means. Is there any way to solve it without running TLS v1.2 on the broker? Does it have any security issues for clients using the 2.0.10 version of the mosquitto lib when connecting to v1.3 brokers?
> >
> >
> > Regards,
> >
> > Per
> >
> > _______________________________________________
> > mosquitto-dev mailing list
> > mosquitto-dev@xxxxxxxxxxx
> > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev