Re: [paho-dev] Using m2m.eclipse.org for running Paho tests

Roger,

Yep, I agree on the ports: for the test infrastructure, use a set that is well out of the way of the standard ones.

I absolutely agree with you on the subject of weak ciphers - it's much better to direct people in the direction of best security practice by default. This was only for the purpose of the tests, and I'm not that concerned about these particular tests, for the same reasons.

I did set the cipher on the listener, so:

listener 8886
cafile keys/server/ca.crt
certfile keys/server/server.crt
keyfile keys/server/server.key
require_certificate false
ciphers ADH-DES-CBC-SHA

but still got:

OpenSSL Error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

No big deal, it's more out of interest really.

Ian

On 08/09/2013 05:29 PM, Roger Light wrote:
Hi Ian,

That's great, it makes a lot of sense. Having a separate broker
instance for testing is definitely a good idea as well! We should
probably move the ports the tests use so that they don't use 8883 to
avoid potential future problems if we allow TLS connections on
m2m.eclipse.org.

Mosquitto uses the default ciphers that openssl makes available. You
can see this list with "openssl ciphers -v", or "openssl ciphers -v
'DEFAULT:!aNULL:!eNULL'", which is confusingly the set of options that
are used by default.

ADH-DES-CBC-SHA is part of the aNULL (null authentication, as you say)
cipher group so it isn't available by default. You can configure the
available ciphers with the "ciphers" option in the config file, but
you'd also have to argue quite hard to convince me that providing
support for weak anonymous ciphers was a good idea. I'm inclined to
disable more weak ciphers by default, as discussed in this Python bug
report: http://bugs.python.org/issue13636

Cheers,

Roger


On Fri, Aug 9, 2013 at 4:51 PM, Ian Craggs
<icraggs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi Roger,

Benjamin is happy for us to use m2m.eclipse.org to run an MQTT server to run
Paho tests against. The tests use a variety of SSL configurations on four
ports (currently 8883 to 8886) in addition to 1883.

We could use the same instance of Mosquitto as is running now, or a separate
instance for added stability. I just imagined that random use of the
sandbox server could interfere with the Paho tests, and that a separate
instance would give us more reliable tests.

What do you think?

Ian

P.S.  My SSL C client tests are working against Mosquitto with the exception
of anonymous ciphers (attempting to use ADH-DES-CBC-SHA). Anything special
to consider?
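
The cipher question discussed in this thread, as an added example that is not part of the original messages or of Mosquitto: a small linter that reads a mosquitto.conf and flags `ciphers` values naming anonymous or otherwise weak suites, such as the ADH-DES-CBC-SHA test listener. The name patterns are heuristics based on OpenSSL suite naming, and the second listener in the sample is constructed.

```python
import re

# Heuristic name patterns (an assumption of this example, not an exhaustive policy).
CHECKS = [
    ("anonymous key exchange (no server authentication)",
     re.compile(r"(^|-)(ADH|AECDH)-|^aNULL$")),
    ("no encryption", re.compile(r"(^|-)NULL(-|$)|^eNULL$")),
    ("single DES", re.compile(r"(^|-)DES-CBC-|^DES$")),
    ("export-grade", re.compile(r"^EXP(ORT)?")),
    ("RC4", re.compile(r"(^|-)RC4(-|$)")),
]

def weak_tokens(cipher_string):
    """Return [(token, reason)] for tokens that enable a weak suite or group."""
    findings = []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token[0] in "!-":  # '!' and '-' remove suites
            continue
        token = token.lstrip("+")
        for reason, pattern in CHECKS:
            if pattern.search(token):
                findings.append((token, reason))
    return findings

def lint_mosquitto_conf(text):
    """Return [(listener_port, token, reason)] for every `ciphers` line."""
    results, port = [], "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port = value.split()[0] if value.split() else "?"
        elif key == "ciphers":
            results += [(port, t, r) for t, r in weak_tokens(value)]
    return results

# Sample input: the 8886 listener is the one quoted in the thread; the 8885
# listener is constructed for contrast and uses the default string Roger cites.
SAMPLE_CONF = """\
listener 8885
ciphers DEFAULT:!aNULL:!eNULL

listener 8886
require_certificate false
ciphers ADH-DES-CBC-SHA
"""

if __name__ == "__main__":
    for port, token, reason in lint_mosquitto_conf(SAMPLE_CONF):
        print(f"listener {port}: {token}: {reason}")
```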


