Hello @Rahul
I made some tests in my local lab and I was able to reproduce the same.
However, after many attempts, I realized that my broker Keystore was created using the RSA algorithm instead of ECDSA. I recreated the broker keystore self-signed certificate using ECDSA with SHA256 and the issue was mitigated.
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.876 UTC|ClientHello.java:798|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "39 61 79 E1 77 7D DE 21 72 60 5F 2D 8C A9 B8 AE 6C B7 45 9D 90 4A 13 4E 49 A3 1E 21 8A 8C 9F 92",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.2]
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.876 UTC|SSLExtensions.java:192|Consumed extension: supported_versions
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.876 UTC|ClientHello.java:828|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.876 UTC|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: status_request
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: supported_groups
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: status_request_v2
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.877 UTC|SSLExtensions.java:192|Consumed extension: supported_versions
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.878 UTC|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.878 UTC|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.878 UTC|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:224|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:224|Populated with extension: signature_algorithms_cert
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: status_request_v2
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.879 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.880 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.880 UTC|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.886 UTC|ServerHello.java:439|use cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.886 UTC|StatusResponseManager.java:763|Staping disabled or is a resumed session
javax.net.ssl|ALL|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.887 UTC|ServerNameExtension.java:440|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.887 UTC|SSLExtensions.java:260|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.887 UTC|MaxFragExtension.java:296|Ignore unavailable max_fragment_length extension
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.887 UTC|SSLExtensions.java:260|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.888 UTC|SSLExtensions.java:260|Ignore, context unavailable extension: status_request
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.888 UTC|SSLExtensions.java:246|Ignore, no extension producer defined: ec_point_formats
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.888 UTC|AlpnExtension.java:384|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.888 UTC|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.888 UTC|SSLExtensions.java:260|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.888 UTC|ServerHello.java:364|Produced ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "C7 D8 E8 6F AB D4 5C 15 A0 B4 52 12 CA 75 CB 44 69 4C 96 8D B0 91 E1 F1 62 5E 25 6A CE C8 34 60",
"session id" : "51 B8 0F 4A 37 2E 77 F1 84 AF 43 72 F6 A1 83 42 4B 83 02 52 DF BA 61 3D 58 76 80 39 F6 D6 D3 1B",
"cipher suite" : "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C)",
"compression methods" : "00",
"extensions" : [
"extended_master_secret (23)": {
<empty>
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.890 UTC|CertificateMessage.java:271|Produced server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "55 30 DF 06",
"signature algorithm": "SHA256withECDSA",
"issuer" : "CN=localhost",
"not before" : "2023-10-26 18:06:09.000 UTC",
"not after" : "2024-10-25 18:06:09.000 UTC",
"subject" : "CN=localhost",
"subject public key" : "EC",
"extensions" : [
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
IPAddress: 10.11.0.200
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BC 6D 69 E6 27 73 BA AF 3F 1F FD 1D 17 AA B7 C1 .mi.'s..?.......
0010: 12 54 78 28 .Tx(
]
]
}
]}
]
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.899 UTC|ECDHServerKeyExchange.java:491|Produced ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
"parameters": {
"named group": "x25519"
"ecdh public": {
0000: 1B DF CA BA 6F 62 19 63 17 F5 21 B0 7A C3 7B 88 ....ob.c..!.z...
0010: D1 78 02 22 F2 01 13 5F E5 30 56 E0 E2 C6 2F 6A .x."..._.0V.../j
},
},
"digital signature": {
"signature algorithm": "ecdsa_secp256r1_sha256"
"signature": {
0000: 30 45 02 21 00 FC F6 41 A1 D7 C1 B0 14 6C 2C D0 0E.!...A.....l,.
0010: 5D DB B6 6A 1A 15 F3 99 AF 5C C9 58 BA 61 27 23 ]..j.....\.X.a'#
0020: A6 D8 77 1E A3 02 20 11 87 B1 AE 32 C1 A1 EF 37 ..w... ....2...7
0030: 83 C3 B5 1C E8 09 BD 88 85 B6 A7 E9 B2 38 E5 A4 .............8..
0040: F2 4A AE C6 A6 36 C8 .J...6.
},
}
}
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.900 UTC|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.986 UTC|ECDHClientKeyExchange.java:506|Consuming ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 2B BB 38 20 42 70 1B 45 F2 9D 43 FF 4D DB C8 47 +.8 Bp.E..C.M..G
0010: C4 5B 8A 53 08 04 83 4F 4F E5 70 B6 8D DE 2F 35 .[.S...OO.p.../5
},
}
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.991 UTC|ChangeCipherSpec.java:149|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.993 UTC|Finished.java:595|Consuming client Finished handshake message (
"Finished": {
"verify data": {
0000: 7E A1 9A C7 63 7F 35 7C 74 07 4F DE
}'}
)
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.993 UTC|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|DEBUG|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:41.993 UTC|Finished.java:453|Produced server Finished handshake message (
"Finished": {
"verify data": {
0000: 31 C0 A3 B6 BA 7C 25 8F 75 9F EF EE
}'}
)
javax.net.ssl|ALL|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:42.086 UTC|SSLEngineImpl.java:754|Closing outbound of SSLEngine
javax.net.ssl|WARNING|6E|hivemq-eventloop-child-1,nLmXF|2023-10-26 18:23:42.087 UTC|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
The keystore in my lab was created with the command below; it generates a 256-bit EC key on an SEC curve (secp256r1) and a self-signed certificate using ECDSA with SHA256. You can use it as an example.
keytool -genkey -keyalg EC -alias "hivemq-ec" -keystore broker-keystore-ec.jks -storetype JKS -storepass changeme -keypass changeme -validity 365 -groupname secp256r1 -sigalg SHA256withECDSA -dname "CN=localhost" -ext san=ip:10.11.0.200
Kind regards,
Diego from HiveMQ Team
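
Added example, not part of the original post and not HiveMQ code: a small Python parser for JSSE debug output like the trace above. It lists which of the client's offered TLS 1.2 cipher suites a keystore of a given key type can serve and checks that the negotiated suite matches the certificate's key type. The sample log is constructed and shortened, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the JSSE debug output above (shortened).
SAMPLE_LOG = """\
"cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)]",
javax.net.ssl|DEBUG|6E|worker-1|2023-10-26 18:23:41.886 UTC|ServerHello.java:439|use cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
"subject public key" : "EC",
"""

# TLS 1.2 key-exchange prefix -> key type the server certificate must hold.
# Static ECDH/DH and anonymous suites are deliberately left unmapped.
CERT_KEY_FOR_KX = {
    "TLS_ECDHE_ECDSA": "EC",
    "TLS_ECDHE_RSA": "RSA",
    "TLS_DHE_RSA": "RSA",
    "TLS_RSA": "RSA",
    "TLS_DHE_DSS": "DSA",
}

def cert_key_type(suite):
    """Key type a TLS 1.2 suite name requires, or None if unmapped."""
    kx, sep, _ = suite.partition("_WITH_")
    return CERT_KEY_FOR_KX.get(kx) if sep else None

def parse_handshake(log):
    """Extract offered suites, chosen suite and certificate key type."""
    offered = []
    for line in log.splitlines():
        if '"cipher suites"' in line:  # ClientHello uses the plural key
            offered = re.findall(r"(TLS_[A-Z0-9_]+)\(0x[0-9A-Fa-f]{4}\)", line)
            break
    chosen = re.search(r"use cipher suite (TLS_[A-Z0-9_]+)", log)
    key = re.search(r'"subject public key"\s*:\s*"(\w+)"', log)
    return {
        "offered": offered,
        "chosen": chosen.group(1) if chosen else None,
        "cert_key": key.group(1) if key else None,
    }

def usable_suites(offered, keystore_key_type):
    """Offered suites a keystore holding only this key type can serve."""
    return [s for s in offered if cert_key_type(s) == keystore_key_type]

def chosen_matches_cert(hs):
    """True when the negotiated suite agrees with the presented key type."""
    return hs["chosen"] is not None and cert_key_type(hs["chosen"]) == hs["cert_key"]

if __name__ == "__main__":
    hs = parse_handshake(SAMPLE_LOG)
    for kt in ("EC", "RSA"):
        print(kt, usable_suites(hs["offered"], kt))
    print("consistent:", chosen_matches_cert(hs))
```

An empty list for the keystore's key type means none of the offered suites can be served by that keystore.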