Possible insecure signature algorithm in TLS Key Exchange

Hi there,
Running testssl.sh (GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port) against a HiveMQ broker, I noticed that RSA+SHA1 is among the TLS 1.2 signature algorithms offered. I was able to confirm this with Wireshark:


The only way I was able to make this go away was to disable TLS 1.2 completely, but that’s not really an option for me at the moment.
I tried playing with the Java jdk.tls.disabledAlgorithms options without success.

My current listener configuration looks like this:

              <listeners>
                  <tls-tcp-listener>
                      <port>8883</port>
                      <bind-address>0.0.0.0</bind-address>
                      <tls>
                          <protocols>
                              <protocol>TLSv1.2</protocol>
                              <protocol>TLSv1.3</protocol>
                          </protocols>
                          <cipher-suites>
                              <cipher-suite>TLS_AES_256_GCM_SHA384</cipher-suite>
                              <cipher-suite>TLS_AES_128_GCM_SHA256</cipher-suite>
                              <cipher-suite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</cipher-suite>
                              <cipher-suite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</cipher-suite>
                              <cipher-suite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suite>
                              <cipher-suite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suite>
                          </cipher-suites>
                          <prefer-server-cipher-suites>true</prefer-server-cipher-suites>
                          <keystore>
                              <path>conf/server-keystore.jks</path>
                              <password>**********</password>
                              <private-key-password>**********</private-key-password>
                          </keystore>
                          <client-authentication-mode>REQUIRED</client-authentication-mode>
                          <truststore>
                              <path>conf/server-truststore.jks</path>
                              <password>**********</password>
                          </truststore>
                      </tls>
                  </tls-tcp-listener>
              </listeners>

Any idea how to overcome this?
Any help is kindly appreciated.

This is a screenshot from the testssl output, since I am only allowed to embed one image per post:

Hello @Alejandro_M

Welcome to the HiveMQ Community! I have tested the same config parameters you provided and got different results.

Please note that the specific JDK being used can impact which TLS signature algorithms are offered.

java --version
openjdk 11.0.19 2023-04-18
OpenJDK Runtime Environment Temurin-11.0.19+7 (build 11.0.19+7)
OpenJDK 64-Bit Server VM Temurin-11.0.19+7 (build 11.0.19+7, mixed mode)

Kind regards,
Diego from HiveMQ Team

Hi @Diego, thank you for your reply. You left the important line out of the screenshot though :grin:. That would be the one starting with "TLS 1.2 sig_algs offered:". Could you post your results with that line too? The part of the screenshot you shared looks the same as mine.

I'm using the official Docker image hivemq/hivemq-ce:2024.6, so it will be the Java version shipped there, which is:

$ docker run --rm hivemq/hivemq-ce:2024.6 java --version
openjdk 21.0.3 2024-04-16 LTS
OpenJDK Runtime Environment Temurin-21.0.3+9 (build 21.0.3+9-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.3+9 (build 21.0.3+9-LTS, mixed mode, sharing)

Looking forward to your feedback!

Hi @Alejandro_M

You're welcome! Now I can see the sig_algs offered section in my test.

This is explained by one of the testssl.sh developers at this link: Why is RSA+SHA1 in the "TLS 1.2 sig.algs offered" list · Issue #2495 · drwetter/testssl.sh · GitHub

Kind regards,
Diego from HiveMQ Team

Hi @Diego,
thank you. That is a good explanation of why it is not a bug in testssl that this warning is shown (i.e. the information is relevant), and a good source is provided to better understand how cipher suite names are generated.
It however provides no argument as to why this warning may be ignored. I am still very much interested in finding a way to stop the HiveMQ broker from providing support for RSA+SHA1, which is insecure. Do you have an idea how this may be accomplished? I tried modifying the Java options on the HiveMQ broker with -Djdk.tls.disabledAlgorithms="SHA1" and other combinations, but had no success.
Many thanks again for the support.

@Alejandro_M

I didn't get you at first, since as far as I understand you will not generate certificates that use the SHA1withRSA signature algorithm. But after conducting several tests, I discovered that you can achieve your goal by specifying the appropriate signature schemes that can be used over the TLS protocol.

-Djdk.tls.server.SignatureSchemes=rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384 -Djavax.net.ssl.SSLParameters.setSignatureSchemes=rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384

You can find the list of Signature Schemes available at Java Security Standard Algorithm Names

Please ensure that you evaluate the proposed solution within the context of your own risks and assumptions, as I have not conducted extensive testing on it.

Kind regards,
Diego from HiveMQ Team
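The JVM property from the previous post, applied to the Docker image from the thread, together with a check that the listener no longer signs a TLS 1.2 key exchange with RSA+SHA1. This is an added example, not code from the thread or from HiveMQ; it assumes the hivemq/hivemq-ce image passes the JAVA_OPTS environment variable through to the JVM, and that openssl 1.1.1 or newer (which has the -sigalgs option) is installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from HiveMQ. Assumptions: the hivemq/hivemq-ce
# image passes the JAVA_OPTS environment variable through to the JVM, and openssl >= 1.1.1
# is installed (needed for the -sigalgs option).
set -u

# Signature schemes to keep, as proposed in the thread: PKCS#1 v1.5 and RSA-PSS with SHA-2 only.
ALLOWED_SCHEMES="rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384"

# Start the broker with the restriction applied (constructed command; mount your conf/ as needed).
start_broker() {
  docker run -d --name hivemq-ce -p 8883:8883 \
    -e JAVA_OPTS="-Djdk.tls.server.SignatureSchemes=${ALLOWED_SCHEMES}" \
    hivemq/hivemq-ce:2024.6
}

# probe HOST PORT SIGALGS: one TLS 1.2 handshake that offers only SIGALGS (OpenSSL syntax,
# e.g. RSA+SHA1) and prints the handshake message trace. The listener in the thread requires a
# client certificate, so the handshake is expected to fail later on; by then the server has
# already chosen a signature scheme for its ServerKeyExchange, which is all we need to see.
probe() {
  openssl s_client -connect "$1:$2" -tls1_2 -sigalgs "$3" -msg </dev/null 2>&1 || true
}

# classify: reads an s_client -msg trace on stdin. A ServerKeyExchange message means the server
# was willing to sign with one of the offered algorithms; no such message means it aborted
# (no common signature algorithm), which is the desired outcome for RSA+SHA1.
classify() {
  if grep -q 'ServerKeyExchange'; then echo accepted; else echo rejected; fi
}

# check_server HOST PORT: report whether the weak and a strong algorithm are accepted.
check_server() {
  local alg
  for alg in "RSA+SHA1" "RSA-PSS+SHA256"; do
    printf '%-16s %s\n' "$alg" "$(probe "$1" "$2" "$alg" | classify)"
  done
}

# Run only when a target is given, e.g. BROKER_HOST=broker.example.test ./sigalg-check.sh
if [ -n "${BROKER_HOST:-}" ]; then
  check_server "$BROKER_HOST" "${BROKER_PORT:-8883}"
fi
```

After the restriction is in place, RSA+SHA1 should report rejected and RSA-PSS+SHA256 accepted; before it, both report accepted.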