TLS 1.3 The client and server communicate Exception

Exception:

TLS 1.3 The client and server cannot communicate because they do not possess a common algorithm.

Broker : Hivemq
TLSVersion : 1.3

Add Config in broker for tls 1.3

    <protocols>
        <protocol>TLSv1.3</protocol>
        <protocol>TLSv1.2</protocol>
    </protocols>
    <cipher-suites>
        <cipher-suite>TLS_AES_128_GCM_SHA256</cipher-suite>
        <cipher-suite>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</cipher-suite>
        <cipher-suite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipher-suite>
        <cipher-suite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suite>
        <cipher-suite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</cipher-suite>
        <cipher-suite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</cipher-suite>
        <cipher-suite>TLS_RSA_WITH_AES_128_GCM_SHA256</cipher-suite>
        <cipher-suite>TLS_RSA_WITH_AES_128_CBC_SHA</cipher-suite>
        <cipher-suite>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suite>
    </cipher-suites>

How can we resolve the above error?

Thanks
Rahul

Hi @Rahul,

> possess a common algorithm

You have to make sure the client also knows at least one of the cipher suites you configured on the broker side.

Greetings,
Michael from the HiveMQ team

Hi @michael_w ,

Thanks for responding !

Do we have any specific way to configure the cipher suite (I’m using a C# MQTTnet-based client)?

Thanks,
Rahul

Hi @Rahul,

I’m not sure this works with this client. I checked their repo and didn’t find a mention of cipher suites and also the WithTls() doesn’t seem to have the option to set the cipher suites.

TLS example from their connection samples:

    public static async Task Connect_Client_With_TLS_Encryption()
    {
        /*
         * This sample creates a simple MQTT client and connects to a public broker with enabled TLS encryption.
         * 
         * This is a modified version of the sample _Connect_Client_! See other sample for more details.
         */

        var mqttFactory = new MqttFactory();

        using (var mqttClient = mqttFactory.CreateMqttClient())
        {
            var mqttClientOptions = new MqttClientOptionsBuilder().WithTcpServer("test.mosquitto.org", 8883)
                .WithTls(
                    o =>
                    {
                        o.SslProtocol = SslProtocols.Tls12; // The default value is determined by the OS. Set manually to force version.
                    })
                .Build();

            // In MQTTv5 the response contains much more information.
            var response = await mqttClient.ConnectAsync(mqttClientOptions, CancellationToken.None);

            Console.WriteLine("The MQTT client is connected.");

            response.DumpToConsole();
        }
    }

A workaround I can think of on the spot would be to find out what cipher suites the client supports and then add one of them to the broker cipher suites.
You can find out what cipher suites the client supports by running your current code again while monitoring the traffic between client and broker with Wireshark; the “Client Hello” of the client contains the supported cipher suites of the client.

Greetings,
Michael


@michael_w

This is a great suggestion. We have not found any implementation of cipher suites in the mqttnet library.

Now we are stuck at this place.

Greetings,
Rahul

As I said, the workaround would be to add one of the client-side supported cipher suites to the broker config.
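
The workaround described above, as an added example that is not part of the original thread or of the HiveMQ or MQTTnet code: it reads the cipher suite list out of a raw TLS ClientHello record and reports which suites from the broker config in the question the client also offers. The function names, the `build_client_hello` helper and the sample offers are constructed for illustration; the code points are the IANA values for the suites listed in the config.

```python
import struct

# IANA code points for the cipher suites in the broker config shown in the question.
BROKER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def offered_suites(record: bytes) -> list[int]:
    """Return the cipher suite code points offered in a raw TLS ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]            # skip legacy_session_id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    (length,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if length % 2 or pos + length > len(record):
        raise ValueError("truncated or malformed cipher_suites vector")
    return list(struct.unpack_from(f"!{length // 2}H", record, pos))

def common_suites(record: bytes) -> list[str]:
    """Names of broker-configured suites that the client also offers (client order)."""
    return [BROKER_SUITES[c] for c in offered_suites(record) if c in BROKER_SUITES]

def build_client_hello(suites: list[int]) -> bytes:
    """Constructed sample input: a minimal ClientHello with no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                                  # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    mismatch = build_client_hello([0x1302, 0x1303, 0xC030, 0x009D])  # constructed offer
    print(common_suites(mismatch) or "no common cipher suite: handshake will fail")
    print(common_suites(build_client_hello([0x1302, 0x1301, 0xC02F])))
```

With a real capture, pass the TLS record bytes of the Client Hello (for example via `bytes.fromhex(...)` on a hex dump taken from Wireshark) to `common_suites`; an empty result means no suite in the broker list matches what the client offers.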