Connection to broker over TLS 1.3 fails - no common algorithm / no shared cipher
I cannot connect to the broker from a C# app (.NET Framework 4.6.2 using the MQTTnet NuGet package, Windows 10). I am using mosquitto version 2.0.10. On the broker side I have the ca.crt, server.crt and server.key. The app just uses the ca.crt.
Broker configuration is as follows:
acl_file ./configs/acl.acl
password_file ./configs/pwfile
allow_anonymous false
listener 8883
cafile ./certs/ca.crt
certfile ./certs/server.crt
keyfile ./certs/server.key
tls_version tlsv1.3
I keep getting the same exception over and over: "The client and server cannot communicate, because they do not possess a common algorithm". If I change the TLS version to 1.2, I am still getting the exception. However, the sense is the same: no common cipher.
When I track the connection using Wireshark I can clearly see that within the client hello the app offers the following cipher suites:
Cipher Suites (21 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
However the response is always the same: "Description: Handshake Failure (40)".
I find it hard to believe that mosquitto does not use any of the above ciphers. What am I doing wrong? Any guidance would be greatly appreciated.
Thank you in advance.
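Added example, not part of the original post: it parses the cipher suite lines from the ClientHello quoted above and lists which of them a listener restricted to a given tls_version could select. TLS 1.3 has its own suite code points (0x1301 to 0x1305, RFC 8446) and none appear in the capture; the function names and the server key type parameter are assumptions of this example.

```python
import re

# Cipher suite lines copied from the Wireshark ClientHello in the post.
CLIENT_HELLO = """
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
"""

# TLS 1.3 cipher suite code points (RFC 8446, appendix B.4).
TLS13_CODES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}
SUITE_RE = re.compile(r"Cipher Suite: (\w+) \((0x[0-9a-fA-F]{4})\)")

def parse_suites(text):
    """Return [(name, code)] from Wireshark 'Cipher Suite: NAME (0x....)' lines."""
    return [(name, int(code, 16)) for name, code in SUITE_RE.findall(text)]

def candidates(suites, tls_version, server_key_type):
    """Offered suites a listener could select. server_key_type ('rsa' or
    'ecdsa') is assumed: the post does not say what kind of key server.key is."""
    if tls_version == "tlsv1.3":
        return [name for name, code in suites if code in TLS13_CODES]
    # TLS 1.2 and earlier: the suite name fixes the certificate key type.
    auth = "_ECDSA_" if server_key_type == "ecdsa" else "_RSA_"
    return [n for n, c in suites if c not in TLS13_CODES and auth in n]

if __name__ == "__main__":
    suites = parse_suites(CLIENT_HELLO)
    for version in ("tlsv1.3", "tlsv1.2"):
        print(version, candidates(suites, version, "rsa"))
```

The returned names are candidates only: the broker's TLS library must also have them enabled for a handshake to succeed.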
Can you solve it?
I could not solve it. That is why I had to downgrade to TLS 1.2
https://stackoverflow.com/questions/73759195/c-sharp-ssl-routinestls-post-process-client-hellono-shared-cipher
This is my problem. Can you give me any advice? Because I am burnt out. Thank you.
I posted a few hints in your stack question. I hope they will guide you in the right direction.
We run our code on macOS Monterey version 12.6. Thank you to everyone who is interested.