Adding TLS1.3 Compatibility
Patch created during the IETF 101 Hackathon together with Nigel Yong - [email protected]
Hello @icraggs, I already signed the agreement as asked in https://github.com/eclipse/paho.mqtt.c/pull/428 Can you have a look please?
There's no test, so I'd like to know out of interest, did you try out this change and have it working?
@icraggs We tested it. See this link https://github.com/eclipse/paho.mqtt.c/pull/428/commits/0bbddd1d499274c7ff7213863280b9a84540be30
Ok, I was just wondering how I could test it, so that a test could be added to the automated suite. Is there some particular Mosquitto configuration for instance? The test broker I am using is written in Python, so Python configuration would also be good.
IMHO this PR will default to accept TLS 1.3 brokers only, as the min and max protocol versions are both fixed to TLS_VERSION1_3, independent of the settings in sslVersion and for all sockets.
For running your internal tests using https://github.com/eclipse/paho.mqtt.testing.git you will need to add TLS 1.3 to the broker by changing SSLContext in "interoperability/mqtt/brokers/listeners/TCPListeners.py" as follows:
diff --git a/interoperability/mqtt/brokers/listeners/TCPListeners.py b/interoperability/mqtt/brokers/listeners/TCPListeners.py
index 4d9f237..7bc2f2a 100644
--- a/interoperability/mqtt/brokers/listeners/TCPListeners.py
+++ b/interoperability/mqtt/brokers/listeners/TCPListeners.py
@@ -249,7 +249,7 @@ def create(port, host="", TLS=False, serve_forever=False,
bind_address = host
server = ThreadingTCPServer((bind_address, port), WebSocketTCPHandler, False)
if TLS:
- context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
+ context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS)
try:
context.set_ciphers('ALL:@SECLEVEL=1') # until we have seclevel 2 TLS config
except:
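Review bot: on the changed `ssl.SSLContext(protocol=ssl.PROTOCOL_TLS)` line the listener loses its pinned protocol floor. `PROTOCOL_TLS` negotiates the highest version both peers support, so the set of versions the test broker accepts now depends on the local OpenSSL build and its policy. Consider setting `context.minimum_version = ssl.TLSVersion.TLSv1_2` (Python 3.7+) right after creating the context so the suite behaves the same across distributions, and have any TLS 1.3 test assert the negotiated version instead of assuming it. In the context lines, `set_ciphers('ALL:@SECLEVEL=1')` does not change the TLS 1.3 cipher suites in Python's ssl module, and the bare `except:` after it will hide any configuration error; catching `ssl.SSLError` would be narrower.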
NOTE: Debian buster (what I am using) seems to have disabled TLS 1.0 and 1.1, thus the broker will only run with TLS 1.2+ clients. See https://bugs.python.org/issue31453
I messed around in the code a little to also provide a test case, but I don't like it, as I needed to introduce an API function to get the used TLS version (I don't know of any other way to acquire this information). See https://github.com/mtrensch/paho.mqtt.c/commit/52b5aee82e9b80e20f96ddaa194768388572ea4f
BTW, I think when using openssl 1.1+ the defaults are already used and TLS 1.3 is established, as TLS_version_method() is then used: https://github.com/eclipse/paho.mqtt.c/blob/64a5ff3c3b71fe019353aeacaebc66a3cf4f3461/src/SSLSocket.c#L554 But at the current time you cannot force the TLS version being used, only accept all TLS versions supported by openssl.