valentindimov
commented
4 years ago What are "example" and "test" in your call?
TLS 1.3 cipher suites work differently from TLS 1.2. As far as I've been able to test, Mosquitto's "ciphers" option only understands TLS 1.2 suites. That is, anything you write there will only affect TLS 1.2 cipher suites, but not those for TLS 1.3.
One way around this is to code your client to only offer the one cipher suite you want. With Mosquitto's client library, you can use the OpenSSL API directly to create a SSL_CTX set to only offer the one suite you need, using the SSL_CTX_set_ciphersuites() call. Then, you can use the MOSQ_OPT_SSL_CTX or MOSQ_OPT_SSL_CTX_WITH_DEFAULTS options to tell the library to use your SSL_CTX instead of creating its own. It's not pretty, but it's worked for me.
Mosquitto client library API: https://mosquitto.org/api/files/mosquitto-h.html SSL_CTX_set_ciphersuites(): https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
Good morning,
when trying to connect with tls1.3 both the broker and the client (mosquitto_pub) are ignoring the "ciphers" keyword and always using TLS_AES_256_GCM_SHA384 even if other ciphers (or any random string such as "test") are specified.
Component: mosquitto 1.6.2 (latest) and mosquitto_pub 1.6.2 (latest) OS: Linux (Ubuntu 18.10) openssl version(broker): 1.1.1 (11 Sep 2018) openssl verision(client): 1.1.1b (26 Feb 2019)
Client string: -> mosquitto_pub -h 127.0.0.1 -t "test" -p 8883 -i "Client1" -u Client1 -m "message" --cafile ca.pem --cert client.crt --key client.key --tls-version tlsv1.3 --ciphers example --insecure
########################### listener 8883
allow_anonymous false
cafile cert/ca.pem certfile cert/server.crt keyfile cert/server.key tls_version tlsv1.3 ciphers test
log_type all log_dest stdout ############################