-
Notifications
You must be signed in to change notification settings - Fork 5.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How does one control cipher suites over MQTTS? #10217
Comments
This issue is kinda the reverse of #1469, which was closed as completed without any indication provided as to what was actually changed. Basically, the root of the issue is that in testing, a lot of MCU SSL libraries--and cell modem chips--cannot successfully connect to TBMQ via MQTTS (whether due to bugs or otherwise). The main difference appears to be that--presumably as a result of #1469--TBMQ now only provides elliptic-curve ciphers. While this is "more secure", if it renders certain hardware completely unable to utilize MQTTS, the only remaining option is to drop all security and use an unsecured MQTT connection! Somewhat curiously, the "demo.thingsboard.io" server does not provide an MQTTS port--so I am unable to determine if this difficulty exists in Thingsboard PE. Yes, I agree that the problem likely lies in the client TLS firmware--but that can unfortunately be a fatal problem only solvable on the server side (i.e. TBMQ). At least in my case, a SIM70x0 modem cannot connect to a TBMQ server via MQTTS--and thus far my requests to Simcom for delta firmware updates have been completely ignored. In other tests, most of the SSL/TLS libraries for the ESP32 also fail connecting to TBMQ: only one specific wrapper library around mbedTLS can successfully connect to TBMQ. (All the rest fail at the CA cert verification, and do not even get to the client cert.) It is worth noting that PC tools (MQTTX appimage, mosquito_pub, and Paho MQTT via Python) all can successfully connect to TBMQ--but the goal of TBMQ isn't necessarily "networking computers" as much as "connecting IoT devices"! Here is nmap on "test.mosquitto.org:8884":
An nmap scan on TBMQ (self-hosted Thingsboard CE) meanwhile returns the following:
Only EC ciphers are present on TLSv1.2 (note that most "MCU-scale" TLS libraries do not yet support TLSv1.3. If I could get a firmware update for the SIM7080G modem, it'd support TLSv1.3--but that has not been possible to get.) So yes...how do we control what cipher suites are offered via MQTTS on TBMQ? |
Hi @kazetsukaimiko @WebDust21 ! |
The main goal of this feature would be to allowing control over the TBMQ TLS configuration during deployment of Thingsboard, without requiring in-the-field source code modification of Thingsboard and complete recompilation for deployment. Ideally this would be a system environment variable (global scope in the deployment). |
As @WebDust21 mentions (we are collaborating on a project), some IoT devices with modems use hardware built-in MQTT(s) functionality, offloading the MQTT + TLS overhead to the modem. It is not easy to select a cipher set on some of these clients because the support is in the modem's firmware binaries, and sometimes (as we have found) these firmware implementations can be buggy with certain ciphers. It would help us if we could define the cipher set TB side, so that we can choose the most compatible cipherset to our devices (and eliminate ones with bad client side implementations). Also as @WebDust21 mentioned, forward-thinkers can use this same functionality to choose only the most restrictive and secure cipher sets when they really want a locked down configuration. In our case, our modems would connect to test.mosquitto.org just fine, but not to TB, using two-way SSL. TB advertises EC-based keys and ciphers only, mosquitto accepts RSA 2048 keys / ciphers. We were banging our heads against this wall for about two weeks trying to get TB to behave as desired using JSSE configuration without success. I went as far as to modify / upgrade the JDK to 17 in the We eventually moved from hardware/modem MQTT / TLS client to adding software layers, abandoning the modem functionality and now we're able to connect, but at a large performance penalty as we don't have hardware accelerated cryptography anymore. I think this would best be an MQTTS_ environment option, expecting a comma-delimited list of ciphers from the same JDK / JSSE documentation you refer others to. When not passed, it would fallback to all supported cipher suites as you currently do. I thought of opening a PR, but as you use field injection and not constructor injection it was difficult to write mock-based unit tests that could be used to verify my fixes prior to any kind of deployment. |
Component
MQTT over TLS
Description
How do I control the cipher suites (NOT the TLS version) used for MQTTS? In MqttSslHandlerProvider, I see:
Using JSSE JVM arguments like
-Djdk.tls.server.cipherSuites
does not seem to change anything.Environment
The text was updated successfully, but these errors were encountered: