← Back to team overview

mosquitto-users team mailing list archive

Specific cipher usage with Mosquitto Broker

 

Hi,

I was trying to use a specific cipher (ECDHE-ECDSA family) with the broker (you need elliptic curve certificates to be able to use it). Unfortunately, Mosquitto does not support it by default because it needs specific SSL Context initialization. Otherwise, OpenSSL will return a "no shared cipher" error.
Basically, I have succeeded to use this cipher by adding the following piece of code in the net.c file around line 400 (mosquitto 1.2.3):

EC_KEY *ecdh = NULL;
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if(ecdh == NULL){
_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "unable to create curve (nistp256)");
}else{
SSL_CTX_set_tmp_ecdh(listener->ssl_ctx, ecdh);
}
EC_KEY_free(ecdh);

Elliptic Curve cryptography is a great alternative to RSA in term of performance with at least the same level of security. Having Mosquitto able to support it would be great. By using a #ifdef would allow a minimal support to it. An even better solution would be to let the user customize each listener through the Mosquitto plugin.

Best regards,

Remi


Follow ups