
mosquitto-users team mailing list archive

Re: Specific cipher usage with Mosquitto Broker

Hi Remi,

As it happens I looked at exactly this a month or so ago. It's nice
that it's so easy to enable forward security. I hadn't actually added
the option to mosquitto because I've been having a bit of a break
recently - partially down to knowing that I need to prepare the source
for submission to Eclipse. It's on my todo list though, so will
definitely get done.

Cheers,

Roger

On Tue, Dec 17, 2013 at 11:20 AM, Remi SALEMBIER <remi.salembier@xxxxxxx> wrote:
> Hi,
>
>
>
> I was trying to use a specific cipher (ECDHE-ECDSA family) with the broker
> (you need elliptic curve certificates to be able to use it). Unfortunately,
> Mosquitto does not support it by default because it needs specific SSL
> Context initialization. Otherwise, OpenSSL will return a “no shared cipher”
> error.
>
> Basically, I have succeeded in using this cipher by adding the following piece
> of code to the net.c file around line 400 (mosquitto 1.2.3):
>
>
>
> /* Needs <openssl/ec.h> (EC_KEY_new_by_curve_name) and <openssl/ssl.h>
>    (SSL_CTX_set_tmp_ecdh). Creates the NIST P-256 / prime256v1 curve
>    parameters and hands them to the listener's SSL context so that the
>    ECDHE cipher suites can be offered. */
> EC_KEY *ecdh = NULL;
>
> ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
> if(ecdh == NULL){
>     _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "unable to create curve (nistp256)");
> }else{
>     /* SSL_CTX_set_tmp_ecdh() copies the key, so the local copy can be freed. */
>     SSL_CTX_set_tmp_ecdh(listener->ssl_ctx, ecdh);
> }
> EC_KEY_free(ecdh); /* safe on NULL */
>
>
>
> Elliptic Curve cryptography is a great alternative to RSA in terms of
> performance with at least the same level of security. Having Mosquitto able
> to support it would be great. Using a #ifdef would allow minimal
> support for it. An even better solution would be to let the user customize
> each listener through the Mosquitto plugin.
>
>
>
> Best regards,
>
>
>
> Remi
>
>
>
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help   : https://help.launchpad.net/ListHelp
>
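A defender-side check for the configuration discussed above, added here as an example that is not from the thread or from Mosquitto: it uses Python's ssl module (SSLContext.set_ecdh_curve is the counterpart of the SSL_CTX_set_tmp_ecdh call in the quoted patch) to build a server context pinned to P-256 and ECDHE-ECDSA suites, then verifies that every TLS 1.2 suite the context offers uses an ephemeral key exchange. The function names and cipher strings are my own choices; no certificate is loaded, since only the offered suite list is inspected.

```python
import ssl

# Mirrors the quoted net.c patch: pin the ECDHE curve to prime256v1 (NIST
# P-256) and only offer ECDHE-ECDSA suites (AES-GCM or ChaCha20-Poly1305).
ECDHE_ECDSA_SUITES = "ECDHE+ECDSA+AESGCM:ECDHE+ECDSA+CHACHA20"  # my choice


def make_server_context(cipher_string, curve="prime256v1"):
    """Build a TLS server context with the given cipher list and ECDHE curve.

    A real listener would also call ctx.load_cert_chain() with an EC
    certificate; that step is left out because the checks below only
    inspect what the context is configured to offer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ecdh_curve(curve)       # equivalent of SSL_CTX_set_tmp_ecdh()
    ctx.set_ciphers(cipher_string)  # narrow the offered TLS 1.2 suites
    return ctx


def tls12_cipher_names(ctx):
    """Names of the TLS 1.2 suites the context offers.

    TLS 1.3 suites are listed by get_ciphers() too, but they are negotiated
    separately and are always forward secret, so they are filtered out.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forward_secret_only(ctx):
    """True when every offered TLS 1.2 suite uses ephemeral (EC)DH exchange."""
    names = tls12_cipher_names(ctx)
    return bool(names) and all(n.startswith(("ECDHE-", "DHE-")) for n in names)


def ecdhe_ecdsa_context():
    """The hardened configuration from the thread: ECDHE-ECDSA only, on P-256."""
    return make_server_context(ECDHE_ECDSA_SUITES)


if __name__ == "__main__":
    good = ecdhe_ecdsa_context()
    print("offered:", tls12_cipher_names(good))
    print("forward secret only:", forward_secret_only(good))
    # Static-RSA key exchange (no forward secrecy) for comparison.
    weak = make_server_context("AES128-GCM-SHA256:AES256-GCM-SHA384")
    print("weak context forward secret only:", forward_secret_only(weak))
```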