How to get the cipher suite being used in HiveMQ Client?

Question

I configured the HiveMQ server to recognize TLS and created a TLS communication. I'd like to print out the cipher suites being used. I've used the getSslConfig() but I end up getting this as an output:

Optional[com.hivemq.client.internal.mqtt.MqttClientSslConfigImpl@2710]

I'm aware there is a getCipherSuites() method in MqttClientSslConfig.java but I haven't been able to find a way to use it. As a follow up how would I specify a particular cipher suite be used? So far I've just been using the default one like so:

Code (How to specify a particular cipher suite?):

Mqtt5BlockingClient subscriber = Mqtt5Client.builder()
        .identifier(UUID.randomUUID().toString()) // the unique identifier of the MQTT client. The ID is randomly generated between 
        .serverHost("localhost")  // the host name or IP address of the MQTT server. Kept it localhost for testing. localhost is default if not specified.
        .serverPort(8883)  // specifies the port of the server
        .addConnectedListener(context -> ClientConnectionRetreiver.printConnected("Subscriber1"))        // prints a string that the client is connected
        .addDisconnectedListener(context -> ClientConnectionRetreiver.printDisconnected("Subscriber1"))  // prints a string that the client is disconnected
        .sslWithDefaultConfig()  // << How can I specify a particular cipher suite?
        .buildBlocking();  // creates the client builder

Code (How I've been trying to get the SSL config) :

Mqtt5ClientConfig clientConfig = client.getConfig();
System.out.println(" Ssl Configuration: " + clientConfig.getSslConfig());

score 1 · Accepted Answer · answered Jul 01 '19 at 19:37

1

You can configure a specific cipher suite like so:

Mqtt5Client.builder()
        ...
        .sslConfig()
            .cipherSuites(Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
            .applySslConfig()
        ...

getSslConfig returns an Optional. So to get the cipher suites:

client.getConfig().getSslConfig().get().getCipherSuites()

answered Jul 01 '19 at 19:37

SgtSilvio

476
2
5

I'm getting a "Server closed connection without DISCONNECT" when trying to use: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. I've tried TLSv1.1, TLSv1.2, TLSv1.3 and none work. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 works but only on TLSv1.2 strangely. "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" gives me a Received fatal alert: handshake_failure" error instead on TLSv1.2 but a "Server closed connection without DISCONNECT" on TLSv1.3. I've manually configured the config.xml to specify the version. – Chigozie A. Jul 02 '19 at 14:00
Do I need to set the .keyManagerFactory() and .trustManagerFactory() with .sslConfig() for this to work properly? – Chigozie A. Jul 02 '19 at 14:08
Both cipher suites you mentioned only exist in TLSv1.2, so it is expected that they only work with TLSv1.2. See the following links: https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256/ https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256/ – SgtSilvio Jul 02 '19 at 20:42
That cleared things up a bit although I am still getting a `Received fatal alert: handshake_failure` on TLSv1.2 with `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` but it works with `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` with TLSv1.2 (so **both** are on TLS1.2) which is odd. I've already troubleshooted and did things like adding the certificate of the server in the cacerts file. I'm starting to suspect there is some problem with a cipher suite compatibility issue somewhere. – Chigozie A. Jul 02 '19 at 21:15
to your other question: the used cipher suite has to match your server configuration. How did you create the server certificates? Did you sign with RSA or ECDSA? – SgtSilvio Jul 02 '19 at 21:19
I signed with RSA (with SHA256). I'm actually interested in using TLS1.3 (I was using TLS1.2 just as a test). I'd like to use `TLS_AES_128_GCM_SHA256` which is a TLS1.3 suite. Would the syntax be `.cipherSuites(Arrays.asList("TLS_AES_128_GCM_SHA256"))`. Would that work in HiveMQ? – Chigozie A. Jul 02 '19 at 21:19
2

This looks right. Keep in mind that you have to use Java 11+ if you want to use TLS 1.3. – SgtSilvio Jul 03 '19 at 10:50
Ok, my project is already in Java 11 so that will be fine. Since you said that the certificate and cipher suites that are being used have to match, I assume I will have to generate a new key pair (EC and not RSA this time) that's compatible with TLS1.3. Then generate a certificate for that key pair and put it in the cacerts file again. – Chigozie A. Jul 03 '19 at 13:13
I created a new certificate for the key pair and generated it using secp256r1 (compatible with TLS.1.3) but it I'm getting an: Exception in thread "SubThread1" com.hivemq.client.mqtt.exceptions.ConnectionClosedException: Server closed connection without DISCONNECT. on Java 11. I marked your question as solved since my original question was different and answered. I posted a new question here: https://stackoverflow.com/questions/56904682/how-to-properly-use-tls-1-3-cipher-suites-in-hivemq-getting-a-no-appropriate-p – Chigozie A. Jul 05 '19 at 14:15

How to get the cipher suite being used in HiveMQ Client?

1 Answers1