I am using WolfSSL on an embedded device and am trying to connect to an Azure EventGrid MQTT broker. The Client Hello message from the device is ignored by the server, which responds with a TCP RST packet. The Client Hello includes the following ciphers: As well as the following signature algorithms: Finally, I am also including the SNI, which matches that of a successful connection from openSSL s_client. Is there some requirement that the TLS implementation is missing? Just to be clear, these are the only extensions being used:

@Daniel Hadlow Thanks for your patience! MQTT broker requires, TLS-1.2, client certificate cypher-suits: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 cyphers: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384. could you please share the client's broker name to verify logs?

What TLS extensions/ciphers are required for WolfSSL to connect to Azure EventGrid from an embedded platform?

Daniel Hadlow 5

I am using WolfSSL on an embedded device and am trying to connect to an Azure EventGrid MQTT broker. The Client Hello message from the device is ignored by the server, which responds with a TCP RST packet. The Client Hello includes the following ciphers:

User's image

As well as the following signature algorithms:

User's image

Finally, I am also including the SNI, which matches that of a successful connection from openSSL s_client.

Is there some requirement that the TLS implementation is missing?

Just to be clear, these are the only extensions being used:

User's image

JananiRamesh-MSFT 21,246 Reputation points

2024-03-07T02:29:07.6766667+00:00

@Daniel Hadlow Thanks for reaching out. Looking into it will get back to you shortly.
JananiRamesh-MSFT 21,246 Reputation points

2024-03-11T11:31:43.3266667+00:00

@Daniel Hadlow Just a follow up to my previous comment and see if you can share the requested info. That would help in assisting you better
Olaf Wrieden 1 Reputation point Microsoft Employee

2024-03-13T12:36:54.4166667+00:00
@JananiRamesh-MSFT I’m facing similar issues where the cypher suites you shared above don’t allow my embedded device’s modem to authenticate with the Event Grid MQTT broker during the handshake. There’s documentation (for IoT Hub, is there an Event Grid MQTT equivalent?) stating to exclude RSA cypher suites, however the modem only supports the following:

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA256

Is there any way to get a modem supporting these cypher suites to successfully connect to Event Grid MQTT broker or plans to support these RSA cypher suites in the future given it’s a standard for many embedded systems today?
JananiRamesh-MSFT 21,246 Reputation points

2024-03-20T06:47:54.66+00:00

Olaf Wrieden Thanks for reaching out. You're right! that's a current gap in documentation that we will add similar to hub's docs.

Regarding the question around the possibility to support these cypher suites, discussing with Product group team we'll get back to you with an update.
Olaf Wrieden 1 Reputation point Microsoft Employee

2024-04-13T07:28:29.22+00:00

@JananiRamesh-MSFT is there an update on when some of the RSA based ciphersuites in my previous comment will be supported? It would open Event Grid MQTT to more existing embedded system modems. IoT Hub with MQTT is very limited and now recommends Event Grid for this workload instead - but the difference in ciphersuites doesn’t make this possible.

1 answer

JananiRamesh-MSFT 21,246 Reputation points

2024-03-08T03:06:11.4733333+00:00
@Daniel Hadlow Thanks for your patience! MQTT broker requires, TLS-1.2, client certificate

cypher-suits: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384

cyphers: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384.

could you please share the client's broker name to verify logs?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment