Im trying to establisch a mqtt connection to test.mosquitto.org using MQTT.fx.
Im on Windows 10.
Selecting TLSv1.2 as my Protocol works fine.
But using TLSv1.3 the connection fails. "TSLv1.3 SSLContext not available"
Is TLSv1.3 just not jet supported on MQTT.fx?
I could not find anything else regarding that promlem using MQTT.fx.
As of version 1.7.1, MQTT.fx is bundled with JRE 1.8.0_18.
TLSv1.3 is supported from JDK 8u261 (source).
Hence, the used JRE does not support TLSv1.3.
I reported the issue and hope for a quick update.
Related
I have a Syslog Appender which communicates to server on tcp with below configuration. Configured an rsyslog server which is successfully receiving the messages from client. I'm new to this log4j2 and please excuse me if I missed something obvious.
<Syslog name="Connector" format="RFC5424" host="10.10.10.10" port="5822" protocol="TCP" appName="Connector" includeMDC="true" mdcId="mdc" enterpriseNumber="18060" newLine="true" immediateFlush="true" messageId="Audit" id="App" facility="local0">
<SSL>
<TrustStore location="truststore.p12" password="pJAY3nVuG?"/>
</SSL>
</Syslog>
I'm unable to find from documentation etc. on supported TLS versions for this. What's the minimum version it supports and if there is a way we can configure it to use only TLS 1.2+?
Log4j doesn't support any particular version of TLS. It uses a standard Java SSLSocket. So the version of TLS that is supported is controlled by how you configure the JVM. You need to check the relevant documentation, but the default is TLS 1.2 for Java 8 and 11.
I'm running a rest api on Dokku platform. Recently I discovered that Android <5 doesn't support tls 1.1 and 1.2, so I was wondering if I could enable 1.0 on my host (default cert enabled only 1.2).
You'll need to get a certificate from an authority that supports lower than TLS 1.2, though I believe that is a requirement for GDPR.
I'm struggling to run Jenkins 2.91 (RPM version) using its embedded mode on Centos 7.2 with OpenJDK (1.8.0_65)
However I'm getting the "ssl_error_no_cypher_overlap" error when I connect with Firefox 38.1.0 over HTTPS
This problem does not occur when running Jenkins with Oracle JDK 1.8.0_144, only with OpenJDK.
I've tried various options such as the following without success
JENKINS_JAVA_OPTIONS="-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"
I came across bug 1167153, however the fix of applying jdk.tls.disabledAlgorithms=EC,ECDHE,ECDH already appears to be in place in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/lib/security/java.security.
I've also tried using openssl to see what protocols are reported
openssl s_client -connect localhost:8443
>>>
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
I enabled logging using -Djavax.net.debug=ssl,handshake however this meant another fault was reported - ssl internal error - apparently due to bug - NoSuchAlgorithmException: EC AlgorithmParameters not available if SSL logs enabled
I managed to resolve this by installing bouncycastle. It seems OpenJDK doesn't ship with a ECC provider.
Download a bouncycastle provider from https://www.bouncycastle.org/latest_releases.html. e.g bcprov-ext-jdk15on-158.jar
Copy into /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/ext
Add a provider to the end of the list in /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/security/java.security
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
Re-enabled ECC algorithms, line previously ended: , EC, ECDHE, ECDH
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
Restart jenkins
I have an app that connects to Apache server with SNI enabled to support several Virtualhosts
In iOS 7.1.1 and older iOs versions the connection fails with this visible error in Apache (when in debug mode):
Apache-Error: [file "ssl_engine_kernel.c"] [line 512] [level 7] Changed client verification type will force renegotiation
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.15/modules/ssl/ssl_engine_kernel.c"] [line 542] [level 6] Non-default virtual host with SSLVerify set to 'require' and VirtualHost-specific CA certificate list is only available to clients with TLS server name indication (SNI) support
it works instead when SNI is disabled in Apache, the correct virtualhost is the default or iOS version >= 8 is used.
The question is: Is in iOS SNI ON by default? It looks like yes on iOS >= 8.0 and no in <8.
If it is not on by default in old iOS versions (is what looks like), anyone knows how to force SNI sending?
Thanks in advance
I have a standalone (EXE) DataSnap server written in Delphi XE6 which I've secured with an SSL certificate using the OpenSSL DLLs. When I test the connection to the server I can see that it supports TLS v1.0. I now need to ensure the server can support TLS v1.2 (e.g. to support connections from iOS9 apps). However I can't see how to enable this. I've made the Windows registry changes to the (Windows 2008R2) server to enable TLS v1.2 but I guess this only affects IIS apps.
Can anybody show me how to enable TLS v1.2 within the Windows OpenSSL DLLs? I'm using version 1.0.2d of the DLLs. Or is there something within the DataSnap server component properties that needs to be changed?