Re: [mosquitto-dev] Help with TLS and X25519 EC for key agreement


I think I found the answer in reading some documentation for BearSSL.

mosquitto is configured to require a certificate from each client. This allows it to verify the identity of the client and alleviates the need for user name/password logins for each device. It's quite convenient as there's one less thing to manage.

The authentication process works like this:

  1. Broker (mosquitto) requests and receives a cert from the device.
  2. Broker verifies cert has valid signature from local root CA (root CA file is declared in mosquitto.conf)
  3. Device must prove it has private key for cert, by providing a signature for an implicitly agreed amount of prior TLS traffic.

The problem is step 3. Signing data is not a permitted use of the X25519 key pair, so the device has no way to prove that it has the private key.

I think this might work if mosquitto is configured to NOT require a certificate from each device, but then user name/password logins would be required for security and that's another system management headache. I'm not going to attempt that...not worth the trouble.

On 4/20/2022 12:24 AM, Roger Light wrote:

The easy answer is that I don't know.

More usefully, I would suggest trying to use the "openssl s_client"
and "openssl s_server" tools to reproduce your setup and see if that
works or gives you any more information on why it doesn't work.
On Tue, 19 Apr 2022 at 16:26, aweatherguy <wsdl@xxxxxxxxxx> wrote:
I hope this is the proper mailing list for this issue. I looked for a users list but couldn't find one. Let me know if this belongs elsewhere.

Having a problem trying to use X25519 with mosquitto broker. A client device (Tasmota) has been configured with a certificate that contains an X25519 public key, and an RSA signature. The broker is configured with "cafile" matching the signature on the device certificate.

A Wireshark capture of the initial TLS connection looks okay with Client and Server Hello packets, but I don't have the expertise to do a deep dive into these packets to say for certain that all is okay. However, I do see the device's Client Hello packet advertising the expected cipher suite (ECDHE_RSA_WITH_AES_128_GCM_SHA256), and the expected public key type (X25519).

The Mosquitto broker logs a message "New connection from <ip address> on port 8883".

For some reason the Client-Hello/Server-Hello exchange happens twice, and then Mosquitto prints this error from the OpenSSL library:

    tls_process_cert_verify: signature for non signing certificate

My only guess here is that the error happens because X25519 cannot be used for signing -- only key exchange...but the actual signature on the certificate is an RSA signature from a self-signed root CA that is configured into the broker via "cafile".

Can anyone help me with this? I can provide the broker log text and Wireshark pcap files if that will help any...

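The failure the thread arrives at, worked through as an added example (this is not code from the thread, from Mosquitto or from Tasmota): TLS client authentication ends with a CertificateVerify message in which the client signs the handshake transcript with the private key belonging to its certificate, so the public key in a client certificate must be a signing key. X25519 and X448 (OIDs 1.3.101.110 and 1.3.101.111, RFC 8410) are key-agreement-only; their signing siblings are Ed25519 and Ed448 (1.3.101.112, 1.3.101.113), and RSA and ECDSA keys sign as well. The check below walks a DER certificate (or a bare SubjectPublicKeyInfo) with a small hand-written parser over the Python standard library and reports whether the key type can produce that signature, which is a useful precheck before loading a certificate onto a device. The sample keys and certificate are constructed inside the block and are placeholders, not real keys.

```python
"""Classify the public key in a client certificate: can it sign CertificateVerify?
Added example (stdlib only); sample keys below are constructed placeholders."""
from typing import Iterator, Tuple

# SubjectPublicKeyInfo algorithm OIDs: RFC 3279 (RSA), RFC 5480 (EC), RFC 8410 (25519/448).
SIGNING_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC (ECDSA)",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
KEY_AGREEMENT_ONLY_OIDS = {"1.3.101.110": "X25519", "1.3.101.111": "X448"}


def der_iter(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each top-level DER TLV in data (short and long lengths)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long form: low 7 bits = number of length octets
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def spki_algorithm_oid(der: bytes) -> str:
    """Algorithm OID of a DER SubjectPublicKeyInfo, or of the SPKI inside a DER Certificate."""
    _, body = next(der_iter(der))
    children = list(der_iter(body))
    if len(children) == 2 and children[0][0] == 0x30 and children[1][0] == 0x03:
        spki_body = body                       # bare SPKI: SEQUENCE { AlgorithmIdentifier, BIT STRING }
    else:                                      # Certificate: SEQUENCE { tbsCertificate, sigAlg, signature }
        fields = list(der_iter(children[0][1]))
        if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
            fields = fields[1:]
        spki_body = fields[5][1]               # serial, signature, issuer, validity, subject, SPKI
    oid_tag, oid_content = next(der_iter(next(der_iter(spki_body))[1]))
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_content)


def classify_client_key(der: bytes) -> Tuple[str, bool]:
    """Return (key type, True if the key can sign a TLS CertificateVerify)."""
    oid = spki_algorithm_oid(der)
    if oid in SIGNING_OIDS:
        return SIGNING_OIDS[oid], True
    return KEY_AGREEMENT_ONLY_OIDS.get(oid, f"unknown ({oid})"), False


# ---- constructed sample inputs (placeholder key bytes, dummy signature) ----
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def encode_oid(dotted: str) -> bytes:
    arcs = list(map(int, dotted.split(".")))
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def sample_spki(oid: str, key_bits: bytes, params: bytes = b"") -> bytes:
    return tlv(0x30, tlv(0x30, encode_oid(oid) + params) + tlv(0x03, b"\x00" + key_bits))


def sample_certificate(spki: bytes) -> bytes:
    """Structurally valid v3 Certificate around spki; issuer/subject empty, signature dummy."""
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"220101000000Z") + tlv(0x17, b"320101000000Z"))
    rsa_sha256 = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + rsa_sha256
              + name + validity + name + spki)
    return tlv(0x30, tbs + rsa_sha256 + tlv(0x03, b"\x00" + b"\x00" * 32))


X25519_SPKI = sample_spki("1.3.101.110", b"\x11" * 32)                       # like the Tasmota device key
ED25519_SPKI = sample_spki("1.3.101.112", b"\x22" * 32)
P256_SPKI = sample_spki("1.2.840.10045.2.1", b"\x04" + b"\x33" * 64, encode_oid("1.2.840.10045.3.1.7"))
RSA_SPKI = sample_spki("1.2.840.113549.1.1.1",
                       tlv(0x30, tlv(0x02, b"\x00" + b"\x44" * 256) + tlv(0x02, b"\x01\x00\x01")), tlv(0x05, b""))

if __name__ == "__main__":
    for label, der in [("device cert (X25519)", sample_certificate(X25519_SPKI)),
                       ("Ed25519", ED25519_SPKI), ("P-256", P256_SPKI), ("RSA", RSA_SPKI)]:
        kind, can_sign = classify_client_key(der)
        print(f"{label:22s} {kind:12s} CertificateVerify possible: {can_sign}")
```

To run it against a real device certificate, convert it to DER first (for example with `openssl x509 -in device.crt -outform DER -out device.der`) and pass the file's bytes to `classify_client_key`. An X25519 result means the broker's `require_certificate` handshake will fail at CertificateVerify regardless of how the certificate was signed; the fix on the device side is to issue the certificate for a signing key such as Ed25519 or ECDSA, with the CA signature algorithm left as it is.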
mosquitto-dev mailing list
To unsubscribe from this list, visit