Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [paho-dev] Using for running Paho tests


yep, I agree on the ports: for the test infrastructure, use a set that are well out of the way of the standard ones.

I absolutely agree with you on the subject of weak ciphers - it's much better to direct people in the direction of best security practice by default. This was only for the purpose of the tests, and I'm not that concerned about these particular tests, for the same reasons.

I did set the cipher on the listener, so:

listener 8886
cafile keys/server/ca.crt
certfile keys/server/server.crt
keyfile keys/server/server.key
require_certificate false

but still got:

OpenSSL Error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

No big deal, it's more out of interest really.


On 08/09/2013 05:29 PM, Roger Light wrote:
Hi Ian,

That's great, it makes a lot of sense. Having a separate broker
instance for testing is definitely a good idea as well! We should
probably move the ports the tests use so that they don't use 8883 to
avoid potential future problems if we allow TLS connections on

Mosquitto uses the default ciphers that openssl makes available. You
can see this list with "openssl ciphers -v", or "openssl ciphers -v
'DEFAULT:!aNULL:!eNULL", which is confusingly the set of options that
are used by default.

ADH-DES-CBC-SHA is part of the aNULL (null authentication, as you say)
cipher group so it isn't available by default. You can configure the
available ciphers with the "ciphers" option in the config file, but
you'd also have to argue quite hard to convince me that providing
support for weak anonymous ciphers was a good idea. I'm inclined to
disable more weak ciphers by default, as discussed in this Python bug



On Fri, Aug 9, 2013 at 4:51 PM, Ian Craggs
<icraggs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi Roger,

Benjamin is happy for us to use to run an MQTT server to run
Paho tests against.  The tests use a variety of SSL configuration on four
ports (currently 8883 to 8886) in addition to 1883.

We could use the same instance of Mosquitto as is running now, or a separate
instance for added stability.   I just imagined that random use of the
sandbox server could interfere with the Paho tests, and that a separate
instance would give us more reliable tests.

What do you think?


P.S.  My SSL C client tests are working against Mosquitto with the exception
of anonymous ciphers (attempting to use ADH-DES-CBC-SHA). Anything special
to consider?

Back to the top