Re: [paho-dev] Using m2m.eclipse.org for running Paho tests
Roger,

yep, I agree on the ports: for the test infrastructure, use a set that are well out of the way of the standard ones.
I absolutely agree with you on the subject of weak ciphers - it's much better to direct people in the direction of best security practice by default. This was only for the purpose of the tests, and I'm not that concerned about these particular tests, for the same reasons.
I did set the cipher on the listener, so:

listener 8886
cafile keys/server/ca.crt
certfile keys/server/server.crt
keyfile keys/server/server.key
require_certificate false
ciphers ADH-DES-CBC-SHA

but still got:

OpenSSL Error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
No big deal, it's more out of interest really.

Ian

On 08/09/2013 05:29 PM, Roger Light wrote:
Hi Ian,

That's great, it makes a lot of sense. Having a separate broker instance for testing is definitely a good idea as well! We should probably move the ports the tests use so that they don't use 8883 to avoid potential future problems if we allow TLS connections on m2m.eclipse.org.

Mosquitto uses the default ciphers that openssl makes available. You can see this list with "openssl ciphers -v", or "openssl ciphers -v 'DEFAULT:!aNULL:!eNULL'", which is confusingly the set of options that are used by default. ADH-DES-CBC-SHA is part of the aNULL (null authentication, as you say) cipher group so it isn't available by default.

You can configure the available ciphers with the "ciphers" option in the config file, but you'd also have to argue quite hard to convince me that providing support for weak anonymous ciphers was a good idea. I'm inclined to disable more weak ciphers by default, as discussed in this Python bug report: http://bugs.python.org/issue13636

Cheers,

Roger

On Fri, Aug 9, 2013 at 4:51 PM, Ian Craggs <icraggs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi Roger,

Benjamin is happy for us to use m2m.eclipse.org to run an MQTT server to run Paho tests against. The tests use a variety of SSL configurations on four ports (currently 8883 to 8886) in addition to 1883.

We could use the same instance of Mosquitto as is running now, or a separate instance for added stability. I just imagined that random use of the sandbox server could interfere with the Paho tests, and that a separate instance would give us more reliable tests.

What do you think?

Ian

P.S. My SSL C client tests are working against Mosquitto with the exception of anonymous ciphers (attempting to use ADH-DES-CBC-SHA). Anything special to consider?
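
The cipher-group behaviour discussed in this thread can be checked per listener before a broker goes live. The following is an added example, not code from the thread or from the Mosquitto or Paho projects: it reads "listener" and "ciphers" lines from a config and reports whether each cipher string, as expanded by the OpenSSL build linked into Python, enables anonymous (Au=None) suites. The sample config and the function names are constructed for illustration, and a listener with no "ciphers" line is assumed to use the default string quoted above.

```python
import ssl

# Default string quoted in the thread; assumed for listeners with no "ciphers" line.
DEFAULT_CIPHERS = "DEFAULT:!aNULL:!eNULL"

# Constructed sample config (hypothetical), reusing listener 8886 from the thread.
SAMPLE_CONF = """\
listener 8885
cafile keys/server/ca.crt

listener 8886
cafile keys/server/ca.crt
require_certificate false
ciphers ADH-DES-CBC-SHA
"""

def classify(cipher_string):
    """Return (status, anonymous_cipher_names) for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return "unavailable", []  # this OpenSSL build offers nothing for the string
    # The cipher list governs TLS <= 1.2; TLS 1.3 suites are configured separately.
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if not suites:
        return "unavailable", []
    # "Au=None" is the marker `openssl ciphers -v` prints for aNULL suites.
    anon = [c["name"] for c in suites if "Au=None" in c["description"]]
    return ("anonymous" if anon else "authenticated"), anon

def audit_listeners(conf_text):
    """Map each listener port to (cipher_string, status, anonymous_names)."""
    ciphers_by_port, port = {}, None
    for raw in conf_text.splitlines():
        words = raw.split()
        if len(words) >= 2 and words[0] == "listener":
            port = int(words[1])
            ciphers_by_port[port] = DEFAULT_CIPHERS
        elif len(words) >= 2 and words[0] == "ciphers" and port is not None:
            ciphers_by_port[port] = words[1]
    return {p: (s, *classify(s)) for p, s in ciphers_by_port.items()}

if __name__ == "__main__":
    for port, (string, status, anon) in audit_listeners(SAMPLE_CONF).items():
        print(port, string, status, ", ".join(anon))
```

A status of "unavailable" means only that the local OpenSSL build has no TLS 1.2-or-earlier suite matching the string; the result depends on the library the check runs against, so run it on the broker host.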