MQTT component: doesn't support TLS 1.2?

Hello,

I want to use the basic component in Node-Red "MQTT IN" and "MQTT OUT" to connect to a RabbitMQ broker securely (TLS 1.2).

I see by analyzing the frames with "Wireshark" that Node-Red communicates in TLS 1.0, which is old. Is there a way to work in TLS 1.2 with Node-Red?

Thank you!

What version of node.js are you using? This isn't something we explicitly set in the node; we let the underlying tls layer negotiate with the remote server it's connecting to.

I use:
17 Jun 10:59:46 - [info] Node-RED version: v1.0.6
17 Jun 10:59:46 - [info] Node.js version: v12.18.0

And I need to connect to RabbitMQ in TLS 1.2

You're saying we can't force TLS 1.2?

Thanks.

We don't expose any option to force the client to use a particular TLS version. As I understand it, it will negotiate with the server to find a mutually available version.

Looking at the documentation for the node.js tls module, the default minimum TLS version is already set to TLSv1.2 - so it should be using that if both client and server support it.

Have you verified you can create a TLS 1.2 connection to your RabbitMQ server from another client?

We could certainly add some other options to the TLS Config node in node-red, but given the above, I'm not sure it would help.

Thank you for your response.

With Wireshark analyzing the packets I find the following:

  • When I use the "MQTT Explorer" client to test the connection, it works in TLS 1.2

  • When I then use Node-RED, it tries to connect in TLS 1.0

If MQTT Explorer is able to negotiate a TLS 1.2 connection, Node-Red could do so too.

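The two frames described in the post above can be checked byte by byte instead of relying on the dissector's summary line. The following is an added example written for this page, not Node-RED or MQTT.js code: it builds sample ClientHello and ServerHello records in-process (constructed for the demo, with a constant random field, not captured from the RabbitMQ broker) and decodes the version fields. The point it illustrates is a protocol fact: a ClientHello's record-layer version is commonly 0x0301 (TLS 1.0) whatever the client offers, while the offered versions are the ClientHello version field and, for TLS 1.3-capable clients, the supported_versions extension; the ServerHello carries the version that was actually negotiated.

```javascript
// Added example (not Node-RED or MQTT.js code): decode the version fields of a
// TLS ClientHello / ServerHello so the record-layer version a packet dissector
// shows can be compared with what the client actually offered and what the
// server selected. All buffers are constructed here, not captured.

const VERSION_NAMES = {
  0x0300: 'SSLv3', 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2', 0x0304: 'TLS 1.3',
};
const HANDSHAKE = 0x16;
const CLIENT_HELLO = 1;
const SERVER_HELLO = 2;
const EXT_SUPPORTED_VERSIONS = 0x002b;

const u16 = (v) => Buffer.from([(v >> 8) & 0xff, v & 0xff]);
const versionName = (v) => VERSION_NAMES[v] || `0x${v.toString(16).padStart(4, '0')}`;

// Build a minimal (Client|Server)Hello inside a handshake record. The random
// field is a constant because this demo only looks at version fields.
function buildHello(hsType, { recordVersion = 0x0301, legacyVersion, cipherSuites, supportedVersions = null }) {
  const parts = [u16(legacyVersion), Buffer.alloc(32, 0x42), Buffer.from([0])]; // version, random, empty session_id
  const suites = Buffer.concat(cipherSuites.map(u16));
  if (hsType === CLIENT_HELLO) parts.push(u16(suites.length), suites, Buffer.from([1, 0])); // suite list, null compression
  else parts.push(suites, Buffer.from([0]));                                                // chosen suite, compression
  let exts = Buffer.alloc(0);
  if (supportedVersions) {
    const list = Buffer.concat(supportedVersions.map(u16));
    // ClientHello carries a length-prefixed list; ServerHello carries the single selected version.
    const body = hsType === CLIENT_HELLO ? Buffer.concat([Buffer.from([list.length]), list]) : list;
    exts = Buffer.concat([u16(EXT_SUPPORTED_VERSIONS), u16(body.length), body]);
  }
  parts.push(u16(exts.length), exts);
  const body = Buffer.concat(parts);
  const hs = Buffer.concat([Buffer.from([hsType, 0, body.length >> 8, body.length & 0xff]), body]);
  return Buffer.concat([Buffer.from([HANDSHAKE]), u16(recordVersion), u16(hs.length), hs]);
}

// Extensions block: 2-byte total length, then (type, length, body) triples.
function parseExtensions(buf, off) {
  const exts = new Map();
  if (off + 2 > buf.length) return exts; // hello without an extensions block
  const end = off + 2 + buf.readUInt16BE(off);
  for (off += 2; off + 4 <= end; ) {
    const type = buf.readUInt16BE(off);
    const len = buf.readUInt16BE(off + 2);
    exts.set(type, buf.subarray(off + 4, off + 4 + len));
    off += 4 + len;
  }
  return exts;
}

// Returns { hsType, recordVersion, legacyVersion, cipherSuites, supportedVersions }.
function parseHello(record) {
  if (record[0] !== HANDSHAKE) throw new Error('not a TLS handshake record');
  const recordVersion = record.readUInt16BE(1);
  const hsType = record[5];
  let off = 9; // 5-byte record header + 4-byte handshake header
  const legacyVersion = record.readUInt16BE(off); off += 2;
  off += 32;              // random
  off += 1 + record[off]; // session_id
  let cipherSuites;
  if (hsType === CLIENT_HELLO) {
    const csLen = record.readUInt16BE(off); off += 2;
    cipherSuites = [];
    for (let i = 0; i < csLen; i += 2) cipherSuites.push(record.readUInt16BE(off + i));
    off += csLen;
    off += 1 + record[off]; // compression_methods
  } else if (hsType === SERVER_HELLO) {
    cipherSuites = [record.readUInt16BE(off)]; off += 3; // selected suite + compression_method
  } else {
    throw new Error(`unexpected handshake type ${hsType}`);
  }
  const sv = parseExtensions(record, off).get(EXT_SUPPORTED_VERSIONS);
  let supportedVersions = null;
  if (sv) {
    supportedVersions = [];
    if (hsType === CLIENT_HELLO) for (let i = 1; i + 2 <= sv.length; i += 2) supportedVersions.push(sv.readUInt16BE(i));
    else supportedVersions.push(sv.readUInt16BE(0));
  }
  return { hsType, recordVersion, legacyVersion, cipherSuites, supportedVersions };
}

// The version that matters: the highest the client offers, or the one the server
// selected. Without supported_versions the legacy version field is the answer.
function effectiveVersion(hello) {
  if (hello.supportedVersions) {
    return hello.hsType === CLIENT_HELLO ? Math.max(...hello.supportedVersions) : hello.supportedVersions[0];
  }
  return hello.legacyVersion;
}

function describe(record) {
  const h = parseHello(record);
  return {
    message: h.hsType === CLIENT_HELLO ? 'ClientHello' : 'ServerHello',
    recordLayer: versionName(h.recordVersion),
    legacyVersion: versionName(h.legacyVersion),
    supportedVersions: h.supportedVersions ? h.supportedVersions.map(versionName) : null,
    effective: versionName(effectiveVersion(h)),
  };
}

// Constructed samples: a modern client offering TLS 1.2/1.3 behind a TLS 1.0
// record header, and a server answering with TLS 1.2 the classic way (no extension).
const SAMPLE_CLIENT_HELLO = buildHello(CLIENT_HELLO, {
  legacyVersion: 0x0303, cipherSuites: [0x1301, 0xc02f, 0xc030], supportedVersions: [0x0304, 0x0303],
});
const SAMPLE_SERVER_HELLO = buildHello(SERVER_HELLO, {
  recordVersion: 0x0303, legacyVersion: 0x0303, cipherSuites: [0xc02f],
});

for (const rec of [SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO]) {
  console.log(rec.toString('hex'));
  console.log(describe(rec));
}
```

To use it on a real capture, export the ClientHello and ServerHello bytes from Wireshark (the whole record, starting at the 0x16 content-type byte) and pass `Buffer.from(hex, 'hex')` to `describe`. The `recordLayer` field of the ClientHello is what a dissector's "Version" column tends to show; `effective` is what the client offered, and the ServerHello's `effective` is what was negotiated.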

Ok - so we know the server supports 1.2.

Given you're using Node 12, which has tls.DEFAULT_MIN_VERSION set to TLS 1.2 already, I don't know why it's connecting with 1.0. Based on the node.js docs, I don't think it should be doing that at all - there's no code in the MQTT node that modifies the TLS min version.

So I don't know why it's doing that.

I thought Node-RED was using MQTT.js? Could it be the "bottleneck"?

Could be - node-red locks on to MQTT.js V2.18.8 - that's from 2y ago - current version in NPM is 4.1.0

node-red package.json
"mqtt": "2.18.8",

Not 100% sure that would be the reason for TLS 1.0 though.

EDIT...

Rather than just a throw away comment - I am gonna do a quick test to see what happens (from a compatibility / usability POV) if we force node-red to use V3.0.0 or V4.1.0 - then I'll feedback how to do it for @vp2021 to test if that fixes the TLS neg issue

I seem to remember on a non node-red project I simply replaced MQTT.js without issue.

END EDIT

__(slightly off topic)__

While on the subject of MQTT - would be nice to see some of MQTT v5 goodness in node red - in particular...

  • User Properties
  • Payload Format Indicator & Content Type
  • Response Topic and Request /Response Pattern

... though I have no idea how they would look/fit together in node-red land


Yes, off topic - let's not change the subject, if you want to discuss v5 support in the core please start a new topic. Of course I'm well aware of this (I'm on the MQTT standards technical committee). But so far, no-one has offered to do all the work needed, so it sits in the backlog.


I've got news!

I managed to connect to RabbitMQ with the MQTT component of cloud.iO. But there's something weird about it.

My problem is still with Debian10. But last night I tried with Ubuntu 20.04 LTS and managed to connect to the Broker.

Debian 10 :
RED Node: 1.0.6
Node.js: 12.18.0
OpenSSL: 1.1.1g (21.04.2020) (Library: OpenSSL 1.1.1d 10 Sep 2019)

Wireshark on Debian :

Ubuntu 20.04 LTS :
RED Node: 1.0.6
Node.js: 12.18.1
OpenSSL: 1.1.1f (31.03.2020)

Wireshark on Ubuntu:

I wonder if the version of OpenSSL on Debian is too old?

Very strange indeed but definitely not the OpenSSL version since TLS 1.2 support was added already in 2012: https://stackoverflow.com/questions/48178052/when-was-tls-1-2-support-added-to-openssl

Maybe some issue with the networking stack or a difference in firewall configuration or Linux kernel version (support for your network interface)?


Hi,
I have the solution:
You need to change the minimum version of TLS in the OpenSSL configuration file:
MinProtocol = TLSv1.0 instead of TLSv1.2


And restart Node-Red after that.

From now on, the negotiation of the version of TLS used will be done in v1.0, and everything else in 1.2.

Have a nice day!

That's kind of backwards isn't it :-)... If I say I want min 1.2 it fails to negotiate and uses 1.0...

