Hello,
Secure communication between clients & brokers using certificates with TLS/SSL works fine, as we know.
But how can I find information of what version of TLS is actually used for a specific connection?
In the mosquitto log file (the broker is running on an RPi) I don't see this information, and I do not see it in Node-RED either:
1564491551: mosquitto version 1.6.3 starting
1564491551: Config loaded from /etc/mosquitto/mosquitto.conf.
1564491551: Opening ipv4 listen socket on port 8883.
1564491551: Opening ipv6 listen socket on port 8883.
1564491551: Opening ipv4 listen socket on port 1883.
1564491551: Opening ipv6 listen socket on port 1883.
1564491552: New connection from 192.168.0.155 on port 1883.
1564491552: New client connected from 192.168.0.155 as 518776448999 (p2, c1, k60, u'username').
1564491565: New connection from 192.168.0.241 on port 8883.
1564491565: New client connected from 192.168.0.241 as mqtt_ffbefcf6.e8c3d (p1, c1, k60).
1564491576: New connection from 192.168.0.155 on port 8883.
1564491576: Client 518776448999 already connected, closing old connection.
1564491576: New client connected from 192.168.0.155 as 518776448999 (p2, c1, k60, u'username').
1564493351: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.
Thank you, my concern is that if the broker supports 1.3, I want to be sure that NR is using this as well. If this cannot be verified, how can I be sure?
The default cipher suite included within Node.js has been carefully selected to reflect current security best practices and risk mitigation.
And the Node 12.x docs also say:
Despite the relative order of TLSv1.3 and TLSv1.2 cipher suites, the TLSv1.3 protocol is significantly more secure than TLSv1.2, and will always be chosen over TLSv1.2 if the handshake indicates it is supported, and if any TLSv1.3 cipher suites are enabled.
We don't routinely test against 12 currently and it isn't our recommended version. There were some issues with third party modules not building properly on 12 - but I've not checked recently to see where it stands.
Alright, fine, thanks
For the moment, I will stick to what I have running. The broker (1.6.3) at least supports TLS v1.3, to be available for later...
In general the latest version will be preferred by most clients and if 1.3 is supported, 1.2 certainly will be (and is). I didn't mention Node 12 since it isn't yet fully supported in NR, as Nick has said.
Bottom line - both will happily use TLS v1.2 which is the most common version in use anyway. Anything less than TLS v1.2 shouldn't be used.