MQTT: how to find what TLS/SSL version is used

Hello,
Secure communication between clients & brokers using certificates with TLS/SSL works fine, as we know.

But how can I find information of what version of TLS is actually used for a specific connection?

In the mosquitto log file (the broker is running on an RPi) I don't see this information, and I do not see it in Node-RED either:

1564491551: mosquitto version 1.6.3 starting
1564491551: Config loaded from /etc/mosquitto/mosquitto.conf.
1564491551: Opening ipv4 listen socket on port 8883.
1564491551: Opening ipv6 listen socket on port 8883.
1564491551: Opening ipv4 listen socket on port 1883.
1564491551: Opening ipv6 listen socket on port 1883.
1564491552: New connection from 192.168.0.155 on port 1883.
1564491552: New client connected from 192.168.0.155 as 518776448999 (p2, c1, k60, u'username').
1564491565: New connection from 192.168.0.241 on port 8883.
1564491565: New client connected from 192.168.0.241 as mqtt_ffbefcf6.e8c3d (p1, c1, k60).
1564491576: New connection from 192.168.0.155 on port 8883.
1564491576: Client 518776448999 already connected, closing old connection.
1564491576: New client connected from 192.168.0.155 as 518776448999 (p2, c1, k60, u'username').
1564493351: Saving in-memory database to /var/lib/mosquitto/mosquitto.db.

I don't think that it reports it - not sure if you can change logging levels though?

https://mosquitto.org/blog/

The release notes show that TLS 1.0 support has been removed and 1.3 added.

It shows the commands needed to generate the certificates, which shows you what encryption is being used.

Thank you, my concern is that if the broker supports 1.3, I want to be sure that NR is using this as well. If this cannot be verified, how can I be sure?

Well that one is easy - Node.JS doesn't yet support TLS v1.3

Ah, ok!

But the same concern applies if TLS v1.2 is supported by the broker. You do not want NR to use something less secure, I suppose, like SSL v3.

Just to clarify, from the issue Julian links to...

Node 10.x does not support TLS 1.3 and never will.

Node 12.x has TLS 1.3.

With regard to which gets used - this section of the docs explains how node picks the cipher suite to use: https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite

The default cipher suite included within Node.js has been carefully selected to reflect current security best practices and risk mitigation.

And the Node 12.x docs also say:

Despite the relative order of TLSv1.3 and TLSv1.2 cipher suites, the TLSv1.3 protocol is significantly more secure than TLSv1.2, and will always be chosen over TLSv1.2 if the handshake indicates it is supported, and if any TLSv1.3 cipher suites are enabled.

Just to add - I don't have particular knowledge of this. I'm just googling and reading the same docs you could google and read :slight_smile:

1 Like

Great, then final Q; can/is NR use/using node 12.x?

We don't routinely test against 12 currently and it isn't our recommended version. There were some issues with third party modules not building properly on 12 - but I've not checked recently to see where it stands.

Alright, fine, thanks
For the moment, will stick to what I have running. The broker 1.6.3 is at least supporting TLS v1.3. To be available for later...

In general the latest version will be preferred by most clients and if 1.3 is supported, 1.2 certainly will be (and is). I didn't mention Node 12 since it isn't yet fully supported in NR, as Nick has said.

Bottom line - both will happily use TLS v1.2 which is the most common version in use anyway. Anything less than TLS v1.2 shouldn't be used.