EMQX 5.7.2 在控制台高级设置中添加加密套件报错

klaus · 2024 年11 月 20 日 03:45

环境

EMQX 版本：5.7.2
操作系统版本：CentOs7

重现此问题的步骤

添加加密套件： TLS_RSA_WITH_AES_256_CBC_SHA

预期行为

添加成功，支持该加密套件

实际行为

报错：
400 BAD_REQUEST: {“value”:“TLS_RSA_WITH_AES_256_CBC_SHA”,“reason”:“{bad_ciphers,["TLS_RSA_WITH_AES_256_CBC_SHA"]}”,“path”:“root.ssl_options.ciphers”,“matched_type”:“listeners:ssl_not_required_bind”,“kind”:“validation_error”}

zhongwencool · 2024 年11 月 20 日 07:53

目前不支持你指定的。
可以使用

./bin/emqx eval "emqx_tls_lib:all_ciphers_set_cached()."

查看所有支持的。

klaus · 2024 年11 月 21 日 03:07

你好，现在有办法能支持吗？升级版本，或者需要怎么做。

zhongwencool · 2024 年11 月 21 日 03:20

不好意思，刚查了一下：Cipher suite correspondence table · erlang/otp Wiki · GitHub
TLS_RSA_WITH_AES_256_CBC_SHA 对应的应该就是：AES256-SHA ,你可以直接用它。

rp(emqx_tls_lib:all_ciphers_set_cached()).
{set,89,18,32,16,90,54,
     {[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[]},
     {{["SRP-DSS-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA256",
        "ECDH-ECDSA-AES256-SHA","DHE-RSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-ECDSA-AES256-GCM-SHA384"],
       ["RC4-SHA","DES-CBC-SHA","ECDHE-ECDSA-AES256-SHA"],
       ["PSK-AES256-CBC-SHA","AES256-SHA","DHE-DSS-AES128-SHA256",
        "DHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-SHA384","TLS_AES_256_GCM_SHA384"],
       ["RC4-MD5","AES256-SHA256","SRP-RSA-AES-128-CBC-SHA",
        "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-ECDSA-AES256-SHA384"],
       ["RSA-PSK-AES256-CBC-SHA384","ECDH-RSA-AES128-SHA",
        "DHE-DSS-AES256-SHA256"],
       ["PSK-AES256-CBC-SHA384","SRP-DSS-DES-CBC3-SHA",
        "ECDH-RSA-RC4-SHA","AES128-GCM-SHA256",
        "SRP-RSA-AES-256-CBC-SHA","DHE-RSA-AES128-SHA",
        "ECDHE-RSA-AES128-SHA","ECDH-RSA-AES128-SHA256"],
       ["ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-AES256-SHA",
        "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384"],
       ["ECDHE-ECDSA-DES-CBC3-SHA","RSA-PSK-RC4-SHA",
        "RSA-PSK-AES128-CBC-SHA","DHE-RSA-AES256-SHA",
        "ECDHE-RSA-AES256-SHA","ECDH-ECDSA-AES256-GCM-SHA384"],
       ["ECDHE-ECDSA-RC4-SHA","DES-CBC3-SHA",
        "ECDHE-ECDSA-AES128-SHA256"],
       ["AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA",
        "DHE-DSS-AES128-SHA","ECDH-RSA-AES128-GCM-SHA256",
        "ECDH-RSA-AES256-SHA384"],
       ["DHE-DSS-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-CCM8",
        "ECDHE-ECDSA-AES128-CCM","ECDHE-ECDSA-CHACHA20-POLY1305",
        "TLS_AES_128_CCM_SHA256"],
       ["RSA-PSK-AES128-GCM-SHA256","DHE-DSS-AES256-SHA"],
       ["PSK-AES128-GCM-SHA256","ECDH-RSA-DES-CBC3-SHA",
        "ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-ECDSA-AES256-CCM8","ECDHE-ECDSA-AES256-CCM"],
       ["EDH-RSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA",
        "ECDH-RSA-AES256-GCM-SHA384","TLS_AES_128_CCM_8_SHA256"],
       ["RSA-PSK-DES-CBC3-SHA","ECDHE-RSA-RC4-SHA",
        "EDH-RSA-DES-CBC-SHA","SRP-DSS-AES128-CBC-SHA",
        "ECDH-ECDSA-AES128-SHA","DHE-RSA-AES128-SHA256",
        "ECDHE-RSA-AES128-SHA256","TLS_AES_128_GCM_SHA256"],
       ["ECDH-ECDSA-RC4-SHA","RSA-PSK-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES128-SHA","ECDH-ECDSA-AES128-SHA256",
        "TLS_CHACHA20_POLY1305_SHA256"]},
      {["PSK-AES128-CBC-SHA","PSK-AES256-GCM-SHA384","AES128-SHA",
        "DHE-RSA-AES256-SHA256"],
       ["PSK-AES128-CBC-SHA256","SRP-RSA-DES-CBC3-SHA",
        "DHE-DSS-DES-CBC3-SHA","AES128-SHA256"],
       [],[],[],[],[],[],[],[],[],[],[],[],[],[]}}}

klaus · 2024 年11 月 21 日 03:30

好的，我这边试一下，非常感谢！