资源有限单片机使用特定加密套件TLS连接失败

EMQX
,
1

我使用EMQX Operator建了一个EMQX集群,版本为V5.8 开源版,服务正常运行.

我当前有一款资源有限的单片机设备
设备尝试MQTT连接1883端口正常,但是8883端口ssl连接则失败,
MQTTX工具连接1883/ 8883端口均正常

查阅设备厂家提供的文档,其中提到设备仅支持有限加密套件(如下)
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

使用Java代码模拟以上限定加密套件进行TLS连接握手并打印DEBUG信息,
收到错误提示Error during SSL/TLS connection: (insufficient_security) Received fatal alert: insufficient_security

查阅网络资料得到以下相关文档链接

  1. https://github.com/emqx/emqx/issues/3090
  2. EMQX 5.7.2 在控制台高级设置中添加加密套件报错 - #3,来自 klaus
  3. https://github.com/erlang/otp/wiki/Cipher-suite-correspondence-table

尝试修改加密套件配置,成功保存,但是8883依然无法正常链接
请问还有其他办法嘛?

image
image914×914 113 KB

image
image1920×1030 194 KB

image
image2494×1296 210 KB

2

另外可能有个BUG
默认情况下加密套件一栏值为空,但当填入值保存后,若再置为空,则会报错

image
image2496×1297 174 KB

3

请用命令
openssl s_client -connect localhost:8883 -tls1_1 -cipher 'AES256-SHA:@SECLEVEL=1'
测试一下下面这样的 监听器配置:

image
image1498×296 12.8 KB

image
image780×436 9.6 KB

4

当在dashboard中编辑监听,限定仅留TLS1.1 + AES256-SHA 时,
使用openssl工具尝试连接, openssl输出如下图:

image
image2560×1404 277 KB

对应的emqx 容器输出如下 (确定仅有此两行输出)

writing (7 bytes) TLS 1.2 Record Protocol, alert
0000 - 15 03 03 00 02 02 46                                ......F

在以上相同监听器配置下,使用java代码测试并打印tls debug信息输出如下

javax.net.ssl|DEBUG|10|main|2025-11-07 10:07:12.179 CST|ClientHello.java:640|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "E7246C58E88C6758978F5C6DD9BDA1181711E68D58F21B993A52349E25530083",
  "session id"          : "",
  "cipher suites"       : "[TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "session_ticket (35)": {
      <empty>
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|10|main|2025-11-07 10:07:12.204 CST|Alert.java:232|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "protocol_version"
}
)
javax.net.ssl|ERROR|10|main|2025-11-07 10:07:12.205 CST|TransportContext.java:370|Fatal (PROTOCOL_VERSION): Received fatal alert: protocol_version (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: (protocol_version) Received fatal alert: protocol_version
  	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
  	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
  	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
  	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287)
  	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
  	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
  	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507)
  	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1422)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
  	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
  	at TLSTest1.main(TLSTest1.java:39)}

)
javax.net.ssl|DEBUG|10|main|2025-11-07 10:07:12.205 CST|SSLSocketImpl.java:1750|close the underlying socket
javax.net.ssl|DEBUG|10|main|2025-11-07 10:07:12.205 CST|SSLSocketImpl.java:1776|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: (protocol_version) Received fatal alert: protocol_version
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1422)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at TLSTest1.main(TLSTest1.java:39)
Error during SSL/TLS connection: (protocol_version) Received fatal alert: protocol_version
5

方便的话,辛苦查看一下私信

6

客户端

SSL routines:tls_setup_handshake:no protocols available
这表明 运行的 openssl 命令的环境不支持 tls 1.1,

服务器

我从支持 tls1.1 的环境中测试了你私信给我的服务器地址,得到如下结果:

openssl s_client -connect $IP:8883 -tls1_1 -cipher 'AES256-SHA:@SECLEVEL=1'
CONNECTED(00000003)
139652180874560:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:../ssl/record/rec_layer_s3.c:1552:SSL alert number 71
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 66 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1762492228
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

这表明运行 emqx 服务的环境 无法提供 tls1.1。

总结

你应该不是 pull 的 EMQ 发布的 docker image,而是自己 build 的?
如果emqx的docker是基于ubuntu 和 debian,tls1.1应该是支持的。
如果是基于rockylinux可能已经不再支持tls1.1。

7

(帖子已被作者删除)

8

(帖子已被作者删除)

9

抱歉,我命令的指令并不是在容器里执行的,而且在个人电脑上执行的。在容器里尝试是没问题的.