MQ

  • 1.  MQTT Connection issue over TLS

    Posted Wed December 06, 2023 05:17 PM

    Hi All, 

    As per the project requirement, one of our clients is trying to connect to one of our MQTT telemetry channels through the TLS protocol and is getting the following error:

    AMQJS0007E Socket error

    Also, in the MQTT error log we can see the below error:

    AMQCO1008E: An SSL Handshake error occurred when a client at '/192.168.106.1' attempted to connect to channel 'mqtt_sub_storeapp': javax.net.ssl.SSLHandshakeException: no cipher suites in common.

    Please find the channel details below:

    DISPLAY CHANNEL('mqtt_sub_storeapp') CHLTYPE(mqtt)
    3 : DISPLAY CHANNEL('mqtt_sub_storeapp') CHLTYPE(mqtt)
    AMQ8414I: Display Channel details.
    CHANNEL(mqtt_sub_storeapp) CHLTYPE(MQTT)
    TRPTYPE(TCP) PORT(1807)
    LOCLADDR( ) MCAUSER(mqttusrstore)
    USECLTID(NO) BACKLOG(4096)
    DESCR( )
    SSLCIPH(SSL_RSA_WITH_AES_128_CBC_SHA256)
    SSLCAUTH(NEVER) SSLKEYP(********)
    SSLKEYR(/var/mqm/qmgrs/MQ1SXR01/ssl/mqttservice.sit.hosting.asda.com.jks)
    JAASCFG( ) PROTOCOL(MQTTV3,HTTP)

    In the MQ error log the following error is being shown:

    AMQCO1008E: An SSL Handshake error occurred when a client at '/192.168.106.1' attempted to connect to channel 'mqtt_sub_storeapp': javax.net.ssl.SSLHandshakeException: no cipher suites in common.

    The client is using an external JS file, mqttws31.js, which creates a WebSocket connection with the MQTT server. Below is the code snippet that we are using for creating a WebSocket connection (secured and non-secured).

        if (this.connectOptions.useSSL)
          wsurl = ["wss://", host, ":", port, "/mqtt"].join("");
        else
          wsurl = ["ws://", host, ":", port, "/mqtt"].join("");
        this.connected = false;
        this.socket = new WebSocket(wsurl, 'mqttv3.1');
        this.socket.binaryType = 'arraybuffer';

    Can someone please tell me whether there is any way to set the cipher spec in the JavaScript file that the client is using? Any help on this would be highly appreciated.

    Thanks & Regards, 

    Debarpan  



    ------------------------------
    Debarpan Mukhopadhyay
    ------------------------------



  • 2.  RE: MQTT Connection issue over TLS

    Posted Thu December 07, 2023 03:51 AM
    It may be that your certificates are not consistent.

    1) Check the server end has SSL_RSA_WITH_AES_128_CBC_SHA256 specified in its list

    2) Display the certificate and check it is created with RSA

    BTW you are using older (weaker) technology; you should consider moving to cipher specs with *ECDHE* or better in them.

    If you can create a Wireshark trace of the flow and send it to me (privately), I may be able to see what the problem is.

    Colin





  • 3.  RE: MQTT Connection issue over TLS

    Posted Mon December 11, 2023 06:15 AM

    Hi Colin, 

    Thanks for sharing the update. The cipher issue is now resolved after making a change in our MQTT telemetry channel. We have now altered the channel and made the following change to enable 1-way SSL:

    DISPLAY CHANNEL('mqtt_sub_storeapp') CHLTYPE(MQTT)
    1 : DISPLAY CHANNEL('mqtt_sub_storeapp') CHLTYPE(MQTT)
    AMQ8414I: Display Channel details.
    CHANNEL(mqtt_sub_storeapp) CHLTYPE(MQTT)
    TRPTYPE(TCP) PORT(1807)
    LOCLADDR( ) MCAUSER(mqttusrstore)
    USECLTID(NO) BACKLOG(4096)
    DESCR( )
    SSLCIPH(SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    SSLCAUTH(OPTIONAL) SSLKEYP(********)
    SSLKEYR(/var/mqm/qmgrs/MQ1SXR01/ssl/mqttservice.sit.hosting.asda.com.jks)
    JAASCFG( ) PROTOCOL(MQTTV3,HTTP)

    After changing the SSLCAUTH to optional, we are getting the below error in the error log:

    12/11/23 10:57:32.166 AMQXR0021W: Client '' at network address '192.168.106.1' disconnected abnormally
    with exception 'closing inbound before receiving peer's close_notify'.
    12/11/23 10:57:32.750 AMQXR0021W: Client '' at network address '192.168.106.1' disconnected abnormally
    with exception 'closing inbound before receiving peer's close_notify'.
    12/11/23 10:57:33.485 AMQXR0021W: Client '' at network address '192.168.106.1' disconnected abnormally
    with exception 'closing inbound before receiving peer's close_notify'.
    12/11/23 10:57:34.689 AMQXR0021W: Client '' at network address '192.168.106.1' disconnected abnormally
    with exception 'closing inbound before receiving peer's close_notify'.
    12/11/23 10:57:38.659 AMQXR0021W: Client '' at network address '192.168.106.1' disconnected abnormally
    with exception 'closing inbound before receiving peer's close_notify'

    Please find the error log from the client end:

    Failed to Connect MQTT Reciever : mqigw1.sit.hosting.asda.com:1807 log: {"errorCode":7,"errorMessage":"AMQJS0007E Socket error:undefined.","currentURL":"mqigw1.sit.hosting.asda.com:1807"}

    <-------------------------------End Of Action------------------------------------->

    Can you please let us know why this error is occurring? We have checked that the root certificate is present at the client end as well.

    Thanks,

    Debarpan



    ------------------------------
    Debarpan Mukhopadhyay
    ------------------------------
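
The cipher mismatch from this thread, as an added example that is not code from the posters, IBM MQ or mqttws31.js: the browser `WebSocket` constructor used in the snippet takes only a URL and subprotocols, so the suites offered come from the client's TLS stack and the match has to be made on the channel's SSLCIPH. It assumes the channel accepts only the one suite named in SSLCIPH; the client offer list is constructed for illustration, and the function names are hypothetical.

```javascript
// Added example: not code from the thread, IBM MQ or mqttws31.js.
// IBM's Java suite names use an SSL_ prefix where IANA names use TLS_.
function toIana(name) {
  return name.trim().toUpperCase().replace(/^SSL_/, "TLS_");
}

// Split a TLS 1.2 style suite name into its parts and flag weak properties.
function describeSuite(name) {
  const iana = toIana(name);
  const m = /^TLS_(.+)_WITH_(.+)_(SHA\d*|MD5)$/.exec(iana);
  if (!m) throw new Error("not a TLS 1.2 style suite name: " + name);
  const [, keyExchange, cipher, hash] = m;
  const findings = [];
  if (!/^(ECDHE|DHE)_/.test(keyExchange)) {
    findings.push("static " + keyExchange + " key exchange: no forward secrecy");
  }
  if (!/(GCM|CCM(_8)?|CHACHA20_POLY1305)$/.test(cipher)) {
    findings.push(cipher + " is not an AEAD cipher");
  }
  return { iana, keyExchange, cipher, hash, findings };
}

// Assumption: the channel accepts only the single suite named in SSLCIPH,
// so the handshake succeeds only if the client offered that exact suite.
function negotiate(channelSslciph, clientOffer) {
  const wanted = toIana(channelSslciph);
  return clientOffer.map(toIana).includes(wanted)
    ? { ok: true, suite: wanted }
    : { ok: false, error: "no cipher suites in common" };
}

// Constructed offer list for illustration; not a capture of any real client.
const CONSTRUCTED_CLIENT_OFFER = [
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_RSA_WITH_AES_128_CBC_SHA",
];

// The two SSLCIPH values shown in the thread, before and after the change.
for (const sslciph of [
  "SSL_RSA_WITH_AES_128_CBC_SHA256",
  "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]) {
  console.log(sslciph, negotiate(sslciph, CONSTRUCTED_CLIENT_OFFER), describeSuite(sslciph).findings);
}
```
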



  • 4.  RE: MQTT Connection issue over TLS

    Posted Tue December 12, 2023 01:30 AM

    Did you bounce the MQTT service / qmgr after changing the SSL config of the channel? Or at least stop and restart the MQTT channel?



    ------------------------------
    Francois Brandelik
    ------------------------------