Supported cipher Suites x.509 certificates Cumulocity IoT

Hi IoT-Community,

is it documented somewhere which cipher suites are supported when using x.509 certificates for device authentication?
It seems that ECDSA is not supported and falls back to RSA.

All examples in the documentation refer to using RSA.
Any documentation about supported cipher suites would be helpful.

Regards
Stefan

1 Like

Hi Stefan,

as far as I know, it is configurable which cipher suites and TLS version are the minimum required. But I don’t know where or what the default values are.

Best regards,
Alex

1 Like

Hi Alex,

thanks, are you referring to an instance-wide configuration? If so, it would be good to know how the public instances, especially *.cumulocity, *.eu-latest.cumulocity.com, are configured.

Regards
Stefan

1 Like

If you have a specific cipher suite in mind, I think you can use openssl to check.

Anyway, there are a lot of different possibilities:

1 Like

But actually I am not sure if the HTTPS SSL/TLS configuration is the same as the SSL/TLS configuration for MQTT… I suppose you mean device authentication via MQTT using x.509 certificates, right?

1 Like

Hi Stefan,

you can use nmap --script ssl-enum-ciphers -p 8883 mqtt.cumulocity.com to list all available ciphers for a specific host/port.

For cumulocity.com it would look like this:

nmap --script ssl-enum-ciphers -p 8883 mqtt.cumulocity.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 15:55 CEST
Nmap scan report for mqtt.cumulocity.com (52.29.96.126)
Host is up (0.023s latency).
Other addresses for mqtt.cumulocity.com (not scanned): 52.28.214.198 3.120.45.227
rDNS record for 52.29.96.126: ec2-52-29-96-126.eu-central-1.compute.amazonaws.com

PORT     STATE SERVICE
8883/tcp open  secure-mqtt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds

The supported ciphers have been listed here: Important announcements - Cumulocity IoT Guides, although these have been adjusted afterwards to also allow some weaker ciphers again: Important announcements - Cumulocity IoT Guides

Regards,
Tristan

1 Like
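To read a scan like the one above against the original question, the following added example (not part of any post in this thread, and not Cumulocity code) parses `ssl-enum-ciphers` output, splits each TLS 1.2 suite name into key exchange and authentication, and reports whether any ECDSA suite is offered. The sample is a subset of the lines quoted above; the function names and the finding labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ssl-enum-ciphers lines quoted in the post above.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
"""

LINE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]+)\) - ([A-F])\s*$")

def parse(text):
    """Yield one dict per suite line: key exchange, server auth, findings."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # headers, warnings and compressor lines are skipped
        name, params, grade = m.groups()
        kx_auth, _, cipher = name[4:].partition("_WITH_")
        parts = kx_auth.split("_")
        # AUTH is the server certificate key type; TLS_RSA_WITH_* uses RSA for both.
        kx, auth = (parts[0], parts[1]) if len(parts) == 2 else (parts[0], parts[0])
        notes = []
        if kx == "RSA":
            notes.append("no forward secrecy")
        dh = re.fullmatch(r"dh (\d+)", params)
        if dh and int(dh.group(1)) < 2048:
            notes.append("weak DH group")
        if "_CBC_" in cipher:
            notes.append("CBC mode")
        yield {"suite": name, "kx": kx, "auth": auth, "grade": grade, "notes": notes}

def summarize(text):
    suites = list(parse(text))
    return {
        "auth": Counter(s["auth"] for s in suites),
        "ecdsa_offered": any(s["auth"] == "ECDSA" for s in suites),
        "clean": [s["suite"] for s in suites if not s["notes"]],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it the full scan output gives the same picture: every suite authenticates with RSA, and only the ECDHE suites with GCM or ChaCha20-Poly1305 come back without a finding.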

Thanks Tristan & Alex,

follow-up question: A customer is asking why we don’t support ciphers with ECDSA keys but only RSA. Is there any reason for that, or are there any plans to introduce them into our public instances at some time?

Regards
Stefan

Hi Stefan,

There is an Aha request open for this functionality: C8YKERNEL-472 Configure load balancer to support ECDSA ciphers

Best Regards,
Kent

2 Likes