Is it documented somewhere which cipher suites are supported when using X.509 certificates for device authentication?
It seems that ECDSA is not supported and falls back to RSA.
All examples in the documentation refer to using RSA.
Any documentation about supported cipher suites would be helpful.
As far as I know, it is configurable which cipher suites and TLS version are the minimum required. But I don't know where and what the default values are.
Thanks, are you referring to an instance-wide configuration? If so, it would be good to know how the public instances, especially *.cumulocity, *.eu-latest.cumulocity.com, are configured.
If you have a specific cipher suite in mind, I think you can use openssl to check.
Anyway, there are a lot of different possibilities:
But actually I am not sure if the HTTPS SSL/TLS configuration is the same as the SSL/TLS configuration for MQTT… I suppose you mean device authentication via MQTT using X.509 certificates, right?
You can use nmap --script ssl-enum-ciphers -p 8883 mqtt.cumulocity.com to list all available ciphers for a specific host/port.
For cumulocity.com it would look like this:
nmap --script ssl-enum-ciphers -p 8883 mqtt.cumulocity.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-22 15:55 CEST
Nmap scan report for mqtt.cumulocity.com (126.96.36.199)
Host is up (0.023s latency).
Other addresses for mqtt.cumulocity.com (not scanned): 188.8.131.52 184.108.40.206
rDNS record for 220.127.116.11: ec2-52-29-96-126.eu-central-1.compute.amazonaws.com
PORT STATE SERVICE
8883/tcp open secure-mqtt
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| cipher preference: client
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
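Added example, not part of the original thread: a small Python parser for ssl-enum-ciphers cipher lines like the ones above, which groups the offered suites by authentication algorithm and flags static-RSA key exchange and short DH groups. The sample input is constructed (three lines in the format of the scan above plus one made-up ECDSA line for contrast), and the 2048-bit DH threshold is an assumption. The authentication field of a TLS 1.2 suite name describes the server certificate's key type.

```python
import re
from collections import Counter

# Constructed sample in the line format ssl-enum-ciphers prints (TLS 1.2-style names).
# The ECDSA line is made up for contrast; it does not come from the scan above.
SAMPLE = """\
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| cipher preference: client
"""

CIPHER_LINE = re.compile(r"^\|[_\s]*(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

def parse_suites(nmap_output):
    """Return one dict per cipher line: name, key exchange, auth, kx parameter, grade."""
    suites = []
    for line in nmap_output.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if not m or "_WITH_" not in m.group(1):
            continue  # warnings, headers, "cipher preference" and similar lines
        name, param, grade = m.groups()
        parts = name.split("_WITH_")[0].split("_")[1:]   # e.g. ["ECDHE", "RSA"]
        kx = parts[0]
        auth = parts[1] if len(parts) > 1 else parts[0]  # TLS_RSA_*: RSA does both jobs
        suites.append({"name": name, "kx": kx, "auth": auth, "param": param, "grade": grade})
    return suites

def audit(nmap_output, min_dh_bits=2048):
    """Summarise auth algorithms and list suites without forward secrecy or with short DH."""
    suites = parse_suites(nmap_output)
    weak_dh = []
    for s in suites:
        m = re.fullmatch(r"dh (\d+)", s["param"])
        if m and int(m.group(1)) < min_dh_bits:   # threshold is an assumption
            weak_dh.append(s["name"])
    return {
        "auth": dict(Counter(s["auth"] for s in suites)),
        "ecdsa_offered": any(s["auth"] == "ECDSA" for s in suites),
        "no_forward_secrecy": [s["name"] for s in suites if s["kx"] not in ("DHE", "ECDHE")],
        "weak_dh": weak_dh,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the full scan output from the post above instead of the sample reports only RSA under "auth", which is the behaviour the thread is asking about.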
The supported ciphers have been listed here: Important announcements - Cumulocity IoT Guides, although these have been adjusted afterwards to also allow some weaker ciphers again: Important announcements - Cumulocity IoT Guides
Thanks Tristan & Alex,
Follow-up question: A customer is asking why we don't support ciphers with ECDSA keys but only RSA. Is there any reason for that, or are there any plans to introduce them into our public instances at some time?
There is an Aha request open for this functionality: C8YKERNEL-472 Configure load balancer to support ECDSA ciphers