TLS handshake fails without PSK extension

Expected behaviour

A client successfully connects to a TLS-enabled listener using TLS 1.3.

Observed behaviour

The connection attempt is rejected by the broker with the following error:

SSL Handshake failed for client with IP 127.0.0.1: pre_shared_key key extension is offered without a psk_key_exchange_modes extension

Reason

This is a known issue in some OpenJDK versions and has been fixed in OpenJDK 11.0.2.
Because HiveMQ defaults to TLS 1.3 starting with HiveMQ 4.5.0, some clients that previously
connected using TLS 1.2 may start seeing this error.

Solution / Workaround

This behaviour can be mitigated by upgrading to OpenJDK 11.0.2 or higher. Alternatively,
if Java cannot be upgraded, it is possible to specify TLS version 1.2 in HiveMQ’s configuration.
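
A sketch of the TLS 1.2 workaround in HiveMQ's config.xml, added here as an illustration and not taken from the original article. The port, bind address, keystore path and passwords are placeholders to be replaced with the values of the existing listener.

```xml
<hivemq>
    <listeners>
        <tls-tcp-listener>
            <!-- Placeholder port and bind address: keep the values of the existing listener -->
            <port>8883</port>
            <bind-address>0.0.0.0</bind-address>
            <tls>
                <keystore>
                    <!-- Placeholder keystore location and credentials -->
                    <path>/path/to/keystore.jks</path>
                    <password>KEYSTORE_PASSWORD_PLACEHOLDER</password>
                    <private-key-password>KEY_PASSWORD_PLACEHOLDER</private-key-password>
                </keystore>
                <!-- Enable only TLS 1.2 on this listener, so no TLS 1.3
                     handshake (and no pre_shared_key extension) is negotiated -->
                <protocols>
                    <protocol>TLSv1.2</protocol>
                </protocols>
            </tls>
        </tls-tcp-listener>
    </listeners>
</hivemq>
```

The restriction applies to every client that connects to this listener, including clients that could otherwise use TLS 1.3.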

Affected Version

OpenJDK < 11.0.2