TLS handshake fails without PSK extension
Expected behaviour
A client successfully connects to a TLS-enabled listener using TLS 1.3.
Observed behaviour
The connection attempt is rejected by the broker with the following ERROR:
SSL Handshake failed for client with IP 127.0.0.1: pre_shared_key key extension is offered without a psk_key_exchange_modes extension
Reason
This is a known issue in some OpenJDK versions and has been fixed in OpenJDK 11.0.2.
Since HiveMQ defaults to TLS 1.3 starting with HiveMQ 4.5.0, some clients which previously
connected using TLS 1.2 may start seeing this error.
Solution / Workaround
This behaviour can be mitigated by upgrading to OpenJDK 11.0.2 or higher. Alternatively,
if Java cannot be upgraded, it is possible to specify TLS version 1.2 in HiveMQ's configuration.
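The TLS 1.2 workaround as a listener definition in HiveMQ's config.xml. This is an added example, not taken from the original article; the port, bind address, keystore path and passwords are placeholders to replace with your own values.

```xml
<?xml version="1.0"?>
<hivemq>
    <listeners>
        <tls-tcp-listener>
            <!-- Placeholder port and bind address -->
            <port>8883</port>
            <bind-address>0.0.0.0</bind-address>
            <tls>
                <keystore>
                    <!-- Placeholder keystore location and credentials -->
                    <path>/path/to/keystore.jks</path>
                    <password>KEYSTORE_PASSWORD</password>
                    <private-key-password>PRIVATE_KEY_PASSWORD</private-key-password>
                </keystore>
                <!-- Workaround: offer only TLS 1.2 on this listener, so no
                     TLS 1.3 handshake (and no pre_shared_key extension) is
                     negotiated. Remove this block after upgrading to
                     OpenJDK 11.0.2 or higher to return to the default. -->
                <protocols>
                    <protocol>TLSv1.2</protocol>
                </protocols>
            </tls>
        </tls-tcp-listener>
    </listeners>
</hivemq>
```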
Affected Version
OpenJDK < 11.0.2