TLS handshake fails without PSK extension
Expected behaviour
A client successfully connects to a TLS-enabled listener using TLS 1.3.
Observed behaviour
The connection attempt is rejected by the broker with the following ERROR:
SSL Handshake failed for client with IP 127.0.0.1: pre_shared_key key extension is offered without a psk_key_exchange_modes extension
Reason
This is a known issue in some OpenJDK versions and has been fixed in OpenJDK 11.0.2.
Because HiveMQ defaults to TLS 1.3 starting with HiveMQ 4.5.0, some clients that previously
connected using TLS 1.2 may start seeing this error.
Solution / Workaround
This behaviour can be mitigated by upgrading to OpenJDK 11.0.2 or higher. Alternatively,
if Java cannot be upgraded, it is possible to specify TLS version 1.2 in HiveMQ’s configuration.
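A TLS listener restricted to TLS 1.2 in HiveMQ's config.xml, as an added example that is not part of the original article. The port, bind address, keystore path and passwords are placeholder assumptions; the `<protocols>` element is what limits the listener to the listed version.

```xml
<!-- Added example: listener section of conf/config.xml; all values below are placeholders -->
<listeners>
    <tls-tcp-listener>
        <port>8883</port>
        <bind-address>0.0.0.0</bind-address>
        <tls>
            <!-- Only the listed versions are offered; TLS 1.3 is no longer
                 negotiated, so the PSK extension check is never reached -->
            <protocols>
                <protocol>TLSv1.2</protocol>
            </protocols>
            <keystore>
                <path>/path/to/keystore.jks</path>
                <password>KEYSTORE_PASSWORD_PLACEHOLDER</password>
                <private-key-password>KEY_PASSWORD_PLACEHOLDER</private-key-password>
            </keystore>
        </tls>
    </tls-tcp-listener>
</listeners>
```

Once the Java runtime is on OpenJDK 11.0.2 or higher, removing the `<protocols>` element returns the listener to the default, which is TLS 1.3 from HiveMQ 4.5.0 onwards.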
Affected Version
OpenJDK < 11.0.2