1 (edited by Neil.Kurzman 2025-12-31 00:04:50)

Topic: Azure Limiting Ciphers

I am getting an MQTT Error 5.
This is related to it rejecting ciphers.
The list below is the acceptable list as of August 31, 2025.
Oddly, I can connect to one hub but not a second.
Does Wolf SSL V 3.9.0 handle anything in the list below?
I am using Microchip Harmony V1.11, so I am limited to V3.9.0.
Does SSL choose the cipher, or do I need to set it?

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384


Re: Azure Limiting Ciphers

Hello Neil,

Yes, those ciphers are supported in wolfSSL v3.9.0. Do you have a packet capture and/or wolfSSL debug log of the succeeding and failing connections?

The server ultimately chooses the cipher suite based on the list sent during the client hello message of the TLS handshake.

Please feel free to open a support ticket by emailing support@wolfssl.com to get more detailed help.

Kind regards,
Eric - wolfSSL Support

Re: Azure Limiting Ciphers

I am trying to use the log to debug; it will require some work in my embedded system.
There does not appear to be any function to get the list, or to get the current cipher. Is that correct?

I found that to enable the cipher I needed to enable options in the Harmony ciphers as well as the Wolf SSL ciphers.


Re: Azure Limiting Ciphers

You can set the cipher list like this:

#define CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305"

    /* Set cipher list */
    if ((ret = wolfSSL_CTX_set_cipher_list(ctx, CIPHER_LIST))
            != WOLFSSL_SUCCESS) {
        fprintf(stderr, "ERROR: failed to set cipher list\n");
        goto exit;
    }

You can print the available ciphers like this:

static void ShowCiphers(void)
{
    static char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));
    if (ret == WOLFSSL_SUCCESS) {
        printf("%s\n", ciphers);
    }
}

Re: Azure Limiting Ciphers

Azure is Selecting:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Azure Requires:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

What option would I need to select this in Harmony?
I see that some items are in the Wolf SSL section, but others are in the Harmony Ciphers section.

The Cipher List is:
DES-CBC3-SHA:
AES128-SHA:
AES256-SHA:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA:
DHE-PSK-AES128-GCM-SHA256:
DHE-PSK-AES128-CBC-SHA256:
DHE-PSK-AES128-CCM:
DHE-PSK-AES256-CCM:
HC128-SHA:
AES128-CCM-8:
AES256-CCM-8:
AES128-SHA256:
AES256-SHA256:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256:
AES128-GCM-SHA256:
DHE-RSA-AES128-GCM-SHA256

Thank you for the link to the function.

I found wolfSSL_get_cipher() for the current cipher.

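Added example, not posted by anyone in the thread and not wolfSSL code: it checks the client cipher list from the post above against the suites listed under "Azure Requires", matching whole tokens only. The IANA-to-list-name conversion rule and all function names are assumptions made for this sketch; the rule is only meant for the (EC)DHE AES suites named in the thread.

```c
#include <stdio.h>
#include <string.h>

static const char *const AZURE_REQUIRED[4] = {   /* "Azure Requires" list from the thread */
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"};
static const char CLIENT_LIST[] =                /* client cipher list as posted there */
    "DES-CBC3-SHA:AES128-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CCM:"
    "DHE-PSK-AES256-CCM:HC128-SHA:AES128-CCM-8:AES256-CCM-8:AES128-SHA256:AES256-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";

/* IANA name -> list name. Assumed rule, checked only for the (EC)DHE AES suites here. */
static int iana_to_wolf(const char *iana, char *out, size_t cap)
{
    const char *with = strstr(iana, "_WITH_");
    size_t n = 0;
    if (strncmp(iana, "TLS_", 4) != 0 || with == NULL || with <= iana + 4) return -1;
    for (const char *p = iana + 4; *p != '\0'; p++) {
        if (p == with) p += 5;                    /* "_WITH_" becomes a single '-' */
        if (strncmp(p, "_CBC_", 5) == 0) p += 4;  /* CBC is implicit in the list name */
        if (n + 1 >= cap) return -1;
        if (*p != '_') out[n++] = *p;
        else if (p < with || p[1] < '0' || p[1] > '9') out[n++] = '-';  /* AES_128 -> AES128 */
    }
    out[n] = '\0';
    return 0;
}

/* Exact token match: "AES128-GCM-SHA256" must not match inside a longer suite name. */
static int offered(const char *list, const char *name)
{
    size_t len = strlen(name), tok;
    for (const char *p = list; *p != '\0'; p += tok + (p[tok] == ':')) {
        tok = strcspn(p, ":");
        if (tok == len && memcmp(p, name, len) == 0) return 1;
    }
    return 0;
}

/* How many of the required suites the client list can offer. */
static int count_usable(const char *list, const char *const *req, size_t n)
{
    char name[64];
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += iana_to_wolf(req[i], name, sizeof name) == 0 && offered(list, name);
    return hits;
}
int main(void) { printf("%d of 4 usable\n", count_usable(CLIENT_LIST, AZURE_REQUIRED, 4)); return 0; }
```

For the list as posted the count is 0 of 4: no ECDHE suite appears in it, while DHE-RSA-AES128-GCM-SHA256 does.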

6 (edited by Neil.Kurzman Yesterday 23:24:53)

Re: Azure Limiting Ciphers

Enabling ECC enables ECDH.
I have an odd issue now.
The Client Hello has the ECC flag, i.e. 0xC09C,
but the Server Hello responds with 0x009C.

The connection is to Azure.
I assume it is working correctly.
Is there a configuration issue in the library?
A bug in my version?
