1 Topic by Neil.Kurzman (edited by Neil.Kurzman 2025-12-31 00:04:50)

  • Registered: 2025-08-04
  • Posts: 11

Topic: Azure Limiting Cypyers

I am getting an MQTT Error 5
This is related to it rejecting Cyphers
The List Below is the Acceptable list as of August 31, 2025
Oddly I can connect to one Hub But Not a Second.
Does Wolf SSL V 3.9.0 handle anything in the Below List?
I am using Microchip Harmony V1.11 so I am limited to V3.9.0
Does SLL Choose the Cypher or do I need to set it.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 388

Re: Azure Limiting Cypyers

Hello Neil,

Yes those ciphers are supported wolfSSL v3.9.0. Do you have a packet capture and / or wolfSSL debug log of the succeeding and failing connections?

The server ultimately chooses the cipher suite based on the list sent during the client hello message of the TLS handshake.

Please feel free to open a support ticket by emailing support@wolfssl.com to get more detailed help.

Kind regards,
Eric - wolfSSL Support

embhorn's Website

Share

  • Registered: 2025-08-04
  • Posts: 11

Re: Azure Limiting Cypyers

I am trying to use the log to debug it will required some work in my embedded system.
There does not appear to be any function to get the list, or to get the current cypher.  Is the correct?

I found to enable the Cypher i needed to enable options in the Harmony Cyphers are we as The Wolf SSL Cyphers.

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 388

Re: Azure Limiting Cypyers

You can set the cipher list like this:

#define CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305"

    /* Set cipher list */
    if ((ret = wolfSSL_CTX_set_cipher_list(ctx, CIPHER_LIST))
            != WOLFSSL_SUCCESS) {
        fprintf(stderr, "ERROR: failed to set cipher list\n");
        goto exit;
    }

You can print the available ciphers like this:

static void ShowCiphers(void)
{
    static char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));
    if (ret == WOLFSSL_SUCCESS) {
        printf("%s\n", ciphers);
    }
}

embhorn's Website

Share

  • Registered: 2025-08-04
  • Posts: 11

Re: Azure Limiting Cypyers

Azure is Selecting:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Azure Requires:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

what Option would I need to select this in Harmony?
I see that some Items are in the Wolf SSL section, but other are in the Harmony Ciphers Section.

The Cipher List is:
DES-CBC3-SHA:
AES128-SHA:
AES256-SHA:
DHE-RSA-AES128-SHA:
DHE-RSA-AES256-SHA:
DHE-PSK-AES128-GCM-SHA256:
DHE-PSK-AES128-CBC-SHA256:
DHE-PSK-AES128-CCM:
DHE-PSK-AES256-CCM:
HC128-SHA:
AES128-CCM-8:
AES256-CCM-8:
AES128-SHA256:
AES256-SHA256:
DHE-RSA-AES128-SHA256:
DHE-RSA-AES256-SHA256:
AES128-GCM-SHA256:
DHE-RSA-AES128-GCM-SHA256

That You for the link to the Function

I found wolfSSL_get_cipher() for the Current Cipher

Share

6 Reply by Neil.Kurzman (edited by Neil.Kurzman Yesterday 01:49:06)

  • Registered: 2025-08-04
  • Posts: 11

Re: Azure Limiting Cypyers

Enabling ECC enables ECDH

I still have an Issue, But I am not sure where it is at this time

Share

7 Reply by Neil.Kurzman (edited by Neil.Kurzman Today 01:19:28)

  • Registered: 2025-08-04
  • Posts: 11

Re: Azure Limiting Cypyers

Does any one know the settings to enable TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

is this enough for V3.9.0?

#define HAVE_AESGCM
#define HAVE_ECC
   
#define HAVE_SUPPORTED_CURVES
#define HAVE_TLS_EXTENSIONS /* Enable the NIST Curve */
#define HAVE_ECC256                /* Enable the NIST Curve */
#define HAVE_CURVE25519         /* Enable the Modern Curve */

It shows up in clientHello, but
Azure is still choosing 0x009c

I do not have a Linux Machine.
is there a way to determine why it is not choosing the correct cipher?

Share