Python Eclipse Paho Client - TLS Connection to MQTT Broker Exception: No ciphers available

Question

I am trying to create a connection to a TLS (TLSv1) secured MQTT Broker(Rabbitmq with MQTT Plugin enabled) with the python implementation of the eclipse paho client. The same works fine with the MQTTFX application which is based on the java implementation of paho. For this i am using self signed certificates.

    Java version uses: 
    CA-File: ca_certificate.crt 
    Client Certificate client_cert.crt  
    Client Key File: client_key.key 

    Python Version should use:  
    CA-File: ca_certificate.pem 
    Client Certificate: client_cert.pem  
    Client key file: client_key.key

I tried to establish a connection like this:

    import ssl
    
    import paho.mqtt.client as paho
    
    # Locations of CA Authority, client certificate and client key file
    ca_cert = "ca_certificate.pem"
    client_cert = "client_certificate.pem"
    client_key = "client_key.pem"
    
    # Create ssl context with TLSv1
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    context.load_verify_locations(ca_cert)
    context.load_cert_chain(client_cert, client_key)
    
    # Alternative to using ssl context but throws the exact same error
    # client.tls_set(ca_certs=ca_cert, certfile=client_cert, keyfile=client_key, tls_version=ssl.PROTOCOL_TLSv1)
    
    client = paho.Client()
    client.username_pw_set(username="USER", password="PASSWORD")
    client.tls_set_context(context)
    client.tls_insecure_set(False)
    client.connect_async(host="HOSTNAME", port="PORT")
    client.loop_forever()

Which results in the following error:

    ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:997)

Could it be that I need to explicitly pass a cipher that the broker supports or could it be due of an older openssl version? I am a little bit lost right now, maybe someone has a clue on how to solve this.

Edit: I got it to work by myself but still not sure why exactly it works now.

1. Changed context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
   to context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2. Changed client.tls_insecure_set(False)
   to client.tls_insecure_set(True)

Answer 1

PROTOCOL_TLSv1 forces the client to only use TLS v1.0 which is old and unless you have explicitly forced your broker to only use the same version unlikely to match.

Using PROTOCOL_TLS_CLIENT will allow Python to negotiate across the full range of TLS v1.0 to TLS v1.3 until it finds one that both the client and the broker support.

Why you are having to set client.tls_insecure_set(True) is hard to answer without knowing more about the certificates you are using with the broker. Does it container a CA/SAN entry that matches the HOSTNAME you are using to connect? The documentation says it will explicitly enforce the hostname check.

ssl.PROTOCOL_TLS_CLIENT

Auto-negotiate the highest protocol version that both the client and server support, and configure the context client-side connections. The protocol enables CERT_REQUIRED and check_hostname by default.