Bulletproof TLS & SSL Mosquitto
How To Set Up Mosquitto Broker/Client Keys & Certificates— MQTT — Episode #05
This article explains how to configure the Mosquitto broker to communicate with an MQTT client over TLS/SSL (Transport Layer Security / Secure Sockets Layer).
TLS is the successor of SSL; the two names are often written together as TLS/SSL, but only TLS versions should be enabled on a broker today.
To use TLS between the broker and the client, a set of keys and certificates has to be generated and deployed, together with configuration settings in the broker's conf file, and each client has to be pointed at the CA certificate it should trust.
Here is the (relatively expensive) handshake negotiated between the broker and a client before the two can exchange confidential information:

Let’s get started!
First, go to the slproweb.com OpenSSL page:
https://slproweb.com/products/Win32OpenSSL.html
and install this package:
Win64 OpenSSL v1.1.1i Light
The Light build (3 MB installer) is enough for what we need so far.
Here is my setup (Windows 10 Home Single Language, v.20H):
- Key and certificate generation: Win64 OpenSSL v1.1.1i Light;
- Mosquitto version 1.6.8;
- MQTT protocol v3.1.1.
Fine! Now let’s get to the real work:
Open a Command Prompt (run as administrator).
Change into the bin directory of the OpenSSL-Win64 folder created by the installation above and list it:
cd C:\Program Files\OpenSSL-Win64
cd bin
dir
The keys and certificates below are written to the current directory, so you may prefer to create a dedicated working folder rather than leaving private keys in the OpenSSL bin directory.
Type cls to clear the screen, and #WeAreReadyToGo!
For our PKI, run these commands in exactly this sequence:
01 # STEP — generating ca.key (the -des3 option encrypts the key with a passphrase you will be prompted for; this key is the root of trust for every client, so keep it offline):
openssl genrsa -des3 -out ca.key 2048
02 # STEP — generating ca.crt (you will be prompted for the CA's subject fields; give the CA a Common Name that differs from the one you will give the server, otherwise OpenSSL treats the server certificate as self-signed and clients reject it):
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
03 # STEP — generating server.key:
openssl genrsa -out server.key 2048
04 # STEP — generating the server CSR (the Common Name must be the host name clients will connect to, laptop-jaythree in the tests below; a client that connects to a name not matching the certificate fails verification):
openssl req -new -out server.csr -key server.key
05 # STEP — generating server.crt, signed by our CA (-CAcreateserial creates the ca.srl serial-number file):
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
06 # STEP — end up with these files:
ca.key
ca.crt
server.key
server.crt
ca.srl
server.csr
07 # STEP — Return to your Mosquitto installation directory, create a certs directory and copy the files the broker needs into it: ca.crt, server.crt and server.key. The broker does not need ca.key or server.csr; keep the CA key out of the broker's directory and somewhere safe, because anyone holding it can mint certificates that your clients will trust:
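Here is an added, scripted version of Steps 01 to 05 (it is not from the original post and is not part of Mosquitto or OpenSSL): a bash function that runs the same openssl commands non-interactively, with the two details the interactive prompts hide: a CA subject that differs from the server subject, and the broker host name in both the CN and a subjectAltName. It assumes an openssl binary (1.1.1 or 3.x) on the PATH and a bash shell (Linux, macOS, WSL or Git Bash on Windows), reads the CA passphrase from an environment variable named CA_PASS (an assumed name) instead of the keyboard, uses -aes256 rather than the post's -des3 for the CA key, and takes the output directory and host name as arguments. The check_pki function verifies the three things that most often go wrong with this procedure.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Steps 01-05 as a non-interactive
# script. Assumes `openssl` (1.1.1 or 3.x) on the PATH and bash. The CA
# passphrase comes from $CA_PASS (an assumed variable name) so that it never
# appears on a command line or in shell history.
set -euo pipefail

# gen_pki OUTDIR HOSTNAME
# Writes ca.key ca.crt ca.srl server.key server.csr server.crt into OUTDIR.
gen_pki() {
    local out="$1" host="$2"
    mkdir -p "$out"

    # STEP 01/02: encrypted CA key and self-signed CA certificate.
    # The CA's subject must differ from the server's, otherwise OpenSSL treats
    # the server certificate as self-signed and clients reject it.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$out/ca.key" 2048
    openssl req -new -x509 -days 1826 -key "$out/ca.key" -passin env:CA_PASS \
        -subj "/O=Mosquitto Lab/CN=Mosquitto Lab Root CA" -out "$out/ca.crt"

    # STEP 03/04: server key and CSR. CN = the name clients pass to -h.
    openssl genrsa -out "$out/server.key" 2048
    openssl req -new -key "$out/server.key" -subj "/CN=$host" -out "$out/server.csr"

    # STEP 05: sign the CSR with the CA. The post relies on the CN alone; a
    # subjectAltName is what current TLS clients actually match against.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$out/server.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -passin env:CA_PASS -CAcreateserial -days 360 \
        -extfile "$out/server.ext" -out "$out/server.crt"

    # Private keys are secrets: owner-readable only.
    chmod 600 "$out/ca.key" "$out/server.key"
}

# check_pki OUTDIR HOSTNAME
# Returns 0 only if server.crt chains to ca.crt, names HOSTNAME in its SAN,
# and has a subject distinct from the CA's (the three classic failure causes).
check_pki() {
    local out="$1" host="$2"
    openssl verify -CAfile "$out/ca.crt" "$out/server.crt" >/dev/null &&
    openssl x509 -in "$out/server.crt" -noout -text | grep "DNS:$host" >/dev/null &&
    [ "$(openssl x509 -in "$out/ca.crt" -noout -subject)" != \
      "$(openssl x509 -in "$out/server.crt" -noout -subject)" ]
}

# Usage: CA_PASS='...' ./gen-mosquitto-pki.sh ./certs laptop-jaythree
if [ "${1:-}" ]; then
    : "${CA_PASS:?set CA_PASS in the environment}"
    gen_pki "$1" "${2:?hostname required}"
    check_pki "$1" "$2" &&
        echo "PKI OK: copy ca.crt, server.crt and server.key to the broker's certs directory"
fi
```

Only ca.crt, server.crt and server.key go to the broker; ca.crt is also what clients pass to --cafile. If check_pki fails after you generated the files interactively as in the post, the usual culprits are an identical CA and server Common Name, or a server CN that is not the name clients connect to.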

08 # STEP — open the mosquitto.conf file (attention: this is the main step):
Ctrl + F to find the tls_version string; locate the #tls_version entry (line 310), uncomment it and type:
tls_version tlsv1.2
Now enable the default (plain) listener: Ctrl + F to find the port 1883 string, locate the #port 1883 entry (line 211), uncomment it and type:
port 1883
Now for the secure port: Ctrl + F to find the Extra listeners string, locate the #listener entry (line 374), uncomment it and type:
listener 8883
Now Ctrl + F to find the Certificate based SSL/TLS support string and locate the #cafile, #certfile and #keyfile entries (lines 450/457); uncomment them and type:
cafile C:\Program Files\mosquitto\certs\ca.crt
certfile C:\Program Files\mosquitto\certs\server.crt
keyfile C:\Program Files\mosquitto\certs\server.key
Mosquitto applies per-listener options such as tls_version, cafile, certfile and keyfile to the most recently declared listener (or to the default listener if no listener line has appeared yet). Make sure the three certificate lines sit below listener 8883, and if the tls_version entry you uncommented is above the listener 8883 line, repeat it below that line as well; otherwise the version restriction applies to the default listener, not to 8883.
Save the mosquitto.conf file and touché \o/
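For reference, here is the resulting listener configuration as one block. This is an added example, not the post's own file: it keeps the post's paths and values, orders the per-listener options below the listener they belong to, and adds one line the post does not have, a bind_address that restricts the plain listener to the loopback interface (an assumed choice for a lab machine; drop it if other hosts on a trusted network must use 1883).

```conf
# Default (plain) listener: local clients only. Username and password travel
# in cleartext on this port, so bind it to the loopback interface (added line).
port 1883
bind_address 127.0.0.1

# TLS listener for remote clients. Options after a `listener` line apply to
# that listener, so tls_version and the certificate paths go here.
listener 8883
tls_version tlsv1.2
cafile C:\Program Files\mosquitto\certs\ca.crt
certfile C:\Program Files\mosquitto\certs\server.crt
keyfile C:\Program Files\mosquitto\certs\server.key
```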
09 # STEP — Let's test!
Open three terminals (one as Administrator); on Terminal #1, start the broker:
mosquitto -c mosquitto.conf -v
Open another terminal; on Terminal #2, subscribe over TLS (the host name given to -h must match the Common Name of server.crt, and --cafile tells the client which CA to trust):
mosquitto_sub -h laptop-jaythree -p 8883 -u user1 -P 321 --cafile ca.crt -t temperature
And finally, open the last terminal; on Terminal #3, publish:
mosquitto_pub -h laptop-jaythree -p 8883 -u user1 -P 321 --cafile ca.crt -t temperature -m 45
Everything must be working on port 8883! If a client reports a certificate error instead, read the broker's -v output and re-check the server CN and the CA/server subject distinction from Steps 02 and 04; do not paper over it with the clients' --insecure option, which disables the host name check that makes TLS worth having. The openssl s_client tool pointed at port 8883 with the same CA file is a handy way to inspect the handshake independently of the MQTT clients.

Now, let's see if the unsecured port is open too:
10 # STEP — Transmitting without TLS:
On Terminal #2, press Ctrl+C to stop the subscription and enter:
mosquitto_sub -h localhost -p 1883 -u user1 -P 321 -t temperature
On Terminal #3, type:
mosquitto_pub -h localhost -p 1883 -u user1 -P 321 -t temperature -m 48
Everything must be working on port 1883!

The broker listens on both ports, 1883 and 8883. Fantastic!
Security is a legitimate concern, but bear in mind that TLS has a cost: the handshake shown above adds latency to every new connection, and encryption consumes CPU and memory (compare the Wireshark pcap files in our resources). So, internally we can exchange messages in the clear, and when messages travel to remote brokers we use TLS as described. Remember, though, that on port 1883 the username and password (user1/321 above) cross the network in plaintext, and so does every message, so if you keep the plain listener, restrict it with bind_address to the loopback interface or to a trusted network interface rather than exposing it everywhere.
In our next episode, we will use bridges between brokers.
That’s it for now!
SUMMARY (command sequences):
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
Files produced: ca.key, ca.crt, ca.srl, server.key, server.csr, server.crt (only ca.crt, server.crt and server.key go to the broker's certs directory)
mosquitto.conf:
port 1883
listener 8883
tls_version tlsv1.2
cafile …\ca.crt
certfile …\server.crt
keyfile …\server.key
Test:
mosquitto -c mosquitto.conf -v
mosquitto_sub -h laptop-jaythree -p 8883 -u user1 -P 321 --cafile ca.crt -t temperature
mosquitto_pub -h laptop-jaythree -p 8883 -u user1 -P 321 --cafile ca.crt -t temperature -m 45
mosquitto_sub -h localhost -p 1883 -u user1 -P 321 -t temperature
mosquitto_pub -h localhost -p 1883 -u user1 -P 321 -t temperature -m 48
Download All The Files For This Project
Related Posts
01# Episode — Mosquitto — Intro To MQTT — It is Suitable for the Internet of Things Applications — MQTT
02# Episode — Mosquitto — User Access Configurations Setups — Editing mosquitto.conf File to Configure SSL Authentications — MQTT
03# Episode — Mosquitto— ACLs — Wildcards & ACL — access control lists — MQTT
04# Episode — Mosquitto — MQTT QoS — How To Set QoS at Mosquitto Broker — MQTT
05# Episode — Mosquitto — Bulletproof TLS & SSL Mosquitto — How To Set Up Mosquitto Broker/Client Keys & Certificates— MQTT (this one)
06# Episode — Mosquitto — Mosquitto Bridge — How To Bridge Two Mosquitto Brokers — MQTT
07# Episode — stay tuned for the upcoming post about MQTT and IoT o/
Credits & References
Microgênios — Embedded Systems Training — Microchip Regional Partner — Microchip Certified Brazilian Training Education Company & a Simplício-Owned enterprise o/
How to avoid the expensive handshake process? trust store: http://www.freekb.net/Article?id=1797
What is the smallest possible http and https data request by StackOverflow
Public key infrastructure by Wikipedia
https://www.windows-commandline.com/control-panel-run-command/ by commandline.com
The New Illustrated TLS Connection — Every byte explained and reproduced: https://tls13.ulfheim.net/
Epoch & Unix Timestamp Conversions Tool by https://www.epochconverter.com/
This was a triumph. I’m making a note here: HUGE SUCCESS. It’s hard to overstate my satisfaction. (‘Still Alive’ by Jonathan Coulton: http://www.jonathancoulton.com) —song link
