Secure Communication With TLS and the Mosquitto Broker



Mosquitto’s default protocol isn’t encrypted, which puts your MQTT-using apps at risk. Let’s nail it down with Transport Layer Security (TLS).


MQTT is a lightweight and broadly used Internet protocol (see MQTT with lwIP and NXP FRDM-K64F Board). And probably the majority of IoT applications today are using Mosquitto as a server (or ‘broker’ in MQTT language). By default, Mosquitto uses a protocol without encryption. In Introduction to Security and TLS (Transport Layer Security), I covered the basics and needs for encryption. This article is about how to enable Mosquitto and clients to use the TLS protocol.

TLS Handshaking with certificates and keys

This article walks through the basic principles and settings to configure Mosquitto brokers and MQTT clients with the TLS (Transport Layer Security) protocol. TLS is the successor of SSL (Secure Sockets Layer), and the two are often referred to together as TLS/SSL. To use TLS between the broker and the client, a set of keys and certificates has to be generated and deployed, along with configuration settings on the broker and the client.

In this article, I’m using the following set of software and tools:

See MQTT with lwip and NXP FRDM-K64F Board about how to install the above tools. On Windows, OpenSSL gets installed with the Mosquitto installer.

The steps are:

On the broker, I need the following things:

Run the following command as administrator:

Which gives:

The passphrase is used to protect the private key. The generated private key file m2mqtt_ca.key looks like this; an RSA private key file of this kind contains both the private and the public key:

Next, I’m creating a certificate for the CA using the key pair I created in step 1:

This generates the CA certificate (m2mqtt_ca.crt). I have to provide an additional passphrase for the PEM file (a container format for multiple items, see http://how2ssl.com/articles/working_with_pem_files/).

As a common name, I give the name of my host PC (which is acting as the CA for me). The generated certificate m2mqtt_ca.crt looks like this:

On Windows, I can use the Certificate viewer to inspect it:

Next, I’m creating a private key for the server (m2mqtt_srv.key) with:

The private key file looks like this:

That key needs to be certified, so we create a certificate signing request for it; the resulting certificate then has to be signed by the CA:

I’m using ‘ErichStyger-PC’ because this is the machine that will run the broker.

The last step is to sign the server request through the CA to get the broker certificate:

The output file looks like this:

This has created the following files:

Inside the Mosquitto installation, create a folder (e.g. ‘certs’ if it does not already exist) and copy the following files we have created in the previous steps:

The ca.crt belongs to the client (needs to be copied there).

Using a text editor, open and edit /mosquitto.conf:

Use port 8883 as default port:

Specify the certificate and key files:

    # -----------------------------------------------------------------
    # Certificate based SSL/TLS support
    # -----------------------------------------------------------------
    # The following options can be used to enable SSL/TLS support for
    # this listener. Note that the recommended port for MQTT over TLS
    # is 8883, but this must be set manually.
    #
    # See also the mosquitto-tls man page.

    # At least one of cafile or capath must be defined. They both
    # define methods of accessing the PEM encoded Certificate
    # Authority certificates that have signed your server certificate
    # and that you wish to trust.
    # cafile defines the path to a file containing the CA certificates.
    # capath defines a directory that will be searched for files
    # containing the CA certificates. For capath to work correctly, the
    # certificate files must have ".crt" as the file ending and you must run
    # "c_rehash " each time you add/remove a certificate.
    #capath
    cafile C:\Program Files (x86)\mosquitto\certs\m2mqtt_ca.crt

    # Path to the PEM encoded server certificate.
    certfile C:\Program Files (x86)\mosquitto\certs\m2mqtt_srv.crt

    # Path to the PEM encoded keyfile.
    keyfile C:\Program Files (x86)\mosquitto\certs\m2mqtt_srv.key

    # This option defines the version of the TLS protocol to use for this listener.
    # The default value allows v1.2, v1.1 and v1.0, if they are all supported by
    # the version of openssl that the broker was compiled against. For openssl >=
    # 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
    # valid values are tlsv1.
    tls_version tlsv1

I launch my local Mosquitto broker with the -c option pointing to the modified configuration file:

This launches the broker listening on the secure port 8883:

In the client (e.g. MQTT.fx), I have to load the certificate of the server:

With this, I can connect to the broker in a secure way:

Establishing a secure TLS connection to the Mosquitto broker requires key and certificate files.
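The key and certificate steps above (CA key, CA certificate, broker key, signing request, CA-signed broker certificate) and the listener configuration, collected into one script as an added example; it is not the article's own command sequence and not part of the Mosquitto project. It assumes the OpenSSL command-line tool is installed and runs non-interactively, so the passphrase is passed on the command line rather than typed in. The hostname broker.example.test, the passphrase demo-ca-pass, the output directory ./mqtt-tls-demo and the CA name demo-ca are constructed for this demo; the file names mirror the article's. Two details go beyond the article: a subjectAltName is added to the broker certificate because current TLS clients match the hostname against SAN rather than CN, and the configuration pins tls_version tlsv1.2 instead of tlsv1, since TLS 1.0 and 1.1 are deprecated (current Mosquitto releases also accept tlsv1.3).

```shell
#!/bin/sh
# Added example (not the article's or Mosquitto's own code): build a CA, a
# broker key/certificate signed by it, verify the chain, and write a
# Mosquitto TLS listener configuration. Requires the openssl CLI.
# Hostname, passphrase, directory and CA name are constructed for the demo.
set -eu

# Create the CA key and self-signed CA certificate, then the broker key, its
# signing request and the CA-signed broker certificate, all inside directory $1.
# $2 = broker hostname (what clients connect to), $3 = CA key passphrase.
make_mqtt_certs() {
    dir="$1"; host="${2:-broker.example.test}"; capass="${3:-demo-ca-pass}"
    mkdir -p "$dir"

    # Step 1: CA key pair, passphrase-protected as in the article.
    openssl genrsa -aes256 -passout "pass:$capass" -out "$dir/m2mqtt_ca.key" 2048 2>/dev/null

    # Step 2: self-signed CA certificate (the article uses the CA host's name as CN).
    openssl req -new -x509 -days 3650 -key "$dir/m2mqtt_ca.key" -passin "pass:$capass" \
        -subj "/CN=demo-ca" -out "$dir/m2mqtt_ca.crt" 2>/dev/null

    # Step 3: broker (server) private key. It is left unencrypted so the broker
    # can start unattended; file permissions protect it instead.
    openssl genrsa -out "$dir/m2mqtt_srv.key" 2048 2>/dev/null
    chmod 600 "$dir/m2mqtt_srv.key"

    # Step 4: certificate signing request. CN is the broker hostname; a
    # subjectAltName with the same name is prepared for the signing step,
    # because TLS clients match the hostname against SAN, not CN.
    openssl req -new -key "$dir/m2mqtt_srv.key" -subj "/CN=$host" \
        -out "$dir/m2mqtt_srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/m2mqtt_srv.ext"

    # Step 5: sign the request with the CA; -CAcreateserial writes m2mqtt_ca.srl.
    openssl x509 -req -in "$dir/m2mqtt_srv.csr" -CA "$dir/m2mqtt_ca.crt" \
        -CAkey "$dir/m2mqtt_ca.key" -passin "pass:$capass" -CAcreateserial \
        -days 365 -extfile "$dir/m2mqtt_srv.ext" -out "$dir/m2mqtt_srv.crt" 2>/dev/null
}

# Check the chain the way a client holding ca.crt does: the broker certificate
# must verify against the CA and must carry the hostname the client dials.
verify_mqtt_certs() {
    dir="$1"; host="${2:-broker.example.test}"
    openssl verify -CAfile "$dir/m2mqtt_ca.crt" "$dir/m2mqtt_srv.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/m2mqtt_srv.crt" -noout -text | grep -q "DNS:$host"
}

# Write a minimal Mosquitto listener configuration pointing at the files above.
# The article pins tls_version tlsv1; TLS 1.0/1.1 are deprecated, so this pins
# tlsv1.2 (current Mosquitto also accepts tlsv1.3).
write_mosquitto_conf() {
    dir="$1"
    cat > "$dir/mosquitto.conf" <<EOF
listener 8883
cafile $dir/m2mqtt_ca.crt
certfile $dir/m2mqtt_srv.crt
keyfile $dir/m2mqtt_srv.key
tls_version tlsv1.2
EOF
}

# Usage: sh mqtt_tls.sh demo   (writes everything into ./mqtt-tls-demo)
case "${1:-}" in
    demo)
        make_mqtt_certs ./mqtt-tls-demo broker.example.test demo-ca-pass
        verify_mqtt_certs ./mqtt-tls-demo broker.example.test
        echo "chain OK"
        write_mosquitto_conf ./mqtt-tls-demo
        ;;
esac
```

Run it as `sh mqtt_tls.sh demo`, start the broker with `mosquitto -c ./mqtt-tls-demo/mosquitto.conf`, and give the client only m2mqtt_ca.crt, as the article does. Before trusting a client setup, `openssl s_client -connect broker.example.test:8883 -CAfile ./mqtt-tls-demo/m2mqtt_ca.crt` shows whether the certificate the broker presents verifies against that CA file; a verify return code other than 0 means the client will refuse the connection for the same reason.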
Creating all these files with the correct settings is not the easiest thing, but it is rewarded with a secure way to communicate with the MQTT broker. In a future article, I plan to write about how to use TLS with lwIP and the mbedTLS library on the NXP FRDM-K64F board.
