Mosquitto install with SSL

http://lukse.lt/uzrasai/2015-02-internet-of-things-messaging-mqtt-1-installing-mosquitto-server/

Install some libraries and tools

apt-get update
apt-get install pkg-config cmake openssl libc-ares-dev libssl-dev python-mosquitto

Then install mosquitto from source (please double check that you are installing the latest version). Of course you can also install it on other operating systems and platforms (OS X, Windows, OpenWrt, various Linux distributions, Raspberry Pi) using the prepared setup files.

wget http://mosquitto.org/files/source/mosquitto-1.3.5.tar.gz
tar xzf mosquitto-1.3.5.tar.gz
cd mosquitto-1.3.5
cmake .
make install

Pretty easy. Mosquitto is installed and should be ready to serve. The interesting part comes next – if secure messaging using SSL or TLS is needed, you will need to generate certificates.

Edit configuration file

Make some adjustments to the configuration file. There are more settings to adjust, but I provide only a basic set.

mkdir /etc/mosquitto/conf.d/certs
nano /etc/mosquitto/conf.d/mosquitto.conf

Here is what my configuration looks like

allow_anonymous false
autosave_interval 1800
connection_messages true
log_dest stderr
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
log_type all
log_type debug
log_timestamp true
password_file /etc/mosquitto/conf.d/jp.pw
acl_file /etc/mosquitto/conf.d/jp.acl
persistence true
persistence_location /tmp/
persistence_file mosquitto.db
persistent_client_expiration 1m
retained_persistence true
listener 1883 127.0.0.1
listener 8883
tls_version tlsv1
cafile /etc/mosquitto/conf.d/certs2/ca.crt
certfile /etc/mosquitto/conf.d/certs2/server.crt
keyfile /etc/mosquitto/conf.d/certs2/server.key
require_certificate false
allow_anonymous false

SSL key generation

Go to the certificate directory prepared earlier and run a few commands. You will be asked to enter some data. There are a few tricky parts:

  • If your certificate will be used on a local machine without a valid hostname (i.e. only an IP address), you must use special settings in your client program to make it a bit less secure (don't check the hostname). The connection will still be encrypted.
  • Don't set -days xxxx too big – the certificate will be invalid and you might get strange errors.

cd /etc/mosquitto/conf.d/certs/
openssl req -new -x509 -days 1000 -extensions v3_ca -keyout ca.key -out ca.crt

    > Generating a 2048 bit RSA private key
    > .....................................................................................+++
    > ..+++
    > writing new private key to 'ca.key'
    > Enter PEM pass phrase:123
    > Verifying - Enter PEM pass phrase:123
    > -----
    > You are about to be asked to enter information that will be incorporated
    > into your certificate request.
    > What you are about to enter is what is called a Distinguished Name or a DN.
    > There are quite a few fields but you can leave some blank
    > For some fields there will be a default value,
    > If you enter '.', the field will be left blank.
    > -----
    > Country Name (2 letter code) [AU]:LT
    > State or Province Name (full name) [Some-State]:
    > Locality Name (eg, city) []:Vilnius
    > Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt
    > Organizational Unit Name (eg, section) []:
    > Common Name (e.g. server FQDN or YOUR name) []:lukse.lt
    > Email Address []:e@mail.com
openssl genrsa -des3 -out server.key 2048

    > Generating RSA private key, 2048 bit long modulus
    > ............................................................................................................+++
    > ..............+++
    > e is 65537 (0x10001)
    > Enter pass phrase for server.key:123
    > Verifying - Enter pass phrase for server.key:123
openssl genrsa -out server.key 2048

    > Generating RSA private key, 2048 bit long modulus
    > ....................................................................+++
    > ................................................+++
    > e is 65537 (0x10001)
openssl req -out server.csr -key server.key -new

    > You are about to be asked to enter information that will be incorporated
    > into your certificate request.
    > What you are about to enter is what is called a Distinguished Name or a DN.
    > There are quite a few fields but you can leave some blank
    > For some fields there will be a default value,
    > If you enter '.', the field will be left blank.
    > -----
    > Country Name (2 letter code) [AU]:LT
    > State or Province Name (full name) [Some-State]:
    > Locality Name (eg, city) []:Vilnius
    > Organization Name (eg, company) [Internet Widgits Pty Ltd]:lukse.lt
    > Organizational Unit Name (eg, section) []:
    > Common Name (e.g. server FQDN or YOUR name) []:lukse.lt
    > Email Address []:e@mail.com
    > 
    > Please enter the following 'extra' attributes
    > to be sent with your certificate request
    > A challenge password []:123
    > An optional company name []:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000

    > Signature ok
    > subject=/C=LT/ST=Some-State/L=Vilnius/O=lukse.lt/CN=lukse.lt/emailAddress=e@mail.com
    > Getting CA Private Key
    > Enter pass phrase for ca.key:123
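
The interactive sequence above, as an added example that is not part of the original post: a POSIX shell script that produces the same CA and broker certificate non-interactively and then runs the checks worth doing before the files are referenced from cafile, certfile and keyfile. It goes one step beyond the post by giving the broker certificate a subjectAltName with both a DNS name and an IP address, which is what lets a client connecting by IP keep hostname verification switched on instead of relaxing it as described in the first tricky part. The host name broker.example.test, the address 127.0.0.1 and the CA name are constructed placeholders; the script only needs the openssl command-line tool. Note also that the configuration above reads its certificates from /etc/mosquitto/conf.d/certs2/ while the commands write them into /etc/mosquitto/conf.d/certs/, so the paths must be brought into agreement before the broker is started.

```shell
#!/bin/sh
# Added example (not from the original post): the CA and broker certificate the post builds
# by hand, generated non-interactively, plus the checks worth running before pointing cafile /
# certfile / keyfile at the result. Requires the openssl command-line tool (1.0.2 or newer).
# "broker.example.test" and 127.0.0.1 below are constructed placeholder values.

# gen_certs DIR HOSTNAME IP DAYS : writes ca.key ca.crt server.key server.csr server.crt into DIR
gen_certs() {
  dir=$1; host=$2; ip=$3; days=$4
  mkdir -p "$dir"
  # Two extension profiles: a real CA (CA:TRUE, allowed to sign) and a TLS server leaf whose
  # subjectAltName carries both the DNS name and the IP, so a client connecting by IP address
  # can keep hostname verification on instead of disabling it as the post describes.
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  # 1. Self-signed CA. -nodes leaves ca.key unencrypted so the script needs no pass phrase;
  #    the post encrypts it interactively, which is the better choice for a CA key kept offline.
  openssl req -new -x509 -days "$days" -config "$dir/ext.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example MQTT CA" 2>/dev/null
  # 2. Broker key without a pass phrase (mosquitto must open it unattended) and the CSR.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/ext.cnf" -subj "/CN=$host" 2>/dev/null
  # 3. Sign the CSR with the CA, attaching the server profile (extensions are not copied
  #    from a CSR by default, so they are supplied here).
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_chain DIR HOSTNAME IP : the broker cert chains to ca.crt, matches both the DNS name and
# the IP a client might connect to, and the private key really belongs to it (a key/cert
# mismatch is a common reason the TLS listener fails to come up).
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/server.crt" >/dev/null 2>&1 &&
  [ "$(openssl x509 -noout -pubkey -in "$1/server.crt")" = "$(openssl pkey -pubout -in "$1/server.key")" ]
}

# expiry_year DIR : year of the broker cert's notAfter. The post warns against an oversized
# -days value; one common reason is that clients with a 32-bit time_t cannot represent dates
# past January 2038, so keeping notAfter below 2038 is a safe rule of thumb (assumption about
# the failure the post saw).
expiry_year() {
  openssl x509 -noout -enddate -in "$1/server.crt" | sed 's/.* \([0-9][0-9][0-9][0-9]\) GMT$/\1/'
}

CERT_DIR=$(mktemp -d)
gen_certs "$CERT_DIR" broker.example.test 127.0.0.1 1000
if verify_chain "$CERT_DIR" broker.example.test 127.0.0.1; then
  echo "chain, SAN and key match verified; server.crt expires in $(expiry_year "$CERT_DIR")"
else
  echo "verification failed" >&2
fi
```

The files land in a temporary directory; copy ca.crt, server.crt and server.key to the directory named in the configuration and restart the broker. With require_certificate false, as in the configuration above, only the broker is authenticated by this setup; clients still need ca.crt to validate it.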

This is it. We can run secured Mosquitto now. Just to test, I will run it in verbose mode.

service mosquitto stop
/usr/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf

If you see output like this, everything is good and you are ready to dig deeper.

root@397063:/home/mqtt/remote_shell# /usr/sbin/mosquitto -v -c /etc/mosquitto/mosquitto.conf
1424034500: mosquitto version 1.3.5 (build date 2014-10-18 00:28:57+0000) starting
1424034500: Config loaded from /etc/mosquitto/mosquitto.conf.
1424034500: Opening ipv4 listen socket on port 1883.
1424034500: Opening ipv4 listen socket on port 8883.
1424034500: Opening ipv6 listen socket on port 8883.

User management

Mosquitto has built-in features to manage users. It uses two config files: jp.pw – for managing passwords, and jp.acl – for access level configuration.

Passwords

To create a new user

mosquitto_passwd /etc/mosquitto/conf.d/jp.pw test
    > Password: secret
    > Reenter password: secret

To delete a user

mosquitto_passwd -D /etc/mosquitto/conf.d/jp.pw test

The password file looks like this

root@397063:/etc/mosquitto/conf.d# cat /etc/mosquitto/conf.d/jp.pw
test1:$6$GWjNhmdRHTBKTwx0gIAWwerH0epp4Wb6q4sam7AhUAwboIdDVUhI9NiV32sY9rzhS7DlrznhOkUF/2pb4GOg5O4dhcCB2tAwlb/hmoQ==
test2:$6$v61hb9FpQ53KS0jZ$m94VacLuKntD/Fhqi9Sw9gBWPMDVQo76ZnznIvm0C3G0XVNfysĖhNFEVlIWByJt9Bq41reBHrx4yYbxmu5aNjLXEVw==

Access level

The file jp.acl must be edited by hand; a sample file looks like this

root@397063:/etc/mosquitto/conf.d# cat jp.acl

# anonymous access
topic read $SYS/#
topic test/#

user test1
topic write zz/#
topic read zz/#
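
The ACL semantics used in the sample file, as an added example that is not part of the original post and not mosquitto's own code: a POSIX shell function (awk inside) that evaluates an ACL file offline so a rule set can be checked before the broker loads it. It models topic lines before any user line as anonymous-only rules, user sections, and the pattern keyword with %u substitution that mosquitto also supports; client-id (%c) substitution and the deny keyword of later versions are left out (assumption). The sample ACL written by the script is the jp.acl shown above, marked as constructed. Note that with allow_anonymous false, as in the configuration above, the anonymous section is never reached by a real client, so the $SYS/# and test/# rules there grant nothing to authenticated users.

```shell
#!/bin/sh
# Added example (not from the original post, not mosquitto's own code): an offline evaluator
# for the ACL file format used above. Rules before any "user" line apply to anonymous clients
# only; rules after "user NAME" apply to that user; "pattern" lines apply to every client with
# %u replaced by the username. Not modelled (assumption): %c substitution and the "deny" keyword.
# Usage: acl_allows ACL_FILE USERNAME ACCESS TOPIC   (USERNAME "" = anonymous; ACCESS read|write)
# Exit status 0 = permitted, 1 = not permitted.
acl_allows() {
  awk -v user="$2" -v access="$3" -v topic="$4" '
    # MQTT topic-filter match: "+" matches exactly one level, "#" matches the remainder.
    function matches(filter, t,    nf, nt, f, tt, i) {
      nf = split(filter, f, "/"); nt = split(t, tt, "/")
      for (i = 1; i <= nf; i++) {
        if (f[i] == "#") return 1            # "a/#" also matches "a" itself
        if (i > nt) return 0
        if (f[i] != "+" && f[i] != tt[i]) return 0
      }
      return nf == nt
    }
    # "topic|pattern [read|write|readwrite] <filter>": the access word defaults to readwrite
    function rule_hits(    acc, pat) {
      if (NF >= 3) { acc = $2; pat = $3 } else { acc = "readwrite"; pat = $2 }
      if (acc != "readwrite" && acc != access) return 0
      gsub(/%u/, user, pat)                  # only meaningful for "pattern" lines
      return matches(pat, topic)
    }
    /^[ \t]*(#|$)/  { next }                 # comments and blank lines
    $1 == "user"    { cur = $2; next }       # following rules belong to this user only
    $1 == "topic"   { if (((cur == "" && user == "") || (cur != "" && cur == user)) && rule_hits()) allowed = 1 }
    $1 == "pattern" { if (rule_hits()) allowed = 1 }
    END { exit allowed ? 0 : 1 }
  ' "$1"
}

# Constructed sample: the jp.acl shown in this post.
SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
# anonymous access
topic read $SYS/#
topic test/#

user test1
topic write zz/#
topic read zz/#
EOF

# report ACL_FILE USERNAME ACCESS TOPIC : print the verdict on one line
report() {
  if acl_allows "$@"; then echo "ALLOW user='$2' $3 $4"; else echo "DENY  user='$2' $3 $4"; fi
}
report "$SAMPLE_ACL" ""    read  '$SYS/broker/uptime'   # anonymous may read broker status
report "$SAMPLE_ACL" ""    write '$SYS/broker/uptime'   # ...but not publish to it
report "$SAMPLE_ACL" test1 write zz/sensor/1            # test1 owns zz/#
report "$SAMPLE_ACL" test1 read  test/anything          # anonymous rules do not carry over to users
report "$SAMPLE_ACL" test2 read  zz/sensor/1            # a user with no section gets nothing
```

Running it against the real jp.acl before a reload is a cheap way to catch a rule that is broader than intended (for instance a bare topic line, which grants readwrite) or a user who ends up with no access at all.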

Enable and start service

After installing the Mosquitto server, creating the SSL keys and configuring users, you are ready to start the MQTT server with these commands

service mosquitto enable
service mosquitto start