本文介绍了MQTT协议及其工作流程,重点讲解了使用mosquitto实现SSL/TLS双向认证的过程,包括服务器和客户端的证书配置、启动与连接。mosquitto作为MQTT broker,通过配置SSL/TLS实现安全的数据传输。
本文部分参考:
https://baike.baidu.com/item/MQTT/3618851?fr=aladdin
https://baike.baidu.com/item/mosquitto
一: MQTT
1.1 MQTT 介绍
MQTT(Message Queuing Telemetry Transport,消息队列遥测传输)是IBM开发的一个即时通讯协议,有可能成为物联网的重要组成部分。该协议支持所有平台,几乎可以把所有联网物品和外部连接起来,被用来当做传感器和致动器(比如通过Twitter让房屋联网)的通信协议。
MQTT协议是为大量计算能力有限,且工作在低带宽、不可靠的网络的远程传感器和控制设备通讯而设计的协议,它具有以下主要的几项特性:
1、使用发布/订阅消息模式,提供一对多的消息发布,解除应用程序耦合
2、对负载内容屏蔽的消息传输
3、使用 TCP/IP 提供网络连接
4、有三种消息发布服务质量
“至多一次”,消息发布完全依赖底层 TCP/IP 网络。会发生消息丢失或重复。这一级别可用于如下情况,环境传感器数据,丢失一次读记录无所谓,因为不久后还会有第二次发送。
“至少一次”,确保消息到达,但消息重复可能会发生。
“只有一次”,确保消息到达一次。这一级别可用于如下情况,在计费系统中,消息重复或丢失会导致不正确的结果。
5、小型传输,开销很小(固定长度的头部是 2 字节),协议交换最小化,以降低网络流量
6、使用 Last Will 和 Testament 特性通知有关各方客户端异常中断的机制
1.2 MQTT工作流
step 1. 启动 MQTT 服务器
MQTT 服务器是接受 MQTT 客户端的订阅和发布请求的网络实体。开发者可以根据 MQTT 协议规范 设计 MQTT server 和 MQTT client.通常 MQTT server 有很多开源项目提供,于是 MQTT server 默认为 MQTT broker.
MQTT broker: 即MQTT代理
a) MQTT broker 提供 MQTT server服务,处理客户端请求,发送心跳包等。
b) 提供 MQTT client 服务,提供订阅和发布的client端功能
c) 通常运行在处理能力较强的PC上或集群服务器上。
可供选择的MQTT broker有:
a) Mosquitto
b) EMQTT
c) HiveMQ等
d) 各个云平台提供的MQTT服务,如:微软云Azure-MQTT 、亚马逊云Amazon-MQTT等
在本文的二三四节,我们将使用Mosquitto 作为我们的 MQTT broker.
step 2. MQTT 客户端订阅
MQTT subscribe client 将向 MQTT broker订阅一个或者多个主题(topic).以后MQTT broker 收到MQTT publish client 发布消息后,将会向订阅了该主题的 MQTT subscribe client发布该消息。换句话说,如果没有client订阅主题,那么发布者发布消息将毫无意义;如果有很多订阅者,没有发布者,那么订阅也将毫无意义。MQTT订阅端通常是终端设备。
step 3. MQTT客户端发布消息
MQTT publish client 将向 MQTT broker 发布自己的消息,每个消息包含topic和payload.
MQTT broker 根据 topic 将消息转发给感兴趣的 client。
主题名称topic通常是一个简单的字符串,使用分层结构,使用左斜杠分隔。如 /yourhome/livingroom/temperature
有效载荷payload完全依赖于使用场景,他可以是二进制流,也可以是JSON数据。
step 4. MQTT订阅端接受数据
MQTT subscribe client将会收到MQTT broker发给它感兴趣的订阅主题的相关消息,同时进行对应处理。
实例展示
张先生承包了1000个大棚种植作物,每个大棚里面有温度控制系统,不同季节需对不同作物采用不同的温度,如何高效直观来控制这些大棚的温度呢?下面是一种可行高效的解决办法:
张先生为每个大棚配置一颗精致的WiFi芯片,比如ESP32,连接温度控制系统。ESP32支持连接微软云,和微软云交互温度数据。微软云支持MQTT协议,微软云可作为MQTT broker。
每颗ESP32作为 MQTT订阅段,订阅温度信息,比如:
subscribe /plant/peanut/UpdateTemperature以后张先生可以不用去大棚里面实际操作温度控制系统,只需要在家中,控制手机端APP,发布MQTT消息就可以控制大棚温度。比如:
MQTT publish /plant/peanut/UpdateTemperature "temperature:15"那么peanut所在大棚的ESP32通过订阅消息MQTT主题,收到15摄氏度的请求后,将这个命令,传到温度控制系统来控制大棚实际温度。同时,张先生也可以通过微软云查看所有大棚的温度变化信息等。这样,真正实现运筹帷幄家中,决胜千里之外。
二: mosquitto
mosquitto是一款很优秀的 MQTT broker.一款实现了消息推送协议 MQTT v3.1 的开源消息代理软件,提供轻量级的,支持可发布/可订阅的的消息推送模式,使设备对设备之间的短消息通信变得简单。mosquitto 即可以作为 MQTT Server,也可以作为MQTT client.
mosquitto 下载和安装:
https://mosquitto.org/download/
ubuntu16.04下可直接使用下面方式安装:
$ sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
$ sudo apt-get update
$ sudo apt-get install mosquitto
安装完可查看当前mosquitto版本:
$ mosquitto --help
三: mosquitto 服务器 SSL/TLS 配置
3.1 证书生成脚本
同上一篇博客相同http://blog.csdn.net/ustccw/article/details/76691248#t8,使用 makefile.sh 来产生所需的所有SSL/TLS 双向认证文件。rmfile.sh 来删除产生过的文件。
makefile.sh
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the axTLS project nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Generate the certificates and keys for testing.
#
PROJECT_NAME="TLS Project"
# Generate the openssl configuration files.
cat > ca_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
O = $PROJECT_NAME Dodgy Certificate Authority
EOF
cat > server_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
O = $PROJECT_NAME
CN = 192.168.111.100
EOF
cat > client_cert.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
O = $PROJECT_NAME Device Certificate
CN = 192.168.111.101
EOF
mkdir ca
mkdir server
mkdir client
mkdir certDER
# private key generation
openssl genrsa -out ca.key 1024
openssl genrsa -out server.key 1024
openssl genrsa -out client.key 1024
# cert requests
openssl req -out ca.req -key ca.key -new \
-config ./ca_cert.conf
openssl req -out server.req -key server.key -new \
-config ./server_cert.conf
openssl req -out client.req -key client.key -new \
-config ./client_cert.conf
# generate the actual certs.
openssl x509 -req -in ca.req -out ca.crt \
-sha1 -days 5000 -signkey ca.key
openssl x509 -req -in server.req -out server.crt \
-sha1 -CAcreateserial -days 5000 \
-CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt \
-sha1 -CAcreateserial -days 5000 \
-CA ca.crt -CAkey ca.key
openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in server.crt -outform DER -out server.der
openssl x509 -in client.crt -outform DER -out client.der
mv ca.crt ca.key ca/
mv server.crt server.key server/
mv client.crt client.key client/
mv ca.der server.der client.der certDER/
rm *.conf
rm *.req
rm *.srl
终端执行:
$./makefile.sh注意!
a) 将 192.168.111.100 改为你自己的 server 地址
b) 将 192.168.111.101 改为你自己的 client 地址
c) 生成的证书路径需提供给3.2节中 mosquitto.conf 配置
本地生成双向认证的证书和私钥文件。
rmfile.sh
rm ca/ -rf
rm certDER/ -rf
rm client/ -rf
rm server/ -rf$./rmfile.sh删除产生过的TLS相关文件。
3.2 mosquitto.conf 配置
mosquitto配置文件 mosquitto.conf 可以丰富的配置 MQTT broker,如配置 keep-alive时间,配置服务器端口号等。
通常mosquitto安装完,配置文件在 /etc/mosquitto/mosquitto.conf。
如果您没有此文件,需将下面配置文件放在 /etc/mosquitto/ 目录下。
mosquitto.conf
# Config file for mosquitto
#
# See mosquitto.conf(5) for more information.
#
# Default values are shown, uncomment to change.
#
# Use the # character to indicate a comment, but only if it is the
# very first character on the line.
# =================================================================
# General configuration
# =================================================================
# Time in seconds to wait before resending an outgoing QoS=1 or
# QoS=2 message.
#retry_interval 20
# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10
# Time in seconds between cleaning the internal message store of
# unreferenced messages. Lower values will result in lower memory
# usage but more processor time, higher values will have the
# opposite effect.
# Setting a value of 0 means the unreferenced messages will be
# disposed of as quickly as possible.
#store_clean_interval 10
# Write process id to a file. Default is a blank string which means
# a pid file shouldn't be written.
# This should be set to /var/run/mosquitto.pid if mosquitto is
# being run automatically on boot with an init script and
# start-stop-daemon or similar.
#pid_file
# When run as root, drop privileges to this user and its primary
# group.
# Leave blank to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should
# be started by the user you wish it to run as.
#user mosquitto
# The maximum number of QoS 1 and 2 messages currently inflight per
# client.
# This includes messages that are partway through handshakes and
# those that are being retried. Defaults to 20. Set to 0 for no
# maximum. Setting to 1 will gua
最低0.47元/天 解锁文章
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
