Part One: What is SSL/TLS?
SSL ("Secure Sockets Layer") and its successor TLS ("Transport Layer Security") are cryptographic protocols that protect the confidentiality and integrity of data in transit. They ensure that traffic cannot be read or modified by an unauthorized party, so that only the legitimate sender and receiver have access to the information exchanged. All versions of SSL, as well as TLS 1.0 and TLS 1.1, are deprecated (RFC 6176, RFC 7568, RFC 8996); when people say "SSL" today they mean TLS 1.2 or TLS 1.3.
SSL/TLS one-way authentication: the client authenticates the server's identity; the server does not authenticate the client.
SSL/TLS mutual (two-way) authentication: client and server authenticate each other, i.e. both sides present a certificate during the handshake.
Part Two: Using SSL/TLS with MQTT
1: Install mosquitto and related components
sudo apt-get install mosquitto mosquitto-clients mosquitto-dev
For background on mosquitto, see the previous post: MQTT以及mosquitto的学习_Wypp1的博客-CSDN博客
2: In /etc/mosquitto, create a script named tls.sh with the following content. (Note: change the IP in the server CN to your own broker address; with no subjectAltName in the certificate, this CN is what clients compare against the -h argument.)
#!/bin/bash
#
# Generate a test CA plus server and client certificates/keys for mosquitto.
# The script requests no X.509 extensions (no basicConstraints, subjectAltName
# or extendedKeyUsage), which is acceptable for a test bench: clients will fall
# back to matching the server CN against the address they connect to.
#
set -e
PROJECT_NAME="MQTT TLS Project"

# OpenSSL request configuration files: subject fields only, no prompting.
cat > ca_cert.conf << EOF
[ req ]
distinguished_name = CA_DH
prompt = no
[ CA_DH ]
O = $PROJECT_NAME Dodgy Certificate Authority
EOF
# Server CN must be the IP (or hostname) that clients pass to -h.
cat > server_cert.conf << EOF
[ req ]
distinguished_name = SERVER_DH
prompt = no
[ SERVER_DH ]
O = $PROJECT_NAME
CN = 192.168.0.7
EOF
# Client CN is the device identity; it does not have to match the broker IP.
cat > client_cert.conf << EOF
[ req ]
distinguished_name = CLIENT_DH
prompt = no
[ CLIENT_DH ]
O = $PROJECT_NAME Device Certificate
CN = 192.168.0.7
EOF

mkdir -p ca server client certPEM

# Private keys: 2048-bit RSA, unencrypted, because the broker loads its key unattended.
openssl genrsa -out ca.key 2048
openssl genrsa -out server.key 2048
openssl genrsa -out client.key 2048

# Certificate signing requests.
openssl req -out ca.req -key ca.key -new -config ./ca_cert.conf
openssl req -out server.req -key server.key -new -config ./server_cert.conf
openssl req -out client.req -key client.key -new -config ./client_cert.conf

# Certificates: the CA is self-signed, server and client are signed by the CA.
openssl x509 -req -in ca.req -out ca.crt -sha512 -days 3650 -signkey ca.key
openssl x509 -req -in server.req -out server.crt -sha512 -CAcreateserial -days 3650 \
    -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt -sha512 -CAcreateserial -days 3650 \
    -CA ca.crt -CAkey ca.key

# Check that both leaf certificates chain to the CA.
openssl verify -CAfile ca.crt client.crt
openssl verify -CAfile ca.crt server.crt

# The .crt files are already PEM encoded; these .pem copies have identical content.
openssl x509 -in ca.crt -outform PEM -out ca.pem
openssl x509 -in server.crt -outform PEM -out server.pem
openssl x509 -in client.crt -outform PEM -out client.pem

mv ca.crt ca.key ca/
mv server.crt server.key server/
mv client.crt client.key client/
mv ca.pem server.pem client.pem certPEM/
rm -f *.req *.srl
3. Run the script (from /etc/mosquitto, which is root-owned):
chmod +x tls.sh
sudo ./tls.sh
4. This produces ca/ca.crt and ca/ca.key, server/server.crt and server/server.key, client/client.crt and client/client.key, plus the PEM copies in certPEM/.
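The script above is enough for a working handshake, but its certificates carry no extensions: nothing marks the CA as a CA, there is no subjectAltName (so clients fall back to matching the CN, a fallback that browsers and several modern TLS stacks no longer honour), and nothing separates server certificates from device certificates. The following is an added example, not part of the original post, showing how I would generate the same three key pairs with those extensions and how to check them offline with openssl verify before pointing mosquitto at them. It assumes OpenSSL 1.1.1 or newer on PATH; 192.168.0.7 is the page's broker address, and the names mqtt-broker, MQTT Test CA and device-0001 are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a test PKI for a mosquitto broker
# with the X.509 extensions the page's script omits, plus the offline checks a
# reviewer runs before deploying it. Assumes OpenSSL >= 1.1.1 on PATH.
# 192.168.0.7 is the page's broker IP; replace it with your own.
set -eu

# gen_pki DIR BROKER_IP: writes ca.{crt,key}, server.{crt,key}, client.{crt,key}
# into DIR. Keys are unencrypted because the broker must load its key unattended.
gen_pki() {
    dir=$1
    ip=$2
    mkdir -p "$dir"
    cnf="$dir/openssl.cnf"
    # One config file for all three certificates; the dn section is only there
    # because req insists on one, the real subjects are passed with -subj.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = MQTT TLS Project
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # CA: self-signed, explicitly CA:TRUE and limited to signing.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cnf" -extensions v3_ca \
        -subj "/O=MQTT TLS Project/CN=MQTT Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server: the SAN carries the broker IP (a client matches the SAN, not the
    # CN, whenever a SAN is present) and the EKU restricts it to serverAuth.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/O=MQTT TLS Project/CN=mqtt-broker" \
        -keyout "$dir/server.key" -out "$dir/server.req" 2>/dev/null
    openssl x509 -req -in "$dir/server.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
    # Client: CN is the device identity (mosquitto can use it as the username
    # with use_identity_as_username true); clientAuth-only EKU means a leaked
    # device certificate cannot be used to impersonate the broker.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/O=MQTT TLS Project Device Certificate/CN=device-0001" \
        -keyout "$dir/client.key" -out "$dir/client.req" 2>/dev/null
    openssl x509 -req -in "$dir/client.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$cnf" -extensions v3_client \
        -out "$dir/client.crt" 2>/dev/null
    rm -f "$dir"/*.req "$dir"/*.srl "$cnf"
    chmod 600 "$dir"/*.key
}

# Checks: each returns 0 (accepted) or non-zero (rejected), mirroring what an
# OpenSSL-based peer such as mosquitto decides during the handshake.

# verify_chain DIR CERT: does CERT chain to DIR/ca.crt?
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}
# server_cert_valid_for_ip DIR IP: what a client connecting with -h IP checks:
# the chain, the serverAuth purpose, and that the SAN covers IP.
server_cert_valid_for_ip() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_ip "$2" \
        "$1/server.crt" >/dev/null 2>&1
}
# Purpose checks: may DIR/CERT act as a TLS server, or as a TLS client?
cert_usable_as_server() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/$2" >/dev/null 2>&1
}
cert_usable_as_client() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2" >/dev/null 2>&1
}

# Stand-alone demo: build the PKI in a scratch directory and report each check.
show() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
demo_dir=$(mktemp -d)
gen_pki "$demo_dir" 192.168.0.7
show verify_chain "$demo_dir" server.crt                # accepted
show verify_chain "$demo_dir" client.crt                # accepted
show server_cert_valid_for_ip "$demo_dir" 192.168.0.7   # accepted
show server_cert_valid_for_ip "$demo_dir" 10.0.0.1      # rejected: SAN does not cover the IP
show cert_usable_as_server "$demo_dir" client.crt       # rejected: EKU is clientAuth only
show cert_usable_as_client "$demo_dir" client.crt       # accepted
echo "PKI written to $demo_dir"
```

To use it for real, call gen_pki with /etc/mosquitto and your broker address, then point cafile, certfile and keyfile at the resulting files; the two "rejected" lines are the point of the exercise, since they are exactly the misuse cases (wrong host, device certificate presented as a server) that the page's extension-less certificates cannot distinguish.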
5. Write /etc/mosquitto/mosquitto.conf with the content below. A note on the TLS version: mosquitto_pub and mosquitto_sub default to TLS 1.2, and OpenSSL 1.1.1 (the version on the test VM; check with openssl version) supports TLS 1.2 and 1.3, so there is no version mismatch to work around. Downgrading the broker to tlsv1.1 is what causes failures: TLS 1.0 and 1.1 are deprecated (RFC 8996) and several distributions ship OpenSSL 1.1.1 with MinProtocol = TLSv1.2 in the system openssl.cnf, which refuses them outright. Pin tlsv1.2 on both broker and clients, or omit tls_version and let them negotiate.
password_file /etc/mosquitto/pwfile.txt
allow_anonymous false
listener 1883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/server/server.crt
keyfile /etc/mosquitto/server/server.key
require_certificate true
tls_version tlsv1.2
This file points the broker at a password file, forbids anonymous logins, and with require_certificate true enables mutual authentication: every client must present a certificate issued by the CA in cafile, on top of a username and password. (With use_identity_as_username true the certificate CN would be used as the username instead; this post keeps password authentication.) Two practical notes: if the broker runs as the unprivileged mosquitto user, as the packaged service does, that user must be able to read server.key; and 1883 is the plaintext MQTT port, while 8883 is the registered port for MQTT over TLS, so change listener to 8883 for anything beyond this test.
mosquitto_passwd -c /etc/mosquitto/pwfile.txt tianning
Use the command above to create the password file and set a password for user tianning. -c creates the file and overwrites an existing one, so drop it when adding further users.
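To make the interaction of these settings concrete, here is an added example, not from the original post: a small shell linter that reads a mosquitto.conf and flags the weak settings discussed in this section (anonymous access not disabled, a deprecated tls_version, a TLS listener without cafile/capath or without require_certificate, and TLS on the plaintext port 1883). The directive names are real mosquitto options; the two sample configurations inside it are constructed for the demo, the first using tlsv1.1 on port 1883 and the second tlsv1.2 on 8883.

```shell
#!/bin/sh
# Added example (not from the original post): lint a mosquitto.conf for the
# TLS and authentication settings discussed on this page. The sample
# configurations below are constructed for the demo.
set -eu

# conf_value FILE KEY: value of the last non-comment occurrence of KEY (a later
# line overrides an earlier one, as in mosquitto itself); empty if unset.
conf_value() {
    awk -v k="$2" '$1 !~ /^#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# audit_mosquitto_conf FILE: prints one finding per line, nothing if clean.
audit_mosquitto_conf() {
    conf=$1
    [ "$(conf_value "$conf" allow_anonymous)" = false ] ||
        echo "allow_anonymous is not set to false (mosquitto 1.x defaults to true): unauthenticated clients may connect"
    case "$(conf_value "$conf" tls_version)" in
        tlsv1|tlsv1.1)
            echo "tls_version $(conf_value "$conf" tls_version) is deprecated by RFC 8996: use tlsv1.2, or drop the line and let the peers negotiate" ;;
    esac
    # The remaining checks only apply once certfile turns the listener into a TLS listener.
    if [ -n "$(conf_value "$conf" certfile)" ]; then
        [ -n "$(conf_value "$conf" cafile)$(conf_value "$conf" capath)" ] ||
            echo "certfile set without cafile or capath: the broker cannot verify any client certificate"
        [ "$(conf_value "$conf" require_certificate)" = true ] ||
            echo "require_certificate is not true: one-way TLS, clients are identified by password only"
        [ "$(conf_value "$conf" listener)" != 1883 ] ||
            echo "TLS listener on 1883: that is the plaintext MQTT port, 8883 is the registered port for MQTT over TLS"
    fi
}

# finding_count FILE: number of findings, printed on stdout.
finding_count() {
    audit_mosquitto_conf "$1" | grep -c . || true
}

# Constructed sample configurations for the demo.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
password_file /etc/mosquitto/pwfile.txt
allow_anonymous false
listener 1883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/server/server.crt
keyfile /etc/mosquitto/server/server.key
require_certificate true
tls_version tlsv1.1
EOF
cat > "$tmp/hardened.conf" <<'EOF'
password_file /etc/mosquitto/pwfile.txt
allow_anonymous false
listener 8883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/server/server.crt
keyfile /etc/mosquitto/server/server.key
require_certificate true
tls_version tlsv1.2
EOF

for f in weak hardened; do
    echo "== $f.conf: $(finding_count "$tmp/$f.conf") finding(s)"   # weak: 2, hardened: 0
    audit_mosquitto_conf "$tmp/$f.conf"
done
```

Run it against /etc/mosquitto/mosquitto.conf after editing; a clean run prints nothing, and the two findings on the weak sample are precisely the tls_version and port choices corrected in the configuration above.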
Part Three: Testing
1. Start the broker
sudo mosquitto -c /etc/mosquitto/mosquitto.conf -v
Note: on Debian/Ubuntu the mosquitto package also installs and starts a systemd service that is already listening on 1883, so stop it first (sudo systemctl stop mosquitto) or the manual start fails with "Address already in use". The -v flag logs every connection attempt, which is the quickest way to see why a client was rejected.
2. Test with the following commands, run from /etc/mosquitto so the relative paths resolve, starting the subscriber first. Because the broker requires both a client certificate and a password, each client must pass --cert/--key as well as -u/-P; replace <password> with the one set by mosquitto_passwd.
mosquitto_sub -h 192.168.0.7 -p 1883 -t "Hello" --tls-version tlsv1.2 --cafile ./ca/ca.crt --cert ./client/client.crt --key ./client/client.key -u tianning -P <password>
mosquitto_pub -h 192.168.0.7 -p 1883 -t "Hello" -m "hello sub" --tls-version tlsv1.2 --cafile ./ca/ca.crt --cert ./client/client.crt --key ./client/client.key -u tianning -P <password>
3. Connection successful: mosquitto_sub prints hello sub. As a negative check, repeat the publish without --cert/--key and the broker aborts the TLS handshake; repeat it with a wrong password and the connection is refused as not authorised.