Security is a very important aspect for MQTT brokers. In a previous article you’ve already learned how to implement authentication and authorization. The weakness in that configuration was that credentials were transmitted in cleartext; it was therefore possible, for an attacker who can sniff the network traffic, to read and use them to impersonate a legitimate client.
Today I’ll show you how to encrypt the communication channel between client and broker using SSL certificates. I’ll also explain how to write a program for the esp32 chip to send data to the broker using the secure channel…
To be able to encrypt the communication, mosquitto requires a server certificate.
First generate the private key (RSA with a length at least 2048 bits):
openssl genrsa -out mosquitto.key 2048
Then create the CSR file:
openssl req -new -out mosquitto.csr -key mosquitto.key
type the required information; the most important of which is the common name that will identify the server:
Now sign the CSR file with your Certificate Authority (or send it to a public / corporate CA) to generate the certificate:
openssl ca -config openssl.cnf -extensions server_cert -notext -in mosquitto.csr -out mosquitto.cer
Create the ssl subfolder in the folder where you installed mosquitto and copy into that folder the certificate, its private key and the certificate of the CA:
Open the mosquitto.conf file and add the following lines:
The first line changes the TCP port mosquitto is normally listening to (1883) to the default port for SSL connection, 8883.
The following 3 lines set the path for server and CA certificates and for the private key that corresponds to the server certificate. The last one, which is not compulsory, forces the use of the TLS v1.2 protocol, the most secure one at the moment of writing.
Once the server has been configured, you can start it (-v is to enable the verbose output):
mosquitto.exe -c mosquitto.conf -v
To be able to use the mosquitto_pub and mosquitto_sub tools, you now have to add new parameters:
mosquitto_sub.exe -p 8883 -t test --cafile .\ssl\ca.cer --insecure mosquitto_pub.exe -p 8883 -m 20 -t test --cafile .\ssl\ca.cer --insecure
With -p you specify the TCP port of the server, with –cafile the path of the CA certificate which signed the server certificate mosquitto uses and finally with –insecure you configure the two clients not to verify that the certificate’s common name (in my example mymosquitto.local) corresponds to the server name.
Tuan PM developed a library (espmqtt) for the esp-idf framework that implements a complete MQTT client. Moreover, the library does support secure connections, you can therefore use it to connect to an MQTT broker with TLS enabled.
Copy the content of the Github repository in the components folder of your project and include the library’s header file in your source code:
The MQTT client is configured using the mqtt_settings struct:
The most important parameters are:
- the server (host) that runs the MQTT broker (you can use the IP address or the DNS name)
- the TCP port (port) the server is listening to (default is 1883 or 8883 if SSL is enabled)
- username and password if the server requires authentication
- one or more callback functions the espmqtt library will call when the corresponding event occurs
Your program can interact with the MQTT client implementing its callback functions.
For example the connection or disconnection from the MQTT server occurs as follows:
The connect_cb and disconnect_cb functions perform the “real” connection and disconnection, while connected_cb and disconnected_cb functions are executed after the corresponding activity is completed (= the client successfully connected to the server). Your program usually doesn’t need to re-implement the main functions, but will implement the ones related to events, to execute actions (for example subscribe a topic) when a specific event occurs.
After having configured the client, you can run it with:
Once connected to the server (connected_cb callback function) you can subscribe or unsubscribe a topic with:
void mqtt_subscribe(mqtt_client *client, const char *topic, uint8_t qos); void mqtt_unsubscribe(mqtt_client *client, const char *topic);
and publish data to a topic with:
void mqtt_publish(mqtt_client* client, const char *topic, const char *data, int len, int qos, int retain);
I prepared an example to show my esp32 devboard sending data to a mosquitto server, with SSL enabled.
I connected to the devboard an HTU21D sensor as explained in a previous article and my program reads, every 5 seconds, the temperature and humidity values and sends them to the broker. I used a very handy opensource program, HelloIoT, to create a dashboard and display the received data.
The source code of the program and the configuration of the HelloIoT dashboard are available in my Github repository; here’s a short video of the demo: