Mosquitto---SSL/TLS one-way authentication + bidirectional authentication

Source: Internet
Author: User
Tags: openssl, x509, sha1

Generate certificate
#!/bin/sh
# * Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
# * Neither the name of the axTLS project nor the names of its
#   contributors may be used to endorse or promote products derived
#   from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Generate the certificates and keys for testing.
#

PROJECT_NAME="TLS PROJECT"

# Certificate validity in days. The page gives 5000 for the CA certificate;
# the values for the server and client certificates were lost, so 5000 is
# assumed for all three.
DAYS=5000

# NOTE: -sha1 and 1024-bit RSA keys are kept as in the original. OpenSSL 3
# and current brokers/clients reject SHA-1 signed chains at their default
# security level, so use -sha256 and 2048 bits for anything beyond a lab test.

# Generate the OpenSSL configuration files.
cat > ca_cert.conf << EOF
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
O                      = $PROJECT_NAME Dodgy Certificate Authority
EOF

cat > server_cert.conf << EOF
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
O                      = $PROJECT_NAME
CN                     = 192.168.111.100
EOF

cat > client_cert.conf << EOF
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
O                      = $PROJECT_NAME Device Certificate
CN                     = 192.168.111.101
EOF

mkdir ca
mkdir server
mkdir client
mkdir certder

# private key generation
openssl genrsa -out ca.key 1024
openssl genrsa -out server.key 1024
openssl genrsa -out client.key 1024

# cert requests
openssl req -out ca.req -key ca.key -new \
            -config ./ca_cert.conf
openssl req -out server.req -key server.key -new \
            -config ./server_cert.conf
openssl req -out client.req -key client.key -new \
            -config ./client_cert.conf

# generate the actual certs: the CA is self-signed, server and client
# certificates are signed by the CA
openssl x509 -req -in ca.req -out ca.crt \
            -sha1 -days $DAYS -signkey ca.key
openssl x509 -req -in server.req -out server.crt \
            -sha1 -CAcreateserial -days $DAYS \
            -CA ca.crt -CAkey ca.key
openssl x509 -req -in client.req -out client.crt \
            -sha1 -CAcreateserial -days $DAYS \
            -CA ca.crt -CAkey ca.key

# DER copies of the certificates (for devices that cannot read PEM)
openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in server.crt -outform DER -out server.der
openssl x509 -in client.crt -outform DER -out client.der

mv ca.crt ca.key ca/
mv server.crt server.key server/
mv client.crt client.key client/
mv ca.der server.der client.der certder/

rm *.conf
rm *.req
rm *.srl


Save the above code as makefile.sh.

Make the following changes, then run it in a terminal:

    • Change the IP address in the CN fields to the IP address of your host/device

    • [optional] Change the 1024-bit key size to the key size you need

Verify the certificates against the CA

Run the following commands to verify that the certificates are usable:

$ openssl verify -CAfile ca/ca.crt server/server.crt
$ openssl verify -CAfile ca/ca.crt client/client.crt

The results are as follows:
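The openssl verify check above only proves the chain. The following added script (example code, not part of the original post) also confirms that each private key belongs to its certificate, extracts the CN that mosquitto clients will compare with the -h address, and flags SHA-1 signatures, which current OpenSSL rejects; it assumes the ca/, server/ and client/ directories from makefile.sh are in the current directory and that the openssl command line is installed.

```shell
#!/bin/sh
# Added checks for the certificates produced by makefile.sh (example code,
# not from the original post). Usage: sh check_certs.sh run   (name assumed)

# 0 if the leaf certificate chains to the CA (the same check as above).
verify_chain() {            # $1 = ca.crt  $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the private key belongs to the certificate. A mismatch makes mosquitto
# (or the client) abort with an opaque SSL error when it loads keyfile.
cert_matches_key() {        # $1 = cert  $2 = key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the subject CN. With no subjectAltName in the cert, mosquitto_sub/pub
# compare the CN against the -h value, so it must equal the broker address.
cert_cn() {                 # $1 = cert
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 0 if the certificate is SHA-1 signed. OpenSSL 3 rejects such chains at its
# default security level ("CA signature digest algorithm too weak").
signed_with_sha1() {        # $1 = cert
    openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha1'
}

# 0 if a TLS handshake with the broker validates the server certificate.
# Needs a running broker, so it is not part of the offline checks.
handshake_ok() {            # $1 = host  $2 = port  $3 = ca.crt
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

if [ "$1" = "run" ]; then
    for side in server client; do
        verify_chain ca/ca.crt "$side/$side.crt" || echo "$side: chain broken"
        cert_matches_key "$side/$side.crt" "$side/$side.key" || echo "$side: key mismatch"
        signed_with_sha1 "$side/$side.crt" && echo "$side: SHA-1 signed, regenerate with -sha256"
    done
    echo "server CN: $(cert_cn server/server.crt)"
fi
```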

Configure one-way / two-way authentication

Step 1. Open the configuration file:

sudo vim /etc/mosquitto/mosquitto.conf

Step 2. Locate the "Default listener" section and add the following configuration under it.

Find the "Certificate based SSL/TLS support" field there.

That is:

port 8883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
require_certificate true
use_identity_as_username true

Set the file paths according to where you put the files; here they were placed under /etc/mosquitto/ca/.

Attention!!!

Depending on whether you want one-way or two-way authentication, the fields that may need to be modified are:

a) port 8883        // the MQTT server will listen on this port

b) cafile /etc/mosquitto/ca/ca.crt

Two-way authentication: must be set to your CA certificate.

One-way authentication (taken here, and below, to mean that the client verifies the server's certificate): optional.

In one-way authentication the server and client CA settings must agree: if the server is configured with ca.crt, the client must also be given ca.crt; if the server does not configure ca.crt, the client must not be given one either.

The path must be an absolute path!!!

c) certfile /etc/mosquitto/ca/server/server.crt

Both one-way and two-way authentication: must be set to your server certificate.

d) keyfile /etc/mosquitto/ca/server/server.key

Both one-way and two-way authentication: must be set to your server private key.

e) require_certificate true

One-way authentication: set to false, or comment out this line (the default is false).

Two-way authentication: must be set to true.

f) use_identity_as_username true

One-way authentication: set to false, or comment out this line (the default is false).

Two-way authentication: usually set to true.

As the above shows, two-way authentication differs from one-way in that, besides the CA certificate and the server's certificate and private key that one-way SSL authentication already requires, the following two switches must also be turned on:

require_certificate true
use_identity_as_username true


Restart the service

mosquitto -c /etc/mosquitto/mosquitto.conf

If it reports that the port is in use, find the running mosquitto process with ps and kill it:

ps aux | grep mosquitto
kill -9 XXXXX

Switching between one-way and two-way authentication

One-way authentication only requires commenting out two lines:

#require_certificate true
#use_identity_as_username true

As follows:

port 8883
cafile /etc/mosquitto/ca/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key

Opening one-way authentication at the same time

Step 1.

First, leave /etc/mosquitto/mosquitto.conf configured for two-way authentication on the default listener as above, then find the "Extra listener" field.

Configure it as follows to open another port for one-way authentication.

Step 2.

Then locate the "Certificate based SSL/TLS support" field under this listener.

 
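Since the listener configuration for this step is not reproduced above, here is an added example (not the original page's listing) of a complete mosquitto.conf that serves both modes at once: the default listener on 8883 with two-way authentication as configured earlier, and an extra listener on 8884 with one-way authentication, matching the ports used in the Verify section. It assumes the ca/, server/ and client/ directories from makefile.sh were copied under /etc/mosquitto/ca/, so the CA certificate is at /etc/mosquitto/ca/ca/ca.crt.

```conf
# Default listener: two-way authentication (clients must present a certificate
# signed by ca.crt; the certificate's CN becomes the MQTT username)
port 8883
cafile /etc/mosquitto/ca/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
require_certificate true
use_identity_as_username true

# Extra listener: one-way authentication on a second port (clients only verify
# the server certificate; no client certificate is requested)
listener 8884
cafile /etc/mosquitto/ca/ca/ca.crt
certfile /etc/mosquitto/ca/server/server.crt
keyfile /etc/mosquitto/ca/server/server.key
require_certificate false
```

Option names and the true/false values are case-sensitive and must be lowercase as written. On Mosquitto 2.0 and later allow_anonymous defaults to false, so the 8884 listener also needs a password_file (or allow_anonymous true for a lab test) before the unauthenticated mosquitto_pub in the Verify section is accepted.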

Step 3. Restart the service:

mosquitto -c /etc/mosquitto/mosquitto.conf

Verify

Step 1. Go to the certificate directory (the one containing ca/, server/ and client/):

Step 2. Two-way:

Terminal one: subscribe

mosquitto_sub -h 10.30.11.47 -p 8883 -t "mqtt/server/topic" --cafile ./ca/ca.crt --cert ./client/client.crt --key ./client/client.key &

Terminal two: publish

mosquitto_pub -h 10.30.11.47 -p 8883 -t "mqtt/server/topic" -m "hello,world!" --cafile ./ca/ca.crt --cert ./server/server.crt --key ./server/server.key

Step 3. One-way:

Terminal one: subscribe

mosquitto_sub -h 10.30.11.47 -p 8884 -t "mqtt/server/topic" --cafile ./ca/ca.crt &

Terminal two: publish

mosquitto_pub -h 10.30.11.47 -p 8884 -t "mqtt/server/topic" -m "hello,world!" --cafile ./ca/ca.crt

