m2mqtt with TLS connection in C# - ssl

I can connect to the broker with mosquitto_sub. I am using MQTT and M2Mqtt in C#.
mosquitto_sub -h {URL} -p {PORT} -t {topic} --psk {psk} --psk-identity {psk-identity} --tls-version tlsv1
I have no idea how to implement it with M2Mqtt in C#.
Do I need to generate a certificate file with openssl?

Related

MQTT MTLS connection with different CA

I am trying mTLS authentication in MQTT. I am using mosquitto to achieve this. When I create the server and client certificates from the same CA, the connection is successful. But if I use a different CA to create the client certificate, it fails with the message below:
Client null sending CONNECT
OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: The connection was lost.
Is it mandatory to use the same CA for both client and server certificates in mtls?
Mosquitto.conf
listener 8883
certfile C:\server.crt
keyfile C:\server.key
require_certificate true
cafile C:\mqtt-ssl-demo\ca.crt
allow_anonymous true
Running broker using
mosquitto -c "C:\Program Files\mosquitto\mosquitto.conf"
Subscribe with a client whose certificate is signed by the server certificate's CA [SUCCESS]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\client.crt --key C:\mqtt-ssl-demo\client.key
Subscribe with a client whose certificate is signed by another CA [FAILURE]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\otherclient.crt --key C:\mqtt-ssl-demo\otherclient.key
The certificates were created following "Mosquitto SSL Configuration - MQTT TLS Security".
The important thing to realise here is that the CA file passed to the broker as part of its config is used to verify the certificate of any connecting client.
Whereas the CA file passed to the client (mosquitto_sub) is used to verify the certificate the broker presents.
So if you are using different CAs, these files need to be different. It's not clear from what you've posted which CA certs you are using where.
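The trust-store asymmetry described in the answer above, as an added shell example that is not part of the original thread: two CAs are generated with openssl, a server certificate and one client certificate are signed by the first, a second client certificate by the other, and `openssl verify` stands in for the chain check each side performs (the broker's `cafile` against the client certificate, the client's `--cafile` against the broker certificate). It then shows the fix when clients legitimately come from a second CA: hand the broker a PEM bundle containing both CA certificates. All names (ca, other-ca, broker.example, client-1, client-2) are made up, and the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the "tlsv1 alert
# unknown ca" situation with two CAs and show the cafile bundle that fixes it.
# Needs the openssl command-line tool. Every name below is made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME.crt / NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue NAME CA CN: leaf certificate for CN, signed by the CA made with make_ca
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# verdict CAFILE CERT: the chain check OpenSSL performs on a peer certificate
# given the trust anchors in CAFILE. The broker runs it against the client
# certificate (its cafile); the client runs it against the broker certificate
# (its --cafile). Prints "accepted" or "rejected (unknown ca)".
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "accepted"
    else
        echo "rejected (unknown ca)"
    fi
}

# The CA from the question signs server.crt and client.crt; a second,
# unrelated CA signs otherclient.crt.
make_ca ca
make_ca other-ca
issue server ca broker.example
issue client ca client-1
issue otherclient other-ca client-2

echo "broker side, cafile = ca.crt, require_certificate true"
echo "  client.crt       -> $(verdict "$WORK/ca.crt" "$WORK/client.crt")"
echo "  otherclient.crt  -> $(verdict "$WORK/ca.crt" "$WORK/otherclient.crt")"

echo "client side, --cafile decides whether server.crt is trusted"
echo "  --cafile ca.crt        -> $(verdict "$WORK/ca.crt" "$WORK/server.crt")"
echo "  --cafile other-ca.crt  -> $(verdict "$WORK/other-ca.crt" "$WORK/server.crt")"

# Fix for clients from a second CA: cafile is a PEM file and may hold several
# CA certificates, so give the broker a bundle of every CA it should accept.
cat "$WORK/ca.crt" "$WORK/other-ca.crt" > "$WORK/ca-bundle.crt"
echo "broker side, cafile = ca-bundle.crt"
echo "  otherclient.crt  -> $(verdict "$WORK/ca-bundle.crt" "$WORK/otherclient.crt")"

# Matching broker configuration (paths are those of this demo run)
cat <<EOF

listener 8883
certfile $WORK/server.crt
keyfile $WORK/server.key
require_certificate true
cafile $WORK/ca-bundle.crt
EOF
```

Run it as `sh demo.sh`. With `require_certificate true` the broker rejects any client whose chain does not end in a certificate listed in its `cafile`, so a second CA is accepted only when it is in that file; the client's `--cafile` is untouched by this and must still contain the issuer of server.crt, whichever CA issued the client's own certificate.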

Facing Error while running mosquitto broker using TLS with mosquitto

I am trying to use TLS for communicating over MQTT. I have Ubuntu installed on my system. For using TLS, I have created certificates using the link below:
http://www.embedded101.com/Blogs/PaoloPatierno/entryid/366/mqtt-over-ssl-tls-with-the-m2mqtt-library-and-the-mosquitto-broker
I am able to create the certificates. I have removed bind_address from the config file. I am starting mosquitto with the new config file using mosquitto -c mosquitto_m2mqtt.conf -v. Mosquitto starts, but when I run the mosquitto_sub command, I get the error below:
mosquitto -c mosquitto_m2mqtt.conf -v
1551172930: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551172930: Config loaded from mosquitto_m2mqtt.conf.
1551172930: Opening ipv4 listen socket on port 8883.
1551172930: Opening ipv6 listen socket on port 8883.
Enter PEM pass phrase:
1551172960: New connection from 127.0.0.1 on port 8883.
1551172960: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1551172960: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1551172960: Socket error on client <unknown>, disconnecting.
In the window where I am subscribing, I get the error below:
mosquitto_sub -p 8883 -q 1 -t sensor/temp --cafile /etc/mosquitto/m2mqtt_srv.crt --tls-version tlsv1 -d
Unable to connect (A TLS error occurred.).
Below are the parameters added to the config file.
port 8883
cafile /etc/mosquitto/m2mqtt_ca.crt
certfile /etc/mosquitto/m2mqtt_srv.crt
keyfile /etc/mosquitto/m2mqtt_srv.key
tls_version tlsv1
mosquitto_sub and mosquitto_pub need a host address or IP. For example, locally I use test.mosquitto.org: I downloaded the PEM-formatted certificate file from that site and added just this certificate to the conf file as "cafile". And here is my command:
mosquitto_sub -h test.mosquitto.org -t "test" -p 8883 --cafile "<pem formatted crt file path (downloaded from test.mosquitto.org)>"

Mosquitto TLS, works with MQTTfx but not mosquitto_pub (tlsv1 alert unknown ca)

Quite a strange issue.
I have a mosquitto broker working with TLS.
It is correctly accessible by an MQTTfx client set up for 'Enable SSL/TLS, TLSv1.2, CA certificate file'
The same ca.crt file is used by an OpenWrt mosquitto client issuing
# mosquitto_pub -h x.x.x.x -p 8883 --cafile /etc/mosquitto/certs/ca.crt -i 1.1.1.1 -t test -m 123 -d
it returns
Client 1.1.1.1 sending CONNECT
Error: A TLS error occurred.
At the other end, the broker shows
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client (null), disconnecting.
What is messing me up is the fact that the MQTTfx client is accepted instead, and it's using the same certificate!
New connection from y.y.y.y on port 8883.
New client connected from y.y.y.y as 180ce1c04c1944e1964608221efbcf0a (c1, k60).
Sending CONNACK to 180ce1c04c1944e1964608221efbcf0a (0)
That should mean that the certificate is valid and trusted, shouldn't it?
What's wrong then with the other client using the exact same certificate file?
...in the end, using the --insecure option did the job.
It disables verification of the server hostname in the server certificate.
Well, it works, although using this option in a production environment potentially invalidates the use of encryption.

Securing arduino to mosquitto connection with TLS

I'm trying to secure the connection between the Arduino PubSubClient and the mosquitto broker (which is running on a public server) over TLS.
Normally (on Windows etc.) I can publish/subscribe as below while giving the certificate files (the certificate and key files are in my working directory).
mosquitto_pub -h myhost.com -p 8883 -t "/test" -m "your secure message" --cafile ca.crt --cert client.crt --key client.key
mosquitto_sub -h myhost.com -p 8883 -t "/test" --cafile ca.crt --cert client.crt --key client.key
But is there a way to do this on Arduino?
Your PubSub MQTT client doesn't support SSL/TLS out of the box. You can try integrating it with a lightweight SSL/TLS library.
A few embedded SSL libraries:
https://wolfssl.com/wolfSSL/Products-wolfssl.html
http://www.matrixssl.org/
Or you can opt for the Paho MQTT Client, a prebuilt Arduino port of MQTTClient. It supports MQTT v3.1.1, SSL/TLS, QoS 2, etc., which are not available in the PubSub client.
I don't think there's encryption available for normal Arduino boards, at least not that I've seen. There are a few workarounds though: either you use another broker without encryption on one side (connected to the Arduino) and encryption on the other end (connected to the public broker).
The other option is to use a board that runs Linux and call the mosquitto commands from the Arduino code. Here's an example for the Intel Edison board: https://software.intel.com/en-us/blogs/2015/04/06/using-edison-securely-connect-iot-sensor-to-the-internet-with-mqtt

How do I set up TLS on a mosquitto (MQTT) broker?

I got mosquitto working using plain old TCP, but I want to secure it using SSL/TLS, so I followed the following guide to create the certificates for my mosquitto broker:
https://mosquitto.org/man/mosquitto-tls-7.html
Then I added the following lines to the config file:
listener 8883
cafile /mqtt/certs/ca.crt
certfile /mqtt/certs/server.crt
keyfile /mqtt/certs/server.key
require_certificate false
But now when I try to use mosquitto_sub on another machine to connect to the mosquitto broker over port 8883 (TLS), I get the following error on the broker:
New connection from XX.XXX.XXX.XXX on port 8883.
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client <unknown>, disconnecting.
I've tried doing the mosquitto_sub the following ways:
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --cert client.crt --key client.key
And the certificates on the client side were generated based on the link I mentioned earlier.
Anyone know why this is happening and how I can go about fixing it?
This is the right way to subscribe, as you do not require a client certificate:
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
It seems that the client fails to verify the server certificate.
You should make sure that:
ca.crt is the same on the client and server side
the common name of your server certificate corresponds to its hostname
Also check that you have the same OpenSSL version on the server and client side, as this error can also happen if client and server do not share a common protocol version or cipher.
Hope it helps; otherwise I would be interested to know how you solved this problem.
Try the --insecure option.
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --insecure
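The two failure modes the answers above distinguish (the client cannot build a chain for the broker certificate from its `--cafile`, or the certificate does not name the host given with `-h`), as an added shell example that is not part of the original posts. It builds a self-signed server certificate for a made-up host, broker.example, plus a second self-signed certificate from an unrelated issuer for the same name, and replays with `openssl verify` the two checks mosquitto_sub/mosquitto_pub perform on the broker certificate: chain building against `--cafile`, then matching the `-h` host against the certificate's names. The last two cases mirror `--insecure`, which only drops the hostname check. The openssl command-line tool is required; mqtt.internal is another made-up hostname.

```shell
#!/bin/sh
# Added example, not from the original posts: replay the two checks a
# mosquitto client makes on the broker certificate (chain against --cafile,
# then the -h host against the certificate's names) with openssl, and show
# which of them --insecure removes. Needs the openssl command-line tool;
# broker.example and mqtt.internal are made-up hostnames.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# self_signed NAME HOST: self-signed server certificate for HOST with a DNS
# subjectAltName. Stands in for server.crt; being self-signed, the same file
# is also the ca.crt a client has to be given to trust it.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# check_server CAFILE CERT [HOST]: chain check, then hostname check. With
# HOST omitted only the chain is checked, which is what --insecure leaves in
# place. Prints "ok", "unknown ca" or "hostname mismatch".
check_server() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "unknown ca"
    elif [ -n "${3:-}" ] && \
         ! openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo "hostname mismatch"
    else
        echo "ok"
    fi
}

# names CERT: the identities the client compares the -h host against
names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

self_signed server broker.example   # the broker's certificate
self_signed rogue  broker.example   # same name, unrelated issuer

echo "server.crt carries:"
names "$WORK/server.crt"

CA="$WORK/server.crt"   # what the client passes as --cafile
echo "-h broker.example --cafile ca.crt    -> $(check_server "$CA" "$WORK/server.crt" broker.example)"
echo "-h mqtt.internal  --cafile ca.crt    -> $(check_server "$CA" "$WORK/server.crt" mqtt.internal)"
echo "-h mqtt.internal  ... --insecure     -> $(check_server "$CA" "$WORK/server.crt")"
echo "rogue broker, same name, --insecure  -> $(check_server "$CA" "$WORK/rogue.crt")"
```

Run it as `sh demo.sh`. Two things follow from the output: `--insecure` only disables the hostname check, as the mosquitto_pub manual describes, and does not change which CAs the client trusts, so it cannot turn a certificate from an unknown issuer into a trusted one; and the hostname check compares the `-h` value against the certificate's names, so connecting by IP address fails it unless the certificate carries an iPAddress subjectAltName. Current OpenSSL versions match against subjectAltName when it is present and fall back to the CN only when it is absent, so put the broker's hostname in a DNS SAN rather than relying on the CN alone.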