Securing Arduino to mosquitto connection with TLS - ssl

I'm trying to secure the connection between the Arduino PubSub client and a mosquitto broker (which is running on a public server) over TLS.
Normally (on Windows etc.) I can publish/subscribe like below while giving the certificate files (the certificate and key files are in my working directory):
mosquitto_pub -h myhost.com -p 8883 -t "/test" -m "your secure message" --cafile ca.crt --cert client.crt --key client.key
mosquitto_sub -h myhost.com -p 8883 -t "/test" --cafile ca.crt --cert client.crt --key client.key
But is there a way to do this on Arduino?

Your PubSub MQTT client doesn't support SSL/TLS out of the box. You can try integrating it with some lightweight SSL/TLS libraries.
A few embedded SSL libraries:
https://wolfssl.com/wolfSSL/Products-wolfssl.html
http://www.matrixssl.org/
Or you can opt for the Paho MQTT client, a prebuilt Arduino port of MQTTClient. It supports MQTT v3.1.1, SSL/TLS, QoS 2 etc., which are not available in the PubSub client.

I don't think there's encryption available for normal Arduino boards, at least not that I've seen. There are a few workarounds though: either you use another broker without encryption on one side (connected to the Arduino) and with encryption on the other end (connected to the public broker).
The other option is to use a board that runs Linux and then call mosquitto commands from the Arduino code. Here's an example for the Intel Edison board: https://software.intel.com/en-us/blogs/2015/04/06/using-edison-securely-connect-iot-sensor-to-the-internet-with-mqtt

Related

MQTT MTLS connection with different CA

I am trying mTLS authentication in MQTT. I am using mosquitto to achieve this. When I created the server and client certificates from the same CA, the connection was successful. But if I use a different CA for creating the client certificate, it fails with the message below:
Client null sending CONNECT
OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: The connection was lost.
Is it mandatory to use the same CA for both client and server certificates in mTLS?
mosquitto.conf:
listener 8883
certfile C:\server.crt
keyfile C:\server.key
require_certificate true
cafile C:\mqtt-ssl-demo\ca.crt
allow_anonymous true
Running the broker using:
mosquitto -c "C:\Program Files\mosquitto\mosquitto.conf"
Subscribing with a client whose certificate is signed by the server certificate's CA [SUCCESS]:
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\client.crt --key C:\mqtt-ssl-demo\client.key
Subscribing with a client whose certificate is signed by the other CA [FAILURE]:
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\otherclient.crt --key C:\mqtt-ssl-demo\otherclient.key
I created the certificates following "Mosquitto SSL Configuration - MQTT TLS Security".
The important thing to realise here is that the CA file passed to the broker as part of its config is used to verify the certificate of any connecting clients,
whereas the CA file passed to the client (mosquitto_sub) is used to verify the certificate the broker presents.
So if you are using different CAs then these files need to be different; it's not clear from what you've posted which CA certs you are using where.

using mosquitto_sub with --insecure

Right now I have to do an initial test of an MQTT broker (SSL).
However, right now I don't have the valid truststore certificates; I would still like to test the basic connectivity, ignoring SSL errors regarding hostname verification, certificate validation etc.
Unfortunately I am not successful, even with a broker I know is working.
What I'm doing:
mosquitto_sub -h the_host -p 8883 -t '#' -v -u myUser -P myPass --insecure -d --capath /etc/ssl/certs
According to the manpage I just use --capath to identify it as a TLS connection, well knowing that the necessary root certificate is not available here.
What I get is this:
Client mosqsub|11262-csbox sending CONNECT
Error: A TLS error occurred.
Any idea what I'm doing wrong?
Using --insecure just disables the verification of the hostname in the certificate presented by the broker. It does not remove the need to have a copy of the CA certificate that signed the broker's certificate.
So if /etc/ssl/certs doesn't contain a matching CA certificate then the connection will fail.
If needed, you should be able to use something like openssl s_client to download the certificate chain directly from the broker; you can then point to that file with the --cafile option instead of the --capath option.
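The chain-download step from the answer above, as an added example that is not part of the original answer. The only real tool it assumes is openssl; the s_client output it parses is a constructed sample with placeholder PEM bodies so that the script runs offline, and myhost.com is a placeholder host. One caveat a practitioner should know before relying on the result: `s_client -showcerts` prints only what the broker sends, which is usually the leaf plus intermediates and not the root, while OpenSSL's default verification in mosquitto_sub needs a self-signed root in --cafile. Check the last block with `openssl x509 -noout -subject -issuer` (subject equals issuer for a root); if no root is present, the file is good for a connectivity smoke test but not as a long-term trust anchor.

```shell
#!/bin/sh
# Added example, not from the original answer. Pull the certificate chain a broker
# presents on 8883 with openssl s_client and keep only the PEM blocks, so the result
# can be handed to mosquitto_sub --cafile for a first connectivity test.
set -eu

# Keep only the -----BEGIN/END CERTIFICATE----- blocks from s_client -showcerts output
# (the handshake chatter and the "Verify return code" line are dropped).
extract_pem_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {p=0}'
}

# Number of certificates in a PEM bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Live fetch (needs network): send SNI, close stdin so s_client exits after the handshake.
# $1 = broker host, $2 = port, $3 = output file. Prints the number of certs saved.
fetch_broker_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | extract_pem_chain > "$3"
  count_certs "$3"
}

# Constructed sample of what `openssl s_client -showcerts` prints. The PEM bodies are
# placeholders, not real certificates, so this part runs without network access.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = myhost.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = myhost.com
---
Verify return code: 20 (unable to get local issuer certificate)'

# Offline demonstration on the constructed sample.
demo_chain_file="${TMPDIR:-/tmp}/broker-chain-demo.pem"
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_pem_chain > "$demo_chain_file"
echo "certificates extracted: $(count_certs "$demo_chain_file")"

# Against a real broker the call would be, for a smoke test only:
#   fetch_broker_chain myhost.com 8883 broker-chain.pem
#   mosquitto_sub -h myhost.com -p 8883 -t '#' -v --cafile broker-chain.pem --insecure
```

`--insecure` is kept in the smoke-test command because a chain fetched this way only tells you the broker answers TLS on that port; it says nothing about whether you are talking to the right broker, so replace the file with the real root CA before using the connection for anything that matters.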

Mosquitto TLS/SSL SSL3_READ_BYTES: ssl handshake failure, Error: Success and sslv3 alert

I tried following the guide shown by mosquitto. I launch the broker with
mosquitto -c mosquitto.conf
which defines the port and the location of ca.crt, server.crt and server.key.
Then I followed similar steps, using the same CA file, to sign the client key and certificate.
Then I launched the client:
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] -t "hello" -m "hello world"
When I do it like this, without key and certificate, I get
Error: Success
but when I do it with key and certificate
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] --cert [client.crt path] --key [client1.key path] -t "hello" -m "hello world"
I get
Error: Success
On the server side I see the following errors:
... routines:SSL3_READ_BYTES: sslv3 alert certificate unknown
... routines:SSL3_READ_BYTES: ssl handshake failure
I ran openssl commands to verify that the CA approves of both generated certificates, and it did.
It turns out that when entering the details of the certificate I mistook the purpose of the common name field. After I set it to the IP address of the server, it all worked.
I was getting the same error. I tried to subscribe like this:
mosquitto_sub -h ip_address -p 8883 -t topic --cafile /etc/mosquitto/ca_certificates/ca.crt -d
Replace ip_address with the IP address that you entered when you created the certificate. In your question you wrote localhost; if you replace it with the IP address it will work.

m2mqtt with TLS connection in C#

I can connect to the broker with mosquitto_sub. I am using MQTT and M2Mqtt in C#:
mosquitto_sub -h {URL} -p {PORT} -t {topic} --psk {psk} --psk-identity {psk-identity} --tls-version tlsv1
I have no idea how to implement it with M2Mqtt in C#.
Do I need to generate a certificate file with openssl?

How do I set up TLS on a mosquitto (MQTT) broker?

I got mosquitto working using plain old TCP, but I want to secure it using SSL/TLS, so I followed the following guide to create the certificates for my mosquitto broker:
https://mosquitto.org/man/mosquitto-tls-7.html
Then I added the following lines to the config file:
listener 8883
cafile /mqtt/certs/ca.crt
certfile /mqtt/certs/server.crt
keyfile /mqtt/certs/server.key
require_certificate false
But now when I try to use mosquitto_sub on another machine to connect to the mosquitto broker over port 8883 (TLS), I get the following error on the broker:
New connection from XX.XXX.XXX.XXX on port 8883.
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client <unknown>, disconnecting.
I've tried running mosquitto_sub in the following ways:
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --cert client.crt --key client.key
The certificates on the client side were generated based on the first link I mentioned earlier.
Does anyone know why this is happening and how I can go about fixing it?
This is the right way to subscribe, as you do not require a client certificate:
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
It seems that the client fails to verify the server certificate.
You should make sure that:
ca.crt is the same on the client and server side
the common name of your server certificate corresponds to its hostname
Also check that you have the same OpenSSL version on the server and client side, as this error can also happen if client and server do not use a common protocol or do not share any cipher.
Hope it helps; otherwise I would be interested to know how you solved this problem.
Try the --insecure option.
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --insecure