EG254S: IoT System Project - IoT Security

Activating TLS/SSL in Mosquitto

 (Adapted from: http://www.steves-internet-guide.com/mosquitto-tls)

To activate the TLS/SSL option in Mosquitto, we need to modify Mosquitto's configuration file and edit the TLS items in it.

There are standard ports for MQTT to use. TCP/IP port 1883 is reserved with IANA for use with MQTT. TCP/IP port 8883 is also registered, for use with MQTT over SSL/TLS.

Modify Mosquitto Configuration file

After Step 7 of Configuring TLS/SSL on the Mosquitto Broker, we should already have the file ca.crt in the ca_certificates folder and both server.crt and server.key in the certs folder.

On Raspberry Pi, open the terminal and enter the following command:

pi@raspberrypi:~ $ sudo nano /etc/mosquitto/mosquitto.conf

Locate the line with ‘port 1883’ and add an extra listener:

# =================================================================
# Default listener
# =================================================================

# IP address/hostname to bind the default listener to. If not
# given, the default listener will not be bound to a specific
# address and so will be accessible to all network interfaces.
# bind_address ip-address/host name
#bind_address

# Port to use for the default listener.
port 1883

listener 8883

Add the following lines to define the paths for ca.crt, server.key and server.crt, and the TLS version:

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS
# is 8883, but this must be set manually.
#
# See also the mosquitto-tls man page.

# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "c_rehash <path to capath>" each time you add/remove a certificate.
cafile /etc/mosquitto/ca_certificates/ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/server.crt

# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/server.key

# This option defines the version of the TLS protocol to use for this listener.
# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
# the version of openssl that the broker was compiled against. For openssl >=
# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
# valid values are tlsv1.
tls_version tlsv1

Save the mosquitto.conf file: press Ctrl + X, then type Y to confirm the changes.

Note: I’ve added an extra listener, but you could use the default listener by changing port 1883 to 8883.

Restart Mosquitto.
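As an added example (not code from this handout or from the Mosquitto project), the following Python checker parses the listener section written above into per-listener sections and flags the things that typically go wrong before the restart: a TLS listener with no cafile or capath, a certfile or keyfile path that does not exist, and a tls_version that still permits the deprecated TLS 1.0/1.1. The constructed WEAK_CONF sample uses the handout's paths and its tls_version tlsv1; HARDENED_CONF is the same listener with tlsv1.2, which the config comment above lists as a valid value. The file_exists parameter is a hypothetical hook so the check can run on a machine that has no /etc/mosquitto directory.

```python
"""Lint a Mosquitto listener configuration before restarting the broker.

Added example for this handout (not part of the original page or of the
Mosquitto project). Paths and port numbers are the ones used in the
handout; the two sample configurations at the bottom are constructed.
"""
import os

# TLS 1.0 and 1.1 are deprecated (RFC 8996). The handout's config comment
# lists tlsv1.2 as a valid value for tls_version on openssl >= 1.0.1.
DEPRECATED_TLS = {"tlsv1", "tlsv1.1"}
RECOMMENDED_TLS = "tlsv1.2"


def parse_listeners(conf_text):
    """Split mosquitto.conf into listener sections.

    Options after a `listener` line belong to that listener; options before
    any `listener` line belong to the default listener (selected by `port`).
    Comments and blank lines are skipped.
    """
    listeners = [{"name": "default", "port": None, "options": {}}]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "port":
            listeners[0]["port"] = int(value)
        elif key == "listener":
            port = int(value.split()[0])  # "listener 8883 [bind-address]"
            listeners.append({"name": f"listener {port}", "port": port, "options": {}})
        else:
            listeners[-1]["options"][key] = value
    return listeners


def check_listener(listener, file_exists=os.path.exists):
    """Return a list of findings for one listener (empty list = looks right).

    `file_exists` is a hypothetical hook, injectable so the check can run on
    a machine that does not have the broker's certificate directories.
    """
    opts = listener["options"]
    findings = []
    if "cafile" not in opts and "capath" not in opts:
        # Without a CA file or directory Mosquitto serves this listener in plaintext.
        findings.append("no cafile/capath: listener is plaintext")
        return findings
    for key in ("certfile", "keyfile"):
        if key not in opts:
            findings.append(f"missing {key}")
    for key in ("cafile", "certfile", "keyfile"):
        if key in opts and not file_exists(opts[key]):
            findings.append(f"{key} path does not exist: {opts[key]}")
    version = opts.get("tls_version")
    if version is None:
        findings.append("tls_version unset: the broker default also allows TLS 1.0 and 1.1")
    elif version in DEPRECATED_TLS:
        findings.append(f"tls_version {version} is deprecated; use tls_version {RECOMMENDED_TLS}")
    return findings


def audit(conf_text, file_exists=os.path.exists):
    """Map each listener name to its list of findings."""
    return {l["name"]: check_listener(l, file_exists) for l in parse_listeners(conf_text)}


# Constructed sample: the listener block from the handout with comments stripped.
WEAK_CONF = """\
port 1883

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
"""

# Same listener with the protocol floor raised to TLS 1.2.
HARDENED_CONF = WEAK_CONF.replace("tls_version tlsv1", f"tls_version {RECOMMENDED_TLS}")


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} ---")
        for name, findings in audit(conf).items():
            print(name, "OK" if not findings else "; ".join(findings))
```

On the Pi itself, pass the real file to the checker (for example open('/etc/mosquitto/mosquitto.conf').read() into audit) before running sudo systemctl restart mosquitto; an empty findings list for listener 8883 means the three certificate paths resolve and the listener's protocol floor is TLS 1.2. The default listener on 1883 is reported as plaintext on purpose, since the handout keeps it unencrypted alongside the TLS listener.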