2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
This article explains how to enable TLS for MQTT in EMQ X. The explanation is simple and clear and easy to follow; please work through it with the editor to learn how to enable TLS for MQTT in EMQ X.
TLS/SSL is a security protocol built on modern public-key cryptography that protects data in transit on computer networks. EMQ X has built-in support for TLS/SSL, including one-way and two-way authentication, X.509 certificates, SSL behind a load balancer and other security options. You can enable SSL/TLS for every protocol EMQ X supports, and you can also configure the HTTP API provided by EMQ X to use TLS.
Security benefits brought by SSL/TLS
Strong authentication. When a connection is established with TLS, both parties can check each other's identity. In practice, the usual way of doing this is to check the X.509 digital certificate held by the other party. Such certificates are issued by a trusted authority and cannot be forged in practice.
Confidentiality. Each TLS session is encrypted with a session key that the two parties negotiate between themselves, so no third party can learn the content of the communication. Even if the key of one session is compromised, the security of other sessions is not affected.
Integrity. Data in encrypted communication cannot be tampered with without detection.
SSL/TLS protocol
Communication under the TLS/SSL protocol is divided into two parts. The first part is the handshake protocol, whose purpose is to identify the other party and establish a secure channel; by the time the handshake completes, the two sides have negotiated the cipher suite and session key to be used from then on. The second part is the record protocol. The record protocol is very similar to other data-transfer protocols, carrying fields such as content type, version, length and payload, except that the payload it carries is encrypted.
The figure below shows the TLS/SSL handshake, from the client's "hello" to the server's "finished", which completes the handshake. Readers who are interested can look up more detailed material; not knowing the details of this process does not prevent us from enabling the feature in EMQ X.
SSL/TLS certificate preparation
Generally speaking, digital certificates are needed to provide strong authentication for TLS communication. Using a digital certificate is itself a three-party arrangement: besides the two communicating parties, there is a trusted third party that issues the certificate, and this third party is usually a certificate authority (CA). The CA is normally involved ahead of time, by issuing certificates before communication starts. That is, before TLS communication begins, we need at least two certificates: one for the CA and one for EMQ X. The EMQ X certificate is issued by the CA and is verified against the CA's certificate.
To obtain a certificate that is trusted by the outside world, you need to buy one from a certificate service provider. In a laboratory environment, we can also generate our own certificates to simulate this process. The following explains how to enable SSL/TLS on the EMQ X server in both of these ways.
Note: for the configuration of purchasing certificates and self-signed certificates, readers only need to choose one of them to test according to their own situation.
Purchase certificate
If you have purchased a certificate, you do not need a self-signed certificate.
To simplify the EMQ X configuration, rename the purchased certificate file to emqx.crt and its private key to emqx.key.
Self-signed certificate
Here, we assume that your system already has OpenSSL installed. Using the toolset that comes with OpenSSL, we can generate the certificates we need.
First, we need a self-signed CA certificate. To generate this certificate, you need a private key to sign it with. Execute the following command to generate the private key:
openssl genrsa -out my_root_ca.key 2048
This command generates a 2048-bit RSA private key and saves it in my_root_ca.key. With this key you can generate the root certificate for EMQ X:
openssl req -x509 -new -nodes -key my_root_ca.key -sha256 -days 3650 -out my_root_ca.pem
The root certificate is the starting point of the whole trust chain. If every issuer in a certificate's chain is trusted, all the way up to the root certificate, we can regard that certificate as trusted too. With this root certificate, we can issue entity certificates to other entities.
The entity (in this case, EMQ X) also needs its own private key, which is what gives it control over its certificate. Generating this key works the same way as above:
openssl genrsa -out emqx.key 2048
Create a new openssl.cnf file with the following content:
req_distinguished_name: modify according to your situation.
alt_names: replace BROKER_ADDRESS with the actual IP or DNS address of the EMQ X server, for example IP.1 = 127.0.0.1 or DNS.1 = broker.xxx.com. Clients verify the address they connect to against these entries, so an address missing here will fail verification.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = Server certificate

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = BROKER_ADDRESS
DNS.1 = BROKER_ADDRESS
Then create a certificate signing request with this key and configuration:
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
Then issue the EMQ X entity certificate with the root certificate (the -extensions v3_req and -extfile options copy the subjectAltName from openssl.cnf into the issued certificate):
openssl x509 -req -in ./emqx.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf
Once the certificate is ready, we can enable the TLS/SSL feature of EMQ X.
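The self-signed procedure above, carried through end to end and then checked the way a client will check it, as an added example that is not code from the EMQ X article. It assumes openssl is on PATH, uses 127.0.0.1 as a constructed BROKER_ADDRESS, and adds a [v3_ca] section with explicit CA basicConstraints so the root certificate does not depend on the system's default openssl.cnf; everything else follows the article's openssl.cnf and commands.

```shell
#!/bin/sh
# Added example, not code from the EMQ X article: generate the self-signed
# CA and broker certificate from the section above in a scratch directory,
# then check the result the way a client will before trusting the broker.
# Assumptions: openssl is on PATH; BROKER_ADDRESS is a constructed local
# value; the [v3_ca] section is an addition so the root does not depend on
# the system's default openssl.cnf for its CA basicConstraints.
set -eu

BROKER_ADDRESS=${BROKER_ADDRESS:-127.0.0.1}

# Write the request config (same layout as the article's openssl.cnf, plus
# a v3_ca section), then create root key/cert, broker key, CSR and leaf cert.
make_chain() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = Server certificate

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[alt_names]
IP.1 = $BROKER_ADDRESS
DNS.1 = localhost
EOF
  # Root CA: private key and a self-signed certificate, the trust anchor.
  openssl genrsa -out "$dir/my_root_ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/my_root_ca.key" -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca -subj "/CN=Test Root CA" \
    -out "$dir/my_root_ca.pem"
  # Broker key and a CSR that carries the SAN from the config.
  openssl genrsa -out "$dir/emqx.key" 2048 2>/dev/null
  openssl req -new -key "$dir/emqx.key" -config "$dir/openssl.cnf" -out "$dir/emqx.csr"
  # Sign the CSR with the root, copying v3_req (the SAN) into the leaf.
  openssl x509 -req -in "$dir/emqx.csr" -CA "$dir/my_root_ca.pem" \
    -CAkey "$dir/my_root_ca.key" -CAcreateserial -out "$dir/emqx.pem" \
    -days 3650 -sha256 -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null
}

# Succeed only if the leaf chains to the root, the SAN names the broker
# address a client will dial, and the private key matches the certificate.
verify_chain() {
  dir=$1
  openssl verify -CAfile "$dir/my_root_ca.pem" "$dir/emqx.pem" 2>/dev/null | grep -q ': OK$' || return 1
  openssl x509 -in "$dir/emqx.pem" -noout -text | grep -q "IP Address:$BROKER_ADDRESS" || return 1
  leaf_pub=$(openssl x509 -in "$dir/emqx.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/emqx.key" -pubout 2>/dev/null)
  [ "$leaf_pub" = "$key_pub" ]
}

# A leaf must NOT verify against a CA that did not issue it; this is what
# protects a client from a broker that presents someone else's chain.
verify_with_wrong_ca() {
  ! openssl verify -CAfile "$2/my_root_ca.pem" "$1/emqx.pem" 2>/dev/null | grep -q ': OK$'
}

# Usage: make_chain ./certs && verify_chain ./certs && echo "chain OK"
```

The three checks in verify_chain are exactly what fails most often in practice: a leaf signed by the wrong key, a SAN that does not contain the address typed into the client, or a key file that does not belong to the certificate copied into etc/certs/.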
SSL/TLS enable and verify
The default listening port for mqtt:ssl in EMQ X is 8883.
Purchase certificate EMQ X configuration
Copy the renamed emqx.key file and emqx.crt file to the etc/certs/ directory of EMQ X, and modify emqx.conf by referring to the following configuration:
## listener.ssl.$name is the IP address and port that the MQTT/SSL
## listener will bind.
## Value: IP:Port | Port
listener.ssl.external = 8883

## Path to the file containing the user's private PEM-encoded key.
## Value: File
listener.ssl.external.keyfile = etc/certs/emqx.key

## Path to a file containing the user certificate.
## Value: File
listener.ssl.external.certfile = etc/certs/emqx.crt

MQTT connection test
When the configuration is complete and EMQ X is restarted, we use the MQTT client tool, MQTT X, which is cross-platform and supports MQTT 5.0, to verify that the TLS service is functioning properly.
MQTT X version requirements: v1.3.2 and above
Refer to the following figure to create an MQTT client in MQTT X (replace mqttx.app in the Host input box with your actual domain name).
Note: you only need to select CA signed server in the Certificate column. When using a purchased certificate for a one-way authenticated connection, you do not need to supply any certificate files (CA files), because the client already trusts the issuing CA through its system trust store.
Click the Connect button. After the connection is successful, if the MQTT publish / subscribe operation can be performed normally, the SSL one-way authentication configuration for purchasing the certificate is successful.
Self-signed certificate EMQ X configuration
Copy the emqx.pem, emqx.key, and my_root_ca.pem files generated by the OpenSSL tool to the etc/certs/ directory of EMQ X, and modify the emqx.conf with reference to the following configuration:
## listener.ssl.$name is the IP address and port that the MQTT/SSL
## listener will bind.
## Value: IP:Port | Port
listener.ssl.external = 8883

## Path to the file containing the user's private PEM-encoded key.
## Value: File
listener.ssl.external.keyfile = etc/certs/emqx.key

## Path to a file containing the user certificate.
## Value: File
listener.ssl.external.certfile = etc/certs/emqx.pem

## Path to the file containing PEM-encoded CA certificates.
## Value: File
listener.ssl.external.cacertfile = etc/certs/my_root_ca.pem

MQTT connection test
When the configuration is complete and EMQ X is restarted, we use the MQTT client tool, MQTT X, which is cross-platform and supports MQTT 5.0, to verify that the TLS service is functioning properly.
MQTT X version requirements: v1.3.2 and above
Create an MQTT client in MQTT X according to the figure below (replace 127.0.0.1 in the Host input box with the actual EMQ X server IP).
In this case, you need to select Self signed in the Certificate column and supply the my_root_ca.pem file generated in the self-signed certificate step, since the client has no other way to trust a CA you created yourself.
Click the Connect button. After the connection is successful, if the MQTT publish / subscribe operation can be performed normally, the SSL one-way authentication configuration of the self-signed certificate is successful.
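The same one-way authentication check done from the command line with openssl s_client, as an added example that is not part of the EMQ X article: it covers both the purchased-certificate test (no CA file, system trust store) and the self-signed test (my_root_ca.pem supplied). The host, port and CA path arguments are placeholders to fill in for your broker.

```shell
#!/bin/sh
# Added example, not code from the EMQ X article: check a broker's TLS
# listener with openssl s_client, the CLI equivalent of the MQTT X test.
# Assumed arguments: host, port and the CA file the client should trust
# (my_root_ca.pem for the self-signed setup; empty for a purchased
# certificate, so the system trust store is used instead).
set -u

# Return 0 only if the TLS handshake with $1:$2 completes AND the server
# certificate verifies against $3 (or the system store when $3 is empty).
# -verify_return_error turns a verification failure into a handshake
# failure instead of a warning, which is how a real MQTT client behaves.
check_broker_tls() {
  host=$1; port=$2; cafile=${3:-}
  ca_opt=""
  [ -n "$cafile" ] && ca_opt="-CAfile $cafile"
  # shellcheck disable=SC2086
  openssl s_client -connect "$host:$port" -servername "$host" $ca_opt \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Print the subject and SAN of the certificate the broker presents, so a
# mismatch between the SAN and the Host typed into MQTT X is obvious.
show_broker_cert() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -text \
    | grep -E 'Subject:|DNS:|IP Address:'
}

# Usage (placeholder values; 8883 is the article's mqtt:ssl port):
#   check_broker_tls 127.0.0.1 8883 etc/certs/my_root_ca.pem && echo "self-signed: TLS OK"
#   check_broker_tls broker.xxx.com 8883 && echo "purchased cert: TLS OK"
#   check_broker_tls 127.0.0.1 8883 || echo "self-signed without CA file is rejected, as expected"
#   show_broker_cert 127.0.0.1 8883
```

Running check_broker_tls against a self-signed broker without the CA file should fail; if it succeeds, the client is not actually verifying the server, which is the first thing to rule out before trusting a "connection successful" result.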
EMQ X Dashboard verification
Finally, open the Dashboard of EMQ X and you can see that there is a mqtt:ssl connection on port 8883 on the Listeners page.
Thank you for reading. The above is the content of "how to enable TLS for MQTT in EMQ X". After studying this article, you should have a deeper understanding of how to enable TLS for MQTT in EMQ X; the specific usage still needs to be verified in practice. The editor will continue to publish related articles, so you are welcome to follow.