2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to enable a two-way (mutual) SSL/TLS secure connection for MQTT in EMQ X. The method is simple, fast and practical.
TLS/SSL is a security protocol built on modern public-key cryptography that protects data in transit over a computer network. EMQ X has built-in support for TLS/SSL, including one-way and two-way authentication, X.509 certificates, and SSL termination behind a load balancer. You can enable SSL/TLS for every protocol EMQ X supports, and you can also configure the HTTP API provided by EMQ X to use TLS.
Security benefits brought by SSL/TLS
Strong authentication. When a TLS connection is established, each side of the communication can check the other side's identity. In practice this is usually done by checking the X.509 digital certificate held by the other party. Such certificates are issued by a trusted authority and cannot be forged.
Confidentiality. Every TLS session is encrypted with a session key that the two parties negotiate between themselves, so no third party can read the content of the communication. Even if the key of one session is compromised, the security of other sessions is not affected.
Integrity. Data in an encrypted TLS session cannot be tampered with without the tampering being detected.
SSL/TLS protocol
Communication under the TLS/SSL protocol is divided into two parts. The first part is the handshake protocol, whose purpose is to authenticate the other party and establish a secure channel; during the handshake the two sides negotiate the cipher suite and the session key that will be used afterwards. The second part is the record protocol. The record protocol is very similar to other data-transfer protocols, carrying fields such as content type, version, length and payload, except that the payload it carries is encrypted.
The handshake runs from the "hello" message sent by the client to the "finished" message sent by the server (the original article illustrates this with a figure, which is not reproduced here). Readers who are interested can look up the details; you do not need to understand the full handshake in order to enable this feature in EMQ X.
Why do you need SSL/TLS two-way authentication
Two-way authentication means that both the server and the client present a certificate when the connection is authenticated, and each side verifies the other's identity, so that both participants in the communication are trusted. Each party shares its public certificate with the other, and each then verifies the certificate it received. Application scenarios with high security requirements should enable two-way SSL/TLS authentication.
SSL/TLS certificate preparation
In two-way authentication, self-signed certificates are commonly used for both the server-side and client-side certificates, so this article uses self-signed certificates as its example.
Generally speaking, digital certificates are what give TLS its strong authentication. Using a digital certificate is an agreement between three parties: besides the two communicating parties there is a trusted third party that issues the certificate, the CA. Interaction with the CA normally happens in advance, when the certificate is issued. This means that at the start of TLS communication we need at least two certificates: one for the CA and one for EMQ X, where the EMQ X certificate is issued by the CA and is verified against the CA's certificate.
Here we assume that OpenSSL is already installed on your system. Using the tools that come with OpenSSL, we can generate the certificates we need.
Generate a self-signed CA certificate
First we need a self-signed CA certificate. To create this certificate you need a private key to sign it with. Execute the following command to generate the private key:
openssl genrsa -out my_root_ca.key 2048
This command generates a 2048-bit RSA key and saves it in my_root_ca.key. With this key you can then generate the root certificate that will be used for EMQ X:
openssl req -x509 -new -nodes -key my_root_ca.key -sha256 -days 3650 -out my_root_ca.pem
The root certificate is the starting point of the whole trust chain. If each level of the issuer of a certificate is trusted all the way up to the root certificate, we can think that the certificate is also trusted. With this root certificate, we can use it to issue entity certificates to other entities.
Generate server certificate
The entity (in this case EMQ X) also needs its own private key so that it controls its own certificate. Generating this key works the same way as above:
openssl genrsa -out emqx.key 2048
Next, create a new openssl.cnf file with the content below:
req_distinguished_name: adjust the fields to your situation.
alt_names: replace BROKER_ADDRESS with the actual IP or DNS address of the EMQ X server, for example IP.1 = 127.0.0.1 or DNS.1 = broker.xxx.com.
Note: keep both the IP and DNS entries. If you have a registered domain name, keep only the DNS entry and set it to the domain name you are using.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = CA

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = BROKER_ADDRESS
DNS.1 = BROKER_ADDRESS
Then create a certificate signing request with this key and configuration:
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
Then issue the EMQ X entity certificate with the root certificate:
openssl x509 -req -in ./emqx.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf
Generate client certificate
Two-way authentication also requires a client certificate. First create a client key:
openssl genrsa -out client.key 2048
Use the generated client key to create a client certificate signing request:
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=EMQX/CN=client"
Finally, sign the client request with the CA certificate generated earlier to produce the client certificate:
openssl x509 -req -days 3650 -in client.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out client.pem
Once the server and client certificates are ready, we can enable TLS/SSL two-way authentication in EMQ X.
Enable and verify the two-way connection of SSL/TLS
The default listening port for mqtt:ssl in EMQ X is 8883.
EMQ X configuration
Copy the emqx.pem, emqx.key and my_root_ca.pem files generated with OpenSSL into the etc/certs/ directory of EMQ X, then edit emqx.conf following the configuration below:
## listener.ssl.$name is the IP address and port that the MQTT/SSL
## Value: IP:Port | Port
listener.ssl.external = 8883

## Path to the file containing the user's private PEM-encoded key.
## Value: File
listener.ssl.external.keyfile = etc/certs/emqx.key

## Path to a file containing the user certificate.
## Value: File
listener.ssl.external.certfile = etc/certs/emqx.pem

## Path to the file containing PEM-encoded CA certificates. The CA certificates
## Value: File
listener.ssl.external.cacertfile = etc/certs/my_root_ca.pem

## A server only does x509-path validation in mode verify_peer,
## as it then sends a certificate request to the client (this
## message is not sent if the verify option is verify_none).
## Value: verify_peer | verify_none
listener.ssl.external.verify = verify_peer
MQTT connection test
Once the configuration is complete and EMQ X has been restarted, we use the MQTT X client tool (cross-platform, with MQTT 5.0 support) to verify that the TLS two-way authentication service is working properly.
MQTT X version requirements: v1.3.2 and above
Create an MQTT client in MQTT X as shown in the original article's figure (not reproduced here); replace 127.0.0.1 in the Host field with the actual IP address of the EMQ X server.
In the Certificate field select Self signed, and supply the my_root_ca.pem file generated above as the CA certificate, client.pem as the client certificate and client.key as the client key.
Click the Connect button. If the connection succeeds and MQTT publish/subscribe operations work normally, the SSL two-way authentication configuration is correct.
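As an added example (not from the original article or from EMQ X), the same check that MQTT X performs above can be scripted: the probe below connects to the mqtt:ssl listener on 8883 with the my_root_ca.pem, client.pem and client.key files generated in the certificate section, sends a minimal MQTT 3.1.1 CONNECT, and reports the CONNACK. It then repeats the connection without a client certificate, which a correctly enforced two-way listener must reject. HOST and the client id "mtls-probe" are assumptions; the files are assumed to be in the current directory.

```python
"""Probe an EMQ X mqtt:ssl listener with and without a client certificate.
Added example, not part of the original article or of EMQ X itself."""
import socket
import ssl
import struct
from typing import Optional

HOST = "127.0.0.1"   # assumption: must match the IP/DNS entry in alt_names
PORT = 8883          # default mqtt:ssl port in EMQ X

def build_connect_packet(client_id: str) -> bytes:
    """Minimal MQTT 3.1.1 CONNECT: clean session, keep-alive 30 s, no user/password."""
    def mqtt_str(s: str) -> bytes:
        b = s.encode()
        return struct.pack("!H", len(b)) + b
    var_hdr = mqtt_str("MQTT") + bytes([4, 0x02]) + struct.pack("!H", 30)
    body = var_hdr + mqtt_str(client_id)
    return bytes([0x10, len(body)]) + body   # remaining length is < 128 here

def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = connection accepted)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 2:
        raise ValueError(f"not a CONNACK: {data!r}")
    return data[3]

def make_context(cafile: Optional[str], certfile: Optional[str],
                 keyfile: Optional[str]) -> ssl.SSLContext:
    # Verifies the broker's chain against my_root_ca.pem and checks HOST against the SAN.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:                                   # client identity for two-way auth
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def probe(cafile: str, certfile: Optional[str] = None,
          keyfile: Optional[str] = None) -> str:
    """'accepted:<rc>' if TLS completed and the broker answered CONNECT,
    otherwise 'rejected:<exception class>'."""
    ctx = make_context(cafile, certfile, keyfile)
    try:
        with socket.create_connection((HOST, PORT), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            tls.sendall(build_connect_packet("mtls-probe"))
            return f"accepted:{parse_connack(tls.recv(4))}"
    except (ssl.SSLError, OSError, ValueError) as exc:
        return f"rejected:{type(exc).__name__}"

if __name__ == "__main__":
    print("with client cert   :", probe("my_root_ca.pem", "client.pem", "client.key"))
    print("without client cert:", probe("my_root_ca.pem"))   # expected: rejected
```

If the second probe reports accepted, the listener verifies client certificates that are presented but does not require one; in EMQ X 4.x the additional setting listener.ssl.external.fail_if_no_peer_cert = true (not shown in the article's configuration) makes the broker refuse connections from clients that send no certificate.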
EMQ X Dashboard verification
Finally, open the EMQ X Dashboard: on the Listeners page you will see an mqtt:ssl connection on port 8883.
At this point we have completed the SSL/TLS configuration of the EMQ X server and tested the two-way authenticated connection.
You should now have a better understanding of how to enable a two-way SSL/TLS secure connection for MQTT in EMQ X; trying it in practice is the best way to consolidate it.