1 基础知识
1.1 前言
本章将借助第三方的脚本(generate-CA.sh)配置Mosquitto的TLS加密通讯,本章内容包括服务器端与客户端的证书创建以及引用。
1.2 TLS
1.2.1 TLS的介绍
– TLS,即英文Transport Layer Security的缩写,中文翻译为传输层安全协议
– TLS,用于防止两个应用程序通过网络进行数据交换时被窃听和篡改
– TLS,协议采用主从式架构模型(即C/S架构)
– TLS,由两层组成,TLS记录协议(TLS Record)和TLS握手协议(TLS Handshake)
– TLS,优势在于能与应用层协议(如HTTP、FTP、Telnet)无缝耦合
1.2.2 TLS的工作原理
– 客户端请求支持TLS协议的服务器创建安全连接并返回客户端支持的密码组合(加密密码算法和加密哈希函数),即握手开始
– 服务和从客户端提供的列表中选出可用的加密和散列函数,并通知客户端
– 客户端确认服务器颁发的证书是有效的
– 客户端使用服务器的公钥加密随机生成秘钥并发给服务器端(该私钥只能由服务器自己的私钥解密)
– 双方利用随机数生成用于加密和解密的对称秘钥,至此TLS握手结束
注:握手完毕直到连接被关闭的通讯都是安全的通讯连接
2 最佳实践
2.1 环境配置
2.1.1 环境信息
Server,
hostname = mosquitto.cmdschool.org
ip addresses = 10.168.0.91
OS = CentOS 7.6 x86_64
Cient,
hostname = client.cmdschool.org
ip addresses = 10.168.0.8
OS = CentOS 7.6 x86_64
2.1.2 部署服务器端
In Server,
本章假设你已经完成Mosquitto的配置,本章使用的范例是1.5.8版本,
https://www.cmdschool.org/archives/6833
如果需要1.6.3版本请参阅如下文章,
https://www.cmdschool.org/archives/6559
2.1.3 开放服务端口
In Server,
firewall-cmd --permanent --add-port=8883/tcp firewall-cmd --reload firewall-cmd --list-all
2.2 创建服务器端证书
In Server,
2.2.1 创建证书临时目录
mkdir ~/autoCA/
2.2.2 下载证书创建脚本
cd ~/autoCA/ wget https://github.com/owntracks/tools/raw/master/TLS/generate-CA.sh
你可使用如下命令查阅脚本的内容,
cat ~/autoCA/generate-CA.sh
脚本内容如下,
#!/usr/bin/env bash #(@)generate-CA.sh - Create CA key-pair and server key-pair signed by CA # Copyright (c) 2013-2016 Jan-Piet Mens # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. Neither the name of mosquitto nor the names of its # contributors may be used to endorse or promote products derived from # this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # # Usage: # ./generate-CA.sh creates ca.crt and server.{key,crt} # ./generate-CA.sh hostname creates hostname.{key,crt} # ./generate-CA.sh client email creates email.{key,crt} # # Set the following optional environment variables before invocation # to add the specified IP addresses and/or hostnames to the subjAltName list # These contain white-space-separated values # # IPLIST="172.13.14.15 192.168.1.1" # HOSTLIST="a.example.com b.example.com" set -e export LANG=C kind=server if [ $# -ne 2 ]; then kind=server host=$(hostname -f) if [ -n "$1" ]; then host="$1" fi else kind=client CLIENT="$2" fi [ -z "$USER" ] && USER=root DIR=${TARGET:='.'} # A space-separated list of alternate hostnames (subjAltName) # may be empty "" ALTHOSTNAMES=${HOSTLIST} ALTADDRESSES=${IPLIST} CA_ORG='/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net' CA_DN="/CN=An MQTT broker${CA_ORG}" CACERT=${DIR}/ca SERVER="${DIR}/${host}" SERVER_DN="/CN=${host}$CA_ORG" keybits=2048 openssl=$(which openssl) MOSQUITTOUSER=${MOSQUITTOUSER:=$USER} # Signature Algorithm. To find out which are supported by your # version of OpenSSL, run `openssl dgst -help` and set your # signature algorithm here. For example: # # defaultmd="-sha256" # defaultmd="-sha512" function maxdays() { nowyear=$(date +%Y) years=$(expr 2032 - $nowyear) days=$(expr $years '*' 365) echo $days } function getipaddresses() { /sbin/ifconfig | grep -v tunnel | sed -En '/inet6? /p' | sed -Ee 's/inet6? (addr:)?//' | awk '{print $1;}' | sed -e 's/[%/].*//' | egrep -v '(::1|127\.0\.0\.1)' # omit loopback to add it later } function addresslist() { ALIST="" for a in $(getipaddresses); do ALIST="${ALIST}IP:$a," done ALIST="${ALIST}IP:127.0.0.1,IP:::1," for ip in $(echo ${ALTADDRESSES}); do ALIST="${ALIST}IP:${ip}," done for h in $(echo ${ALTHOSTNAMES}); do ALIST="${ALIST}DNS:$h," done ALIST="${ALIST}DNS:localhost" echo $ALIST } days=$(maxdays) if [ -n "$CAKILLFILES" ]; then rm -f $CACERT.??? $SERVER.??? $CACERT.srl fi if [ ! -f $CACERT.crt ]; then # ____ _ # / ___| / \ # | | / _ \ # | |___ / ___ \ # \____/_/ \_\ # # Create un-encrypted (!) key $openssl req -newkey rsa:${keybits} -x509 -nodes $defaultmd -days $days -extensions v3_ca -keyout $CACERT.key -out $CACERT.crt -subj "${CA_DN}" echo "Created CA certificate in $CACERT.crt" $openssl x509 -in $CACERT.crt -nameopt multiline -subject -noout chmod 400 $CACERT.key chmod 444 $CACERT.crt chown $MOSQUITTOUSER $CACERT.* echo "Warning: the CA key is not encrypted; store it safely!" fi if [ $kind == 'server' ]; then # ____ # / ___| ___ _ ____ _____ _ __ # \___ \ / _ \ '__\ \ / / _ \ '__| # ___) | __/ | \ V / __/ | # |____/ \___|_| \_/ \___|_| # if [ ! -f $SERVER.key ]; then echo "--- Creating server key and signing request" $openssl genrsa -out $SERVER.key $keybits $openssl req -new $defaultmd \ -out $SERVER.csr \ -key $SERVER.key \ -subj "${SERVER_DN}" chmod 400 $SERVER.key chown $MOSQUITTOUSER $SERVER.key fi if [ -f $SERVER.csr -a ! -f $SERVER.crt ]; then # There's no way to pass subjAltName on the CLI so # create a cnf file and use that. CNF=`mktemp /tmp/cacnf.XXXXXXXX` || { echo "$0: can't create temp file" >&2; exit 1; } sed -e 's/^.*%%% //' > $CNF <&2; exit 1; } # Mosquitto's use_identity_as_username takes the CN attribute # so we're populating that with the client's name sed -e 's/^.*%%% //' > $CNF <&2; exit 1; } sed -e 's/^.*%%% //' > $CNF <<\!ENDClientconfig %%% [ JPMclientextensions ] %%% basicConstraints = critical,CA:false %%% subjectAltName = email:copy %%% nsCertType = client,email %%% extendedKeyUsage = clientAuth,emailProtection %%% keyUsage = digitalSignature, keyEncipherment, keyAgreement %%% nsComment = "Client Broker Certificate" %%% subjectKeyIdentifier = hash %%% authorityKeyIdentifier = keyid,issuer:always !ENDClientconfig SUBJALTNAME="$(addresslist)" export SUBJALTNAME # Use environment. Because I can. ;-) echo "--- Creating and signing client certificate" $openssl x509 -req $defaultmd \ -in $CLIENT.csr \ -CA $CACERT.crt \ -CAkey $CACERT.key \ -CAcreateserial \ -CAserial "${DIR}/ca.srl" \ -out $CLIENT.crt \ -days $days \ -extfile ${CNF} \ -extensions JPMclientextensions rm -f $CNF chmod 444 $CLIENT.crt fi fi
2.2.3 自定义证书脚本变量
cp ~/autoCA/generate-CA.sh ~/autoCA/generate-CA.sh.default vim ~/autoCA/generate-CA.sh
启用或修改如下参数,
IPLIST="10.168.0.91" HOSTLIST="mosquitto.cmdschool.org" CA_ORG='/O=cmdschool.org/OU=cmdschool/emailAddress=will@cmdschool.org' CA_DN="/CN=mosquitto.cmdschool.org${CA_ORG}"
注:
– 变量“IPLIST”与“HOSTLIST”应该尽量在正式代码前定义
– 变量“IPLIST”与“HOSTLIST”参数用于声明服务器的IP和域名
– 变量“IPLIST”与“HOSTLIST”需要声明多个参数时,请使用空格分隔
2.2.4 创建服务器端证书
cd ~/autoCA/ sh generate-CA.sh
运行脚本后,你可使用如下命令查看创建的证书,
ls -l ~/autoCA/
可见如下显示,
total 36 -r--r--r--. 1 root root 1326 Aug 9 19:35 ca.crt -r--------. 1 root root 1704 Aug 9 19:35 ca.key -rw-r--r--. 1 root root 17 Aug 9 19:35 ca.srl -rw-r--r--. 1 root root 8711 Aug 9 19:35 generate-CA.sh -r--r--r--. 1 root root 1887 Aug 9 19:35 mosquitto.cmdschool.org.crt -rw-r--r--. 1 root root 1021 Aug 9 19:35 mosquitto.cmdschool.org.csr -r--------. 1 root root 1679 Aug 9 19:35 mosquitto.cmdschool.org.key
证书创建后,我们建议你使用如下命令查看证书的信息,
openssl x509 -in ~/autoCA/ca.crt -nameopt multiline -subject -noout openssl x509 -in ~/autoCA/mosquitto.cmdschool.org.crt -nameopt multiline -subject -noout
可见如下输出,
subject= commonName = mosquitto.cmdschool.org organizationName = cmdschool.org organizationalUnitName = cmdschool emailAddress = will@cmdschool.org
2.3 配置服务器端证书
In Server,
2.3.1 部署服务器端证书
cd ~/autoCA/ mkdir -p /etc/mosquitto/ca_certificates/ mkdir -p /etc/mosquitto/certs/ cp ca.crt /etc/mosquitto/ca_certificates/ cp mosquitto.cmdschool.org.crt mosquitto.cmdschool.org.key /etc/mosquitto/certs/
证书部署完毕后,我建议你使用以下命令配置证书的安全权限,
chmod 600 /etc/mosquitto/certs/mosquitto.cmdschool.org.key chown mosquitto:root /etc/mosquitto/certs/mosquitto.cmdschool.org.key
2.3.2 引用服务器端证书
vim /etc/mosquitto/conf.d/tls.conf
加入如下配置,
listener 8883 cafile /etc/mosquitto/ca_certificates/ca.crt keyfile /etc/mosquitto/certs/mosquitto.cmdschool.org.key certfile /etc/mosquitto/certs/mosquitto.cmdschool.org.crt tls_version tlsv1.2
另外,如果要同时保留1883端口,请按如下配置书写,
port 1883 listener 8883 cafile /etc/mosquitto/ca_certificates/ca.crt keyfile /etc/mosquitto/certs/mosquitto.cmdschool.org.key certfile /etc/mosquitto/certs/mosquitto.cmdschool.org.crt tls_version tlsv1.2
需要注意的是,紧跟端口的配置一般只在声明的端口范围内生效,修改完配置后,你需要重启服务使配置生效,
systemctl restart mosquitto.service
重启完毕后,我们建议你检查服务状态,
systemctl status mosquitto.service
并且,查看加密端口的倾听状态,
netstat -antp | grep 8883
如果信息显示如下则正常,
tcp 0 0 0.0.0.0:8883 0.0.0.0:* LISTEN 8174/mosquitto tcp6 0 0 :::8883 :::* LISTEN 8174/mosquitto
2.4 服务端自测TLS证书
2.4.1 订阅主题
mosquitto_sub -t 'test/topic' -v --cafile ~/autoCA/ca.crt
注:以上命令启动后会一直倾听,请不要按【Ctrl+C】等键关闭
2.4.2 发布消息
mosquitto_pub -t 'test/topic' -m 'hello world' --cafile ~/autoCA/ca.crt
2.5 配置支持的密码算法
In Server,
2.5.1 列出openSSL的加密算法
openssl ciphers
可见如下输出,
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
2.5.2 声明mosquitto支持的加密算法
vim /etc/mosquitto/conf.d/tls.conf
将上一条命令的输出用“ciphers”参数在配置文件内声明,
ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
需要注意的是,以上不一定要全部套用,需要根据你的实际环境和要求决定,修改完配置后,你需要重启服务使配置生效,
systemctl restart mosquitto.service
2.5.3 使用订阅主题验证新配置
mosquitto_sub -t 'test/topic' -v --cafile ~/autoCA/ca.crt
2.5.4 使用发布消息验证新配置
mosquitto_pub -t 'test/topic' -m 'hello world' --cafile ~/autoCA/ca.crt
2.6 非本机测试
2.6.1 部署证书到客户端
In Server,
scp ~/autoCA/ca.crt 10.168.0.8:~
2.6.2 配置客户端的名称解析
In Client,
echo '10.168.0.91 mosquitto.cmdschool.org' >> /etc/hosts
注:以上设置仅适用于测试环境,生产环境中请使用DNS代替
2.6.3 向服务器订阅主题
In Client,
mosquitto_sub -t 'test/topic' -v --cafile ~/ca.crt -h mosquitto.cmdschool.org
2.6.4 向服务器发布消息
In Client,
mosquitto_pub -t 'test/topic' -m 'hello world' --cafile ~/ca.crt -h mosquitto.cmdschool.org
注:
– 参数“-h”指定服务器端的域名
– 以上工具请按服务器的安装方法自行编译安装
2.7 要求验证客户端的证书(可选)
2.7.1 增加服务器端证书参数
In Server,
echo 'require_certificate true' >> /etc/mosquitto/conf.d/tls.conf
修改完配置后,你需要重启服务使配置生效,
systemctl restart mosquitto.service
2.7.2 创建客户端证书
In Server,
cd ~/autoCA/ openssl genrsa -out client.key 2048 openssl req -new \ -key client.key \ -subj "/CN=client/O=cmdschool.org" \ -out client.csr openssl x509 -req \ -in client.csr \ -CA ca.crt \ -CAserial ca.srl \ -CAkey ca.key \ -days 3650 \ -addtrust clientAuth \ -out client.crt
注:参数“-addtrust”增加客户端认证成功的关键
2.7.3 部署证书到客户端
In Server,
scp ~/autoCA/ca.crt ~/autoCA/client.crt ~/autoCA/client.key 10.168.0.8:~
2.7.4 订阅主题
In Client,
mosquitto_sub -t 'test/topic' -v --cafile ~/ca.crt --cert ~/client.crt --key ~/client.key -h mosquitto.cmdschool.org
以上使用“–cert”与“–key”参数向服务器提交客户端证书,如果不使用以上参数,一般会有以下提示,
Error: A TLS error occurred.
2.7.5 发布消息
In Client,
mosquitto_pub -t 'test/topic' -m 'hello world' --cafile ~/ca.crt --cert ~/client.crt --key ~/client.key -h mosquitto.cmdschool.org
官方文档
====================
官方手册
———–
https://mosquitto.org/man/mosquitto-tls-7.html
https://mosquitto.org/man/mosquitto-conf-5.html
https://mosquitto.org/man/mosquitto_sub-1.html
https://mosquitto.org/man/mosquitto_pub-1.html
知识扩展
———–
https://baike.baidu.com/item/TLS/2979545?fr=aladdin
非官方的参考文章
————–
https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh
http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt
https://jpmens.net/2014/07/03/the-mosquitto-mqtt-broker-gets-websockets-support/
没有评论