MQTT mosquitto supports both one-way and two-way (mutual) SSL authentication. The previous section covered how to configure one-way SSL; this section looks at how the configuration file for two-way SSL authentication should be written. What is two-way SSL authentication? Put simply, before the encrypted SSL session is established, both parties to the connection (in our case the mosquitto broker and the MQTT client, i.e. the sender or receiver of messages) verify each other's certificate, for example checking that it was issued by a trusted CA. In one-way SSL only the client verifies the broker; in two-way SSL the broker additionally refuses any client that cannot present a certificate it trusts.
As mentioned in the previous section, mosquitto is started with the following command
mosquitto [-c config file] [ -d | --daemon ] [-p port number] [-v]
which selects how the broker runs, where:
-c names the configuration file holding the tunable settings: whether basic (username/password) authentication is enabled, which port to listen on, the one-way and two-way SSL options, and so on.
-d runs mosquitto in the background as a daemon.
-p makes the broker listen on the given port; note that the mosquitto man page describes this as acting in addition to, not instead of, the port set in the -c configuration file, so it is simplest to define listeners only in the configuration file.
-v enables verbose (debug) output, which is useful when diagnosing TLS handshake failures.
Assume we have already used OpenSSL to generate a CA certificate, a server certificate and private key signed by that CA, and a client certificate and private key signed by the same CA. (Only the CA certificate is self-signed; the server and client certificates must be signed by the CA listed in cafile, otherwise the verification described below fails.) The server-side files are stored at:
(1) CA certificate
D:\mosquitto\certificates\ca.crt
(2) Server certificate (signed by the CA)
D:\mosquitto\certificates\server.crt
(3) Server private key
D:\mosquitto\certificates\server.key
Assume the following configuration is stored in a text file named D:\mosquitto\twowayssl.conf:
# See also the mosquitto-tls man page.
# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "c_rehash <path to capath>" each time you add/remove a certificate.
cafile D:\mosquitto\certificates\ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile D:\mosquitto\certificates\server.crt

# Path to the PEM encoded keyfile.
keyfile D:\mosquitto\certificates\server.key

# This option defines the version of the TLS protocol to use for this listener.
# The default value will always be the highest version that is available for
# the version of openssl that the broker was compiled against. For openssl >=
# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
# valid values are tlsv1.
tls_version tlsv1

# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
require_certificate true

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
use_identity_as_username true
As the listing shows, two-way authentication differs from one-way authentication in that, in addition to the CA certificate and the server certificate and private key that one-way SSL already requires, the following two options must be switched on. With require_certificate true the broker demands a client certificate during the TLS handshake and verifies it against the CA in cafile; a client that has no certificate, or one signed by a different CA, is disconnected before any MQTT packet is exchanged. With use_identity_as_username true the CN of that verified certificate becomes the MQTT username, so the CN must be chosen deliberately and password_file is ignored for this listener. One caveat on the listing above: tls_version tlsv1 pins the listener to TLS 1.0, which is obsolete; on any current OpenSSL set tls_version tlsv1.2, or leave the option out so the broker negotiates the highest version available.
# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
require_certificate true

# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
use_identity_as_username true
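The text assumes the CA, server and client certificates already exist. The script below is an added example, not part of the original post or of the mosquitto project: it generates a private CA, a CA-signed server certificate and a CA-signed client certificate with OpenSSL, writes a mutual-TLS listener configuration equivalent to the one above (Linux paths, the hostname mqtt.example.local, the client CN sensor-01 and the output directory are assumptions of this example), and then performs the same check the broker performs at handshake time: does the CA in cafile really sign the presented certificate?

```sh
#!/bin/sh
# Added example: mosquitto mutual-TLS material generated with OpenSSL.
# Assumed names: CA "Example MQTT CA", broker hostname mqtt.example.local,
# client CN sensor-01. Requires the openssl command-line tool.
set -eu

# Generate CA, server and client key pairs into "$1".
gen_certs() {
    dir="$1"
    mkdir -p "$dir"
    # 1. The CA: the only self-signed certificate in the whole setup.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=Example MQTT CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key + CSR, signed by the CA. The CN/SAN must match the
    #    hostname clients connect to, or the client-side check fails.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=mqtt.example.local" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:mqtt.example.local\n' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # 3. Client key + CSR, signed by the same CA. With use_identity_as_username
    #    the CN becomes the MQTT username, so it is chosen deliberately here.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=sensor-01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/client.crt" 2>/dev/null
}

# The check require_certificate triggers on the broker: is "$2" signed by
# the CA in "$1/ca.crt"? Returns non-zero for a certificate from any other CA.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# The value the broker takes as the username when use_identity_as_username
# is true: the CN of the client certificate.
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Write a mutual-TLS listener config pointing at the files in "$1" to "$2".
write_config() {
    dir="$1"; out="$2"
    cat > "$out" <<EOF
# Mutual-TLS listener (example config; paths assumed)
listener 8883
cafile $dir/ca.crt
certfile $dir/server.crt
keyfile $dir/server.key
# TLS 1.0 is obsolete; require 1.2.
tls_version tlsv1.2
# Reject any client that cannot present a certificate signed by cafile.
require_certificate true
# The client certificate CN becomes the MQTT username; password_file is ignored.
use_identity_as_username true
EOF
}

# Stand-alone use: ./twowayssl.sh /path/to/output/dir
if [ "$#" -ge 1 ]; then
    gen_certs "$1"
    write_config "$1" "$1/twowayssl.conf"
    verify_cert "$1" "$1/client.crt" && echo "client cert chains to CA"
    echo "username derived from client cert: $(client_cn "$1/client.crt")"
fi
```

Once the broker runs with the generated twowayssl.conf, a client must present its own CA-signed certificate, for example mosquitto_pub -h mqtt.example.local -p 8883 --cafile ca.crt --cert client.crt --key client.key -t test -m hello; omitting --cert and --key, or using a certificate from another CA, fails the handshake exactly as the verify_cert check above does.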
With that configuration file in place, the mosquitto broker can be started with two-way SSL as follows.