As a security protocol built on the public key algorithms of modern cryptography, TLS/SSL secures transmission over computer communication networks. EMQ X has built-in support for TLS/SSL, including one-way and two-way (mutual) authentication, X.509 certificates, load-balanced SSL and other security authentication features. You can enable SSL/TLS for all protocols supported by EMQ X, and you can also configure the HTTP API provided by EMQ X to use TLS. This article shows how to enable TLS for MQTT in EMQ X.
Security advantages of SSL/TLS
- Strong authentication. When establishing a connection using TLS, the communicating parties can check each other's identity. In practice, a common way to check identity is to verify the X.509 digital certificate held by the other party. Such digital certificates are usually issued by a trusted authority and cannot be forged.
- Confidentiality. Each TLS session is encrypted with a session key negotiated by the communicating parties, so no third party has access to the communication. Even if the key of one session is leaked, the security of other sessions is not affected.
- Integrity. Data in encrypted communications cannot easily be tampered with without being detected.
SSL/TLS
The communication process under TLS/SSL is divided into two parts. The first is the handshake protocol, whose purpose is to authenticate the other party and establish a secure communication channel; by the end of the handshake the two parties have negotiated the cipher suite and session key to be used next. The second is the record protocol. A record is very similar to the units of other data transmission protocols in that it carries a content type, version, length and payload; the difference is that the payload it carries is encrypted.
The following figure describes the TLS/SSL handshake process, from the client's "Hello" to the server's "Finished". Interested readers can look up more detailed information; not knowing this process in detail does not prevent us from enabling the feature in EMQ X.
Obtaining an SSL/TLS certificate
In general, we need digital certificates to provide the strong authentication of TLS communications. The use of digital certificates is itself a tripartite arrangement: in addition to the two communicating parties, there is a trusted third party, the certificate authority (CA), that issues the certificates. Communication with the CA is usually done in the form of pre-issued certificates. To start TLS communication we need at least two certificates: a CA certificate and an EMQ X certificate. The EMQ X certificate is issued by the CA and is verified with the CA certificate.
To obtain a truly trusted certificate, you need to purchase it from a certificate service provider. In a lab environment, we can also simulate this process with self-generated certificates. Here we illustrate the process of enabling SSL/TLS for the EMQ X server in both ways.
Note: of the purchased-certificate and self-signed-certificate configurations, readers only need to choose one to test according to their own situation.
Purchased certificate
If you have a purchased certificate, a self-signed certificate is not required.
To facilitate EMQ X configuration, rename the purchased certificate file to emqx.crt and its private key file to emqx.key.
Self-signed certificate
Here, we assume that OpenSSL is already installed on your system. Use the toolset that comes with OpenSSL to generate the certificates we need.
First, we need a self-signed CA certificate. Generating the certificate requires a private key to sign it. To generate the private key, run the following command:
openssl genrsa -out my_root_ca.key 2048
This command generates a 2048-bit RSA key and stores it in my_root_ca.key. With this key, you can generate the root certificate:
openssl req -x509 -new -nodes -key my_root_ca.key -sha256 -days 3650 -out my_root_ca.pem
The root certificate is the starting point of the entire trust chain. If the issuer of a certificate at every level up to the root certificate is trusted, then we can consider the certificate to be trusted. With this root certificate, we can use it to issue entity certificates to other entities.
The entity (in this case, EMQ X) also needs a private key of its own so that it retains control over its own certificate. Generating this key is similar to the step above:
openssl genrsa -out emqx.key 2048
Create a new openssl.cnf file with the following content:
- req_distinguished_name: modify as needed.
- alt_names: change BROKER_ADDRESS to the actual IP or DNS address of the EMQ X server, for example IP.1 = 127.0.0.1 or DNS.1 = broker.xxx.com.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = EMQX
commonName = Server certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = BROKER_ADDRESS
DNS.1 = BROKER_ADDRESS
Then create a certificate signing request (CSR) with this key and configuration:
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
Then issue the entity certificate of EMQ X with the root certificate:
openssl x509 -req -in ./emqx.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out emqx.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf
With the certificate in place, we can enable TLS/SSL for EMQ X.
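The self-signed procedure above, as an added example that is not part of the original article: it runs the same openssl steps without interactive prompts, then verifies that emqx.pem chains to my_root_ca.pem and carries the broker address in its subjectAltName before the files go into etc/certs/. It assumes openssl is on PATH, picks IP.1 or DNS.1 according to the address given (the article uses one placeholder for both), and the CA subject "Example Root CA" is a made-up value.

```shell
#!/bin/sh
# Added example: non-interactive version of the article's certificate steps plus
# verification. Assumes openssl is installed; the CA subject below is made up.
set -eu

# make_certs DIR ADDRESS: write openssl.cnf, the root CA, and the broker certificate.
make_certs() {
  dir="$1"; addr="$2"
  # openssl rejects a hostname under IP.*, so pick the SAN entry type that fits.
  case "$addr" in
    *[!0-9.]*) san="DNS.1 = $addr" ;;   # hostname
    *)         san="IP.1 = $addr" ;;    # dotted IPv4
  esac
  # Same sections as the article's openssl.cnf (DN trimmed), plus a v3_ca section
  # so the root carries CA:TRUE, as the default openssl.cnf would give it.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' \
    'x509_extensions = v3_req' 'prompt = no' '[dn]' 'organizationName = EMQX' \
    'commonName = Server certificate' '[v3_req]' 'subjectAltName = @alt_names' \
    '[alt_names]' "$san" '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$dir/openssl.cnf"
  # Root CA key and self-signed certificate (-subj replaces the interactive prompts).
  openssl genrsa -out "$dir/my_root_ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/my_root_ca.key" -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/O=EMQX/CN=Example Root CA" -out "$dir/my_root_ca.pem"
  # Broker key, CSR, and the CA-issued certificate carrying the SAN extension.
  openssl genrsa -out "$dir/emqx.key" 2048 2>/dev/null
  openssl req -new -key "$dir/emqx.key" -config "$dir/openssl.cnf" -out "$dir/emqx.csr"
  openssl x509 -req -in "$dir/emqx.csr" -CA "$dir/my_root_ca.pem" \
    -CAkey "$dir/my_root_ca.key" -CAcreateserial -out "$dir/emqx.pem" \
    -days 3650 -sha256 -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null
}

# verify_chain DIR: succeeds only if emqx.pem validates against my_root_ca.pem,
# which is what a client handed the CA file will check on connect.
verify_chain() {
  openssl verify -CAfile "$1/my_root_ca.pem" "$1/emqx.pem" >/dev/null
}

# has_san DIR ADDRESS: succeeds only if ADDRESS appears in subjectAltName;
# a client connecting by that address rejects the certificate otherwise.
has_san() {
  openssl x509 -in "$1/emqx.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# Stand-alone run: sh make_emqx_certs.sh [BROKER_ADDRESS]   (default 127.0.0.1)
out="${OUT_DIR:-$(mktemp -d)}"
make_certs "$out" "${1:-127.0.0.1}"
verify_chain "$out" && has_san "$out" "${1:-127.0.0.1}" && echo "certificates ready in $out"
```

After EMQ X has been restarted with these files, the same CA file can be handed to openssl s_client -connect 127.0.0.1:8883 -CAfile my_root_ca.pem to confirm the listener presents this certificate.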
Enable and verify SSL/TLS
In EMQ X, the default listening port of mqtt:ssl is 8883.
Purchased certificate mode
EMQ X configuration
Copy the renamed emqx.key and emqx.crt files to the etc/certs/ directory of EMQ X and modify the emqx.conf file as follows:
## listener.ssl.$name is the IP address and port that the MQTT/SSL listener binds to.
## Value: IP:Port | Port
listener.ssl.external = 8883
## Path to the file containing the user's private PEM-encoded key.
## Value: File
listener.ssl.external.keyfile = etc/certs/emqx.key
## Path to a file containing the user certificate.
## Value: File
listener.ssl.external.certfile = etc/certs/emqx.crt
MQTT connection test
After configuring and restarting EMQ X, we use the MQTT client tool MQTT X (cross-platform, with MQTT 5.0 support) to verify that the TLS service is working properly.
MQTT X version: v1.3.2 or later
- Create the MQTT client in MQTT X as shown below (replace mqttx.app in the Host input box with your actual domain name).
Note: simply select CA Signed Server in the Certificate field. No certificate file needs to be carried (a CA file is not required) for a one-way authentication connection using a purchased certificate.
- Click the Connect button. If MQTT publish/subscribe operations work normally after the connection succeeds, the SSL one-way authentication configuration with a purchased certificate is successful.
Self-signed certificate mode
EMQ X configuration
Copy the emqx.pem, emqx.key and my_root_ca.pem files generated with OpenSSL in the preceding steps to the etc/certs/ directory of EMQ X and modify emqx.conf by referring to the following configuration:
## listener.ssl.$name is the IP address and port that the MQTT/SSL listener binds to.
## Value: IP:Port | Port
listener.ssl.external = 8883
## Path to the file containing the user's private PEM-encoded key.
## Value: File
listener.ssl.external.keyfile = etc/certs/emqx.key
## Path to a file containing the user certificate.
## Value: File
listener.ssl.external.certfile = etc/certs/emqx.pem
## Path to the file containing PEM-encoded CA certificates. The CA certificates are used to verify the certificate chain.
## Value: File
listener.ssl.external.cacertfile = etc/certs/my_root_ca.pem
MQTT connection test
After configuring and restarting EMQ X, we use the MQTT client tool MQTT X (cross-platform, with MQTT 5.0 support) to verify that the TLS service is working properly.
MQTT X version: v1.3.2 or later
- Create the MQTT client in MQTT X as shown below (replace 127.0.0.1 in the Host input box with the actual EMQ X server IP address). Select Self signed in the Certificate field and carry the my_root_ca.pem file generated in the self-signed certificate steps.
- Click the Connect button. If MQTT publish/subscribe operations work normally after the connection succeeds, the SSL one-way authentication configuration with a self-signed certificate is successful.
EMQ X Dashboard verification
Finally, open the Listeners page of the EMQ X Dashboard and you can see an mqtt:ssl listener on port 8883.
So far, we have successfully completed the SSL/TLS configuration and the one-way authentication connection test of the EMQ X server. For the EMQ X SSL/TLS bidirectional (mutual) authentication configuration, please refer to our subsequent articles.
Copyright: EMQ
Original link: www.emqx.io/cn/blog/emq…