Setting up an MQTT broker with SSL/TLS on Ubuntu 22.04, based on mosquitto version 2.0.11.

Test tools: MQTTX (a cross-platform MQTT 5.0 desktop client), plus mosquitto_sub and mosquitto_pub.

Installation and configuration

Installing mosquitto and the mosquitto clients (mosquitto_sub, mosquitto_pub)

sudo apt install mosquitto mosquitto-clients
# Service management

## Show status
sudo systemctl status mosquitto.service
## Start mosquitto
sudo systemctl start mosquitto.service
## Stop mosquitto
sudo systemctl stop mosquitto.service
## Restart mosquitto
sudo systemctl restart mosquitto.service

## Disable starting mosquitto at boot
sudo systemctl disable mosquitto.service
## Enable starting mosquitto at boot
sudo systemctl enable mosquitto.service

mosquitto configuration

Use man mosquitto.conf to see the configuration parameters; the official documentation is at Documentation | Eclipse Mosquitto.

mosquitto supports several listeners of different kinds at once. Two are configured below: MQTT with username/password, and MQTT over TLS.

This is the directory layout of the finished mosquitto configuration:

mosquitto/
├── aclfile.example
├── ca_certificates
│   ├── full.crt
│   └── README
├── certs
│   ├── README
│   ├── server.crt
│   └── server.key
├── conf.d
│   ├── README
│   ├── tcp.conf
│   └── tls.conf
├── mosquitto.conf
├── password_file
├── pskfile.example
└── pwfile.example

As the directory layout and the README show, all user-defined configuration files go in /etc/mosquitto/conf.d.

$ cat /etc/mosquitto/conf.d/README 
Any files placed in this directory that have a .conf ending will be loaded as
config files by the broker. Use this to make your local config.

TLS configuration

The TLS configuration file /etc/mosquitto/conf.d/tls.conf contains the following:

$ cat /etc/mosquitto/conf.d/tls.conf 
listener 8883
allow_anonymous true

cafile /etc/mosquitto/ca_certificates/full.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

require_certificate true
tls_version tlsv1.2
use_identity_as_username false
use_subject_as_username false

The certificates used here were generated following the document "Generating an RSA certificate chain with OpenSSL".

The parameters mean the following:

Parameter and meaning

listener
    Listen for incoming network connection on the specified port. A second optional argument allows the listener to be bound to a specific ip address/hostname.
allow_anonymous
    Boolean value that determines whether clients that connect without providing a username are allowed to connect. It is set to true here because mutual (two-way) certificate authentication is already in use on this listener.
cafile
    cafile is used to define the path to a file containing the PEM encoded CA certificates that are trusted when checking incoming client certificates. Used to verify client certificates.
certfile
    Path to the PEM encoded server certificate.
keyfile
    Path to the PEM encoded server key.
require_certificate
    By setting require_certificate to true, a client connecting to this listener must provide a valid certificate in order for the network connection to proceed. Determines whether a client certificate is required, i.e. whether mutual authentication is enforced.
tls_version
    Configure the minimum version of the TLS protocol to be used for this listener. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1.
use_subject_as_username
    If require_certificate is true, you may set use_subject_as_username to true to use the complete subject value from the client certificate as a username. If this is true, the password_file option will not be used for this listener.
use_identity_as_username
    Set use_identity_as_username to have the psk identity sent by the client used as its username.

After the configuration is complete, restart mosquitto.
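The combination of settings above is only safe as a whole: allow_anonymous true is acceptable on this listener because require_certificate true and cafile force every client to present a certificate signed by the trusted CA, and tls_version keeps the floor at TLS 1.2. As an added example (not code from the post or from the Mosquitto project), the following Python script parses listener config files in the key/value format shown above and flags the weak combinations a reviewer would look for. The sample inputs are constructed: the first mirrors the tls.conf above, the second is a deliberately weakened variant.

```python
"""Audit a mosquitto listener config for weak TLS/authentication settings.

Added example, not part of the original post or the Mosquitto project.
Parses the `key value` format used by mosquitto.conf and the files in
conf.d, then flags:
  - allow_anonymous true on a listener that does not require a client
    certificate (anonymous access is only defensible under mutual TLS)
  - require_certificate true without a cafile/capath to verify clients
  - tls_version below tlsv1.2 on a TLS listener
"""
from typing import Dict, List

# Constructed sample: mirrors the tls.conf shown in the post.
TLS_CONF = """\
listener 8883
allow_anonymous true

cafile /etc/mosquitto/ca_certificates/full.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

require_certificate true
tls_version tlsv1.2
use_identity_as_username false
use_subject_as_username false
"""

# Constructed weak variant: anonymous access with no client certificate
# requirement, and an old protocol floor.
WEAK_CONF = """\
listener 8883
allow_anonymous true
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1.1
"""

TLS_RANK = {"tlsv1.1": 1, "tlsv1.2": 2, "tlsv1.3": 3}


def parse_listener_conf(text: str) -> Dict[str, str]:
    """Parse `key value` lines; blank lines and # comments are skipped.
    A repeated key overwrites the earlier value, as for a single listener."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def audit_listener(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    anonymous = conf.get("allow_anonymous", "false") == "true"
    require_cert = conf.get("require_certificate", "false") == "true"
    has_tls = "certfile" in conf and "keyfile" in conf

    if anonymous and not require_cert:
        findings.append("allow_anonymous true without require_certificate true: "
                        "any client can connect unauthenticated")
    if require_cert and "cafile" not in conf and "capath" not in conf:
        findings.append("require_certificate true but no cafile/capath to "
                        "verify client certificates against")
    if has_tls:
        version = conf.get("tls_version")
        if version is not None and TLS_RANK.get(version, 0) < TLS_RANK["tlsv1.2"]:
            findings.append(f"tls_version {version} is below tlsv1.2")
    return findings


if __name__ == "__main__":
    for name, text in (("tls.conf", TLS_CONF), ("weak.conf", WEAK_CONF)):
        result = audit_listener(parse_listener_conf(text))
        print(name, "OK" if not result else result)
```

Run it against the files in /etc/mosquitto/conf.d before each restart; a listener that reports findings is the one to fix before it goes live.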

MQTT with username/password

Password configuration is documented at Authentication methods | Eclipse Mosquitto.

The password commands are:

# Create the password file and add a user. If the file already exists it is overwritten.
mosquitto_passwd -c <password file> <username>
# Add a user to the password file
mosquitto_passwd <password file> <username>
# Delete a user from the password file
mosquitto_passwd -D <password file> <username>
# Add a user or update the password (password given on the command line)
mosquitto_passwd -b <password file> <username> <password>

Point the mosquitto broker at the password file with the following configuration:

$ cat tcp.conf 
listener 1883
password_file /etc/mosquitto/password_file

Restart the broker after configuring for the change to take effect.
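mosquitto_passwd does not store passwords in clear text: each line of password_file holds a salted, iterated hash, and the broker recomputes the hash from the submitted password at CONNECT time. The following Python script is an added example (not from the post or the Mosquitto project) that builds and verifies entries in that format. It assumes the mosquitto 2.x layout username:$7$<iterations>$<base64 salt>$<base64 hash>, with PBKDF2-HMAC-SHA512, a 64-byte output, a 12-byte random salt and 101 iterations by default; the sample file it checks is constructed in the script itself with a fixed salt.

```python
"""Build and verify entries in a mosquitto 2.x password_file.

Added example, not part of the original post or the Mosquitto project.
Assumed format (mosquitto 2.x, as produced by mosquitto_passwd):
    username:$7$<iterations>$<base64 salt>$<base64 hash>
where hash = PBKDF2-HMAC-SHA512(password, salt, iterations, 64 bytes).
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

DEFAULT_ITERATIONS = 101   # assumed mosquitto_passwd default
SALT_LEN = 12              # assumed salt length in bytes
HASH_LEN = 64              # SHA-512 output length


def make_entry(username: str, password: str, salt: Optional[bytes] = None,
               iterations: int = DEFAULT_ITERATIONS) -> str:
    """Produce one password_file line in the $7$ format."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, HASH_LEN)
    return "{}:$7${}${}${}".format(
        username, iterations,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def load_password_file(text: str) -> Dict[str, str]:
    """Map username -> hash string; blank lines are ignored."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, pwhash = line.partition(":")
        users[user] = pwhash
    return users


def verify(users: Dict[str, str], username: str, password: str) -> bool:
    """True only if the user exists and the recomputed PBKDF2 matches."""
    pwhash = users.get(username)
    if pwhash is None:
        return False
    parts = pwhash.split("$")          # ['', '7', iterations, salt, hash]
    if len(parts) != 5 or parts[1] != "7":
        return False                   # only the $7$ format is handled here
    iterations = int(parts[2])
    salt = base64.b64decode(parts[3])
    expected = base64.b64decode(parts[4])
    actual = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, len(expected))
    # Constant-time comparison, as a broker should do.
    return hmac.compare_digest(actual, expected)


# Constructed sample: the admin/public credentials used with mosquitto_pub
# later in the post, hashed with a fixed salt so the file is reproducible.
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_PASSWORD_FILE = make_entry("admin", "public", SAMPLE_SALT) + "\n"


if __name__ == "__main__":
    users = load_password_file(SAMPLE_PASSWORD_FILE)
    print(SAMPLE_PASSWORD_FILE.strip())
    print("admin/public   ->", verify(users, "admin", "public"))
    print("admin/Public   ->", verify(users, "admin", "Public"))
    print("nobody/public  ->", verify(users, "nobody", "public"))
```

Because the file only holds salted PBKDF2 output, leaking it does not directly leak credentials, but it should still be readable only by the broker's user (mosquitto_passwd creates it with restrictive permissions; check them if the file is copied by hand).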

MQTTX connection settings

MQTT+TLS connection

MQTT connection

Using the mosquitto clients

mosquitto_pub -h localhost -p 1883 -u admin -P public -t test -m "Hello,world1"

mosquitto_sub -h localhost -p 8883 --cafile ~/ca/client/full.crt --key ~/ca/client/client.key --cert ~/ca/client/client.crt -t "test" -i "client" -d

The mosquitto_sub parameters are described below:

mosquitto_sub parameter and description

--cafile
    CA (root) certificate
--key
    Client private key
--cert
    Client certificate
--insecure
    Do not check that the server certificate's CN matches the host; the same as the MQTTX setting above
--tls-version
    TLS version; possible values tlsv1.1, tlsv1.2, tlsv1.3
-h
    host
-p
    port
-t
    topic
-i
    client id
-d
    debug
-V
    MQTT protocol version; possible values mqttv5, mqttv31, mqttv311
--help
    Usage information