Secure communication between client and server through TLS security protocol using Mosquitto Broker: IOT Part 42

Transport Layer Security (TLS) is a security protocol that protects data in transit: the two parties authenticate each other and agree on session keys using public-key cryptography, and the data itself is then protected with symmetric encryption. In this tutorial, client-server communication will be configured over TLS so that data can be securely exchanged between them. The Mosquitto broker is used to provide TLS security; it uses port 8883 as the encrypted port on which clients exchange data securely.
To learn more about IoT standards and protocols, check out the following tutorial –
IoT standards and protocols
Learn more about transport layer protocols in the following tutorial –
Transport Layer Protocols
Fig. 1: Image showing secure client-server communication over TLS protocol using Mosquitto Broker

Required software –
• Platform – Linux
• Mosquitto broker installed
• MQTT spy client or Linux Terminal.
TLS protocol –
The TLS protocol offers the following features –
1) Data encryption – Data is encrypted between the two parties exchanging the information, so that nobody else can read it.
2) Data Integrity – Data cannot be altered in transit without the receiving party detecting it.
3) Authentication – A party accepts data from another party only after that party has proven its identity (here, with a certificate signed by a trusted CA).
In TLS, the client or broker uses the peer's public key to encrypt, its own private key to decrypt, and its certificate to prove its identity to the peer. To enable TLS security, a client requires the following –
1) Client certificate certified by CA (certification authority)
2) Client private key for decryption
3) CA certificate that signed the server certificate.
To enable TLS security, the server requires the following –
1) Server certificate signed by the CA
2) Server private key for decryption
3) CA certificate that signed the client certificate.
openssl is used to create one's own certification authority (CA), client keys, server keys, and certificates. openssl can be installed by the following commands –
Fig. 2: Screenshot of the command to install Openssl
Then create a folder (any name) in your home directory and go to that directory via terminal. Now follow the steps below to generate the keys and certificates.
1) Create the CA public and private key pair by running the following command in the terminal –
Fig. 3: Screenshot of the command to create CA public and private key pairs
In the above command –
genrsa: Generates an RSA private key
-des3: encrypts the generated key file with the DES3 cipher under a password
size_of_private_key_in_bits is 2048
-out: specifies the file name for the key (.key)
This command will generate the CA private key file. It will prompt for a user-defined password. This password will be asked for again later whenever this private key is used for signing, starting with the CA certificate.
2) Create a CA certificate using the CA key by running the following command –
Fig. 4: Screenshot of the command to create CA certificate
In the above command,
req: is a certificate request
-new: generates a new certificate and will prompt the user for several input fields.
-x509: creates a self-signed certificate.
-days: specifies the number of days that the certificate is valid.
-key: is the key file with the private key to be used for signing
-out: specifies the name of the certificate file (.crt)
3) Now create the server key pair by running the following command –
Fig. 5: Screenshot of the command to create server key pair
openssl genrsa -out mosquitto_server.key 2048
The server key is not password protected here. In the above command,
genrsa: generates an RSA private key
-out: specifies the file name for the key (.key)
size_of_private_key_in_bits is 2048
4) Now create a certificate request for the server using the server's private key by running the following command –
Fig. 6: Screenshot of the command to create a server certificate request
In the above command –
req: is a certificate request
-new: generates a new certificate and will prompt the user for several input fields.
-key: is the key file with the private key to be used for signing
-out: specifies the name of the certificate file (.csr)
5) Then use the CA certificate to sign the broker certificate request by running the following command –
Fig. 7: Screenshot of the command to sign the broker certificate
In the above command,
x509: certificate utility; together with -req it signs a certificate request instead of creating a self-signed certificate.
-req: the input is a certificate request (CSR)
-in: is the certificate request input file
-CA: specifies the CA certificate used to sign the request
-CAkey: is the CA's private key to sign the certificate
-CAcreateserial: is the serial number file that is created if it does not exist
-out: specifies the name of the certificate file (.crt)
-days: specifies the number of days that the certificate is valid.
6) For the client, the same procedure is followed: generate the client private key, create the client certificate request, and then sign the request with the CA certificate.
The client key pair is generated by the following command –
Fig. 8: Screenshot of the command to generate client key pair
The client certificate request is made by running the following command –
openssl req -new -out mosquitto_client.csr -key mosquitto_client.key
The client certificate request is then signed with the CA certificate by running the following command –
Fig. 9: Screenshot of the command to sign client certificate by CA certificate
There are now 9 files in total, with the following names –
– CA.key: CA key file (public and private)
– CA.crt: CA certificate
– CA.srl: CA serial number file
– mosquitto_server.key: server key
– mosquitto_server.csr: server certificate request
– mosquitto_server.crt: server certificate
– mosquitto_client.key: client key
– mosquitto_client.csr: client certificate request
– mosquitto_client.crt: client certificate
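Steps 1 to 6 above, collected into one script as an added example (not code from the original post). It assumes constructed subject names and a constructed CA passphrase, uses -subj and -passout in place of the interactive prompts shown in the screenshots, and finishes with the checks a practitioner would want before copying the files to the broker.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-6 above as one function.
# Assumptions (constructed, not from the tutorial): the subject names, the CA
# passphrase, and the use of -subj/-passout instead of the interactive prompts.
set -eu

# make_mqtt_pki <output-dir> <broker-hostname>
# The body runs in a subshell so the cd does not leak into the caller.
make_mqtt_pki() (
    out="$1"; host="$2"
    mkdir -p "$out" && cd "$out"
    ca_pass="pass:ChangeMeCAPassphrase"   # constructed; the tutorial types this at the -des3 prompt

    # Step 1: DES3-protected CA private key
    openssl genrsa -des3 -passout "$ca_pass" -out CA.key 2048
    # Step 2: self-signed CA certificate. Its subject must differ from the broker's,
    # otherwise Mosquitto treats the broker certificate as self-signed and rejects it.
    openssl req -new -x509 -days 3650 -passin "$ca_pass" -key CA.key \
        -subj "/CN=Example MQTT CA" -out CA.crt
    # Step 3: unencrypted broker key
    openssl genrsa -out mosquitto_server.key 2048
    # Step 4: broker CSR. The CN must be the hostname clients will connect to,
    # or mosquitto_pub/mosquitto_sub fail hostname verification.
    openssl req -new -key mosquitto_server.key -subj "/CN=$host" -out mosquitto_server.csr
    # Step 5: the CA signs the broker CSR; -CAcreateserial writes CA.srl on first use
    openssl x509 -req -in mosquitto_server.csr -CA CA.crt -CAkey CA.key \
        -passin "$ca_pass" -CAcreateserial -days 365 -out mosquitto_server.crt
    # Step 6: the same three commands for the client
    openssl genrsa -out mosquitto_client.key 2048
    openssl req -new -key mosquitto_client.key -subj "/CN=mqtt-client-1" -out mosquitto_client.csr
    openssl x509 -req -in mosquitto_client.csr -CA CA.crt -CAkey CA.key \
        -passin "$ca_pass" -CAcreateserial -days 365 -out mosquitto_client.crt

    # Checks: both leaf certificates chain to CA.crt (what the broker and the clients
    # verify at connect time) and the broker certificate really carries the hostname.
    openssl verify -CAfile CA.crt mosquitto_server.crt mosquitto_client.crt
    openssl x509 -in mosquitto_server.crt -noout -subject | grep -q "CN *= *$host"
)
```

Run it as `make_mqtt_pki ./pki broker.example.com`; the nine files listed above appear in ./pki.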
Next, client authentication also needs to be enabled. From this point on, a client is allowed to connect to the MQTT broker only if it presents a username and password that the broker knows. Follow the steps below to enable authentication –
1) Create server_password.txt file anywhere and within this file create username and password as follows –
Fig. 10: Screenshot of the command to create server_password.txt
2) Then convert the plain-text passwords in this file to hashes using the following command –
Fig. 11: Screenshot of the command to encrypt the Server_password.txt file
3) Then install the Mosquitto broker. Since Linux is used, first add the Mosquitto repository by running the following command and then install the Mosquitto broker –
Fig. 12: Screenshot of the command to install the Mosquitto broker
Then install Mosquitto clients for PC by installing Mosquitto developer libraries and Mosquitto client package as follows –
Fig. 13: Screenshot of the command to install Mosquitto clients
mqtt-spy can be used instead of the command-line MQTT clients; if you use mqtt-spy, skip the client installation step above. The broker, the clients and the certificates are now all in place.
Mosquitto is configured to listen on port 1883 (unencrypted) by default, so a TLS listener on port 8883 is needed. The Mosquitto broker configuration can be changed to listen on the encrypted port. But before that, copy the following 3 of the 9 generated files into the /etc/mosquitto/ folder –
• CA.crt – Paste this file into /etc/mosquitto/ca_certificates. If this folder is not present, we can create a folder and paste the file
• mosquitto_server.crt – Paste this file into /etc/mosquitto/certs.
• mosquitto_server.key – Paste this file into /etc/mosquitto/certs
Now copy the password file “server_password.txt” and paste it into the /etc/mosquitto path. Now, there is the default configuration file. Change the file – mosquitto.conf as follows –
Fig. 14: Screenshot of changes to the default configuration file
Now the configuration file has been prepared. It's time to run the Mosquitto broker with this configuration file. Run it as superuser with the following command –
sudo mosquitto -c mosquitto.conf -v
It can be seen that the Mosquitto broker is running on port 8883 with TLS security as follows –
Fig. 15: Screenshot of the Mosquitto broker running on encrypted port 8883
It's time to test the broker with MQTT clients. To publish the data to the Mosquitto broker, run the following command –
Fig. 16: Screenshot of the command to publish data to the Mosquitto broker
And to subscribe to the MQTT broker topic by running the following command –
Fig. 17: Screenshot of the command to subscribe to the MQTT Broker topic
It can be seen that everything the publisher sends to the MQTT broker is received by the subscriber. This client-server traffic is carried over the TLS connection on port 8883, so it is encrypted on the wire.
Fig. 18: Screenshot of client-server communication using MQTT broker
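The configuration from Fig. 14, the password hashing step from Fig. 11 and the client commands from Figs. 16 and 17, as an added example that is not from the original post. File paths follow the tutorial; the broker hostname, username, password and topic are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are the tutorial's; the
# hostname, username, password and topic below are constructed placeholders.
set -eu

# write_broker_conf <conf-path>: TLS-only listener on 8883 with mutual authentication
write_broker_conf() {
    cat > "$1" <<'EOF'
# no plain listener on 1883 is opened; only the TLS listener exists
listener 8883
cafile /etc/mosquitto/ca_certificates/CA.crt
certfile /etc/mosquitto/certs/mosquitto_server.crt
keyfile /etc/mosquitto/certs/mosquitto_server.key
tls_version tlsv1.2
# clients must present a certificate signed by CA.crt ...
require_certificate true
# ... and still log in with a username/password from the hashed file
password_file /etc/mosquitto/server_password.txt
allow_anonymous false
EOF
}

# hash_password_file <path>: the step in Fig. 11. mosquitto_passwd -U replaces
# each plain "user:password" line with a salted hash, in place.
hash_password_file() {
    mosquitto_passwd -U "$1"
}

# Publisher (Fig. 16) and subscriber (Fig. 17): each client verifies the broker
# against CA.crt and presents its own certificate and key, plus the credentials.
BROKER=broker.example.com   # must match the CN in mosquitto_server.crt
CLIENT_OPTS="-h $BROKER -p 8883 --cafile CA.crt --cert mosquitto_client.crt --key mosquitto_client.key -u mqttuser -P mqttpass"
publish()   { mosquitto_pub $CLIENT_OPTS -t sensors/temp -m "$1"; }
subscribe() { mosquitto_sub $CLIENT_OPTS -t sensors/temp -v; }
```

With require_certificate true, a client that has the username and password but no certificate signed by CA.crt is rejected during the TLS handshake, before the password is ever checked.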
