1. 首页首页
  2. 编程汇总编程汇总

2025年mqtt支持加密通讯

编程汇总 阅读 3

mqtt支持加密通讯1 mqtt 第三方库支持 openssl a 编译 openssl 库 我使用的是 1 0 1 在 mqtt 源码目录下创建 openssl 文件夹 并拷贝编译完成的库文件与头文件到此文件夹下 b 修改 mqtt 源码从 git 上获取 https github com eclipse paho mqtt c git 编译选项 PAHO WITH SSL OPENSSL SEARCH PATH

1. mqtt第三方库支持openssl
a, 编译openssl库(我使用的是1.0.1),在mqtt源码目录下创建openssl文件夹,并拷贝编译完成的库文件与头文件到此文件夹下。
b, 修改mqtt(源码从git上获取https://github.com/eclipse/paho.mqtt.c.git )编译选项,PAHO_WITH_SSL,OPENSSL_SEARCH_PATH。修改后需要重新清除,重新编译。


2. mosquitto支持openssl
a, 通过apt-get install mosquitto安装的mosquitto默认关闭了ssl相关功能
b, 通过git(https://github.com/eclipse/mosquitto.git)重新安装编译mosquitto
c, mosquitto 配置,启动命令mosquitto -c mosquitto.conf -v

port 8883

cafile /home/mosquitto_logs/certificate/ca/ca.crt

certfile /home/mosquitto_logs/certificate/server/server.crt

keyfile /home/mosquitto_logs/certificate/server/server.key

3. 自己创建需要的认证文件
a, pc端安装openssl
b, 使用generate.sh脚本创建认证文件,生成pem

# * Redistributions in binary form must reproduce the above copyright

#   notice, this list of conditions and the following disclaimer in the

#   documentation and/or other materials provided with the distribution.

# * Neither the name of the axTLS project nor the names of its

#   contributors may be used to endorse or promote products derived

#   from this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 

# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR

# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED

# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 

# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#



#

# Generate the certificates and keys for testing.

#





PROJECT_NAME="TLS Project"



# Generate the openssl configuration files.

cat > ca_cert.conf << EOF  

[ req ]

distinguished_name     = req_distinguished_name

prompt                 = no



[ req_distinguished_name ]

 O                      = $PROJECT_NAME Dodgy Certificate Authority

EOF



cat > server_cert.conf << EOF  

[ req ]

distinguished_name     = req_distinguished_name

prompt                 = no



[ req_distinguished_name ]

 O                      = $PROJECT_NAME

 CN                     = 192.168.199.188

EOF



cat > client_cert.conf << EOF  

[ req ]

distinguished_name     = req_distinguished_name

prompt                 = no



[ req_distinguished_name ]

 O                      = $PROJECT_NAME Device Certificate

 CN                     = 192.168.199.168

EOF



mkdir ca

mkdir server

mkdir client

mkdir certDER



# private key generation

openssl genrsa -out ca.key 1024

openssl genrsa -out server.key 1024

openssl genrsa -out client.key 1024





# cert requests

openssl req -out ca.req -key ca.key -new \

            -config ./ca_cert.conf

openssl req -out server.req -key server.key -new \

            -config ./server_cert.conf 

openssl req -out client.req -key client.key -new \

            -config ./client_cert.conf 



# generate the actual certs.

openssl x509 -req -in ca.req -out ca.crt \

            -sha1 -days 5000 -signkey ca.key

openssl x509 -req -in server.req -out server.crt \

            -sha1 -CAcreateserial -days 5000 \

            -CA ca.crt -CAkey ca.key

openssl x509 -req -in client.req -out client.crt \

            -sha1 -CAcreateserial -days 5000 \

            -CA ca.crt -CAkey ca.key







openssl x509 -in ca.crt -outform DER -out ca.der

openssl x509 -in server.crt -outform DER -out server.der

openssl x509 -in client.crt -outform DER -out client.der





mv ca.crt ca.key ca/

mv server.crt server.key server/

mv client.crt client.key client/



mv ca.der server.der client.der certDER/



rm *.conf

rm *.req

rm *.srl

c, rm_ssl.sh

rm ca/ -rf

rm certDER/ -rf

rm client/ -rf

rm server/ -rf

d, 不使用脚本生成认证文件

openssl genrsa -des3 -out ca.key 2048

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

openssl genrsa -out server.key 2048

openssl req -new -out server.csr -key server.key

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3600

e, 方便统一操作,对文件目录结构操作

certificate

├── ca

│   ├── ca.crt

│   ├── ca.key

│   └── ca.srl

└── server

    ├── server.crt

    ├── server.csr

    └── server.key

4. Linux下两个终端通讯
a, mosquitto_sub -h 192.168.199.188 -p 8883 -t echo_on –cafile ca/ca.crt –cert client/client.crt –key client/client.key
b, mosquitto_pub -h 192.168.199.188 -p 8883 -t echo_on -m “temperature:15” –cafile ca/ca.crt –cert client/client.crt –key client/client.key
c, 实际效果同预期一致

5. 方便抓wireshark包,Linux终端同windows mqttfx通讯
a, linux下终端连接,参考列项4
b, mqtt fx针对ssl的配置如下
使用列项3中bc方法生成的认证文件如下配置


使用列表3中de方法生成的认证文件如下配置


c, wireshark抓包截图
使用tsl


未使用tls

参考:https://blog.csdn.net/espressif/article/details/78541435
https://baijiahao.baidu.com/s?id=1610669918084024139&wfr=spider&for=pc

编程小号
上一篇 2025-01-17 16:21
下一篇 2025-01-17 16:11

相关推荐

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
如需转载请保留出处:https://bianchenghao.cn/hz/148684.html