Secured MQTT broker on Raspberry Pi 3 with ESP32 controller (Part 1)

Rodolphe Beloncle
8 min read · Mar 23, 2023


This article deals with how to set up the Mosquitto broker to communicate with a client using TLS/SSL protocol.

Overview

ssl/tls communication protocol between client (esp32) and server (mqtt broker)

Why use SSL/TLS?

TLS ensures that traffic between a client and a server is protected and reliable in both directions. This provides an additional layer of security for users who connect to an organization’s network or applications, and it allows connections to be verified for devices that cannot go through an interactive login process, such as Internet of Things (IoT) devices.

It helps prevent the following attacks:

  • Man-in-the-middle attack: attackers on the path position themselves between a client and a server and intercept or modify communications between the two. When TLS is used, attackers on the path cannot authenticate themselves to either the client or the server, making this attack nearly impossible to carry out.

  • Identity spoofing attacks: attackers may attempt to impersonate a web server to a user, or vice versa. Identity spoofing attacks are much more difficult when both parties must authenticate using TLS certificates.

  • Credential stuffing attacks: attackers use sets of login credentials obtained from a data breach to attempt to log in as a legitimate user. Without a legitimately issued TLS certificate, credential stuffing attacks cannot succeed against organizations using TLS.

  • Brute-force attacks: typically carried out by bots, a brute-force attack involves an attacker using rapid trial and error to guess a user’s password. TLS ensures that a password alone is not sufficient to access an organization’s network. (Rate limiting is another way to address this type of bot attack.)

  • Phishing attacks: the goal of a phishing attack is often to steal a user’s login credentials, which can then be used to compromise a network or application. Even if a user falls for such an attack, the attacker still needs a TLS certificate and the corresponding private key in order to use those login credentials.

  • Malicious API requests: when used for API security, TLS ensures that API requests come only from legitimate, authenticated users. This prevents attackers from sending malicious API requests aimed at exploiting a vulnerability or modifying the API’s behavior.

Note that the protections above which rely on the attacker not holding a certificate only apply when the client also authenticates with a certificate (mutual TLS); in this first part the client only verifies the broker’s certificate.

Prerequisites

Parts Required

Two pieces of hardware are required for this demo: a Raspberry Pi 3 running the broker and an ESP32 acting as the client.

NB: if you feel a bit lost, I have a nice tutorial for you; you can follow this link.

Before starting this tutorial, I just want to mention that this article is an overview of my own research and reading towards building a personal project. It is one demonstration among many available on the web.

=========================================================

LET’S DO IT ! (FIRST PART)

We will be using OpenSSL to create our own certificate authority (CA), then the server key and certificate.

We will also test the broker by connecting to it over an SSL connection with the MQTT Explorer client.

In this case we only need the client to trust the server certificate, which it does through the CA certificate.

We do not need to create client certificates and keys.

Important note: many other tutorials on the web also configure username and password authentication at the same time. I don’t recommend doing this, because an error could then be caused by either SSL or authentication. Only change one thing at a time when testing.

Client Requirements

  • A CA (certificate authority) certificate of the CA that has signed the server certificate on the Mosquitto Broker.

Broker Requirements

  • CA certificate of the CA that has signed the server certificate on the Mosquitto broker.
  • Server certificate signed by that CA.
  • Server private key matching that certificate (the broker uses it during the TLS handshake).

Creating and Installing Broker Certificates and keys

Creation of certificates

In this section, we will generate the keys and certificates that secure the communication between the client and the MQTT broker. TLS uses certificates and key pairs to authenticate the parties (prove their identity) and then to encrypt the traffic between them.

sudo apt-get update
sudo apt-get upgrade -y

We will then create a folder in which to generate our certificates. To create these certificates and keys we use the openssl command-line tool.

Check whether OpenSSL is already installed, and which version:

openssl version

otherwise :

sudo apt install openssl

The commands and procedure apply to Linux; on other systems the folder locations will differ and you may need to change permissions or use sudo.

NB: if you need to grant read access to a directory you can use chmod, but be aware that the recursive form below gives every user on the system read, write and execute rights on everything under the given path (run against / it would do that to the whole system). Use it only on the temporary test_certs folder, never on /etc/mosquitto, where server.key must stay private.

sudo chmod 777 -R /path/to/Dir
mkdir test_certs
cd test_certs

Step 1:

First create a key pair for the CA

Command is:

sudo openssl genrsa -out ca.key 2048

Step 2:

Now Create certificate for the CA using the CA key that we created in step 1

sudo openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Step 3:

Now we create a server key pair that will be used by the broker

sudo openssl genrsa -out server.key 2048

Step 4:

Now we create a certificate signing request (.csr). When filling out the form, the Common Name (CN) is important: it is usually the domain name of the server.

You can provide the information as shown in the following example or enter different values as required, but enter the Common Name as your Raspberry Pi’s IP address or host name, because the client checks the certificate against the address it connects to.

sudo openssl req -new -out server.csr -key server.key

Useful OpenSSL commands

Verify that a server certificate is signed by a particular CA, using the ca.crt and server.crt files (server.crt is produced in step 5 below):

openssl verify -CAfile ca.crt server.crt

it should return

server.crt: OK

NB: to inspect the fields you entered, once server.crt exists:

openssl x509 -in server.crt -text -noout

Step 5:

Now we use the CA key to sign the certificate request. This creates the server.crt file.

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360 

Note: we never need to copy the ca.key file to the broker. It is only used when signing new server or client certificates, so keep it private.
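Before copying anything to the broker it is worth checking the files from steps 1 to 5 in one go. The function below is an added example (it is not part of the original article) that bundles the "openssl verify" check above with three more: that server.key really belongs to server.crt, that the address clients will dial is in the certificate, and that the private key is not readable by other users. It assumes openssl on PATH and the article’s file names in one directory.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check the output of steps 1 to 5
# before copying it to the broker. Assumes openssl on PATH and the article's
# file names (ca.crt, server.crt, server.key) in one directory.

# check_broker_pki <dir> <broker-address>
# Prints one line per problem and returns 0 only when every check passes.
check_broker_pki() {
  dir=$1; addr=$2; rc=0
  for f in ca.crt server.crt server.key; do
    [ -r "$dir/$f" ] || { echo "FAIL: $dir/$f missing or unreadable"; return 1; }
  done
  # 1. server.crt must chain to ca.crt (the same check as "openssl verify" above).
  if ! openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
    echo "FAIL: server.crt is not signed by ca.crt"; rc=1
  fi
  # 2. server.key must be the private half of the key in server.crt: compare the
  #    public keys by hashing them, so nothing secret is printed.
  crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: server.key does not match server.crt"; rc=1
  fi
  # 3. The address clients dial must be in the certificate, either as the CN the
  #    article uses or as a subjectAltName entry (DNS or IP), matched exactly.
  esc=$(printf '%s' "$addr" | sed 's/[.]/\\./g')
  if ! openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null |
       grep -Eq "(CN ?= ?|IP Address:|DNS:)$esc(,|$)"; then
    echo "FAIL: $addr is neither the CN nor a subjectAltName of server.crt"; rc=1
  fi
  # 4. The private key must not be readable by other users (chmod 777 would do that).
  if [ -n "$(find "$dir/server.key" -perm -004)" ]; then
    echo "FAIL: server.key is readable by every user"; rc=1
  fi
  return $rc
}
```

Run it as `check_broker_pki ~/test_certs <broker IP address>` from the folder's parent; a non-zero exit means at least one FAIL line was printed.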

Step 6:

Copy the files ca.crt, server.crt and server.key to a folder under the Mosquitto folder. I have used an existing folder called certs.

On Linux you should already have a ca_certificates folder under /etc/mosquitto/, as well as a certs folder.

Here is the command line to copy the whole test_certs folder into the Mosquitto folder (note that this also copies ca.key; copy only the three files listed above if you want to keep the CA key out of /etc/mosquitto):

sudo cp -R test_certs/ /etc/mosquitto/

Step 7:

Edit the mosquitto.conf file as shown:

cd /etc/mosquitto
sudo nano mosquitto.conf
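The edited configuration is only shown as a screenshot. As an added example (not the author’s file), here is a TLS-only listener that matches this part’s setup, written and checked from the shell; the certificate directory is passed as a parameter because the article copies the files to /etc/mosquitto/test_certs in step 6 while the closing script uses /etc/mosquitto/ca_certificates.

```shell
#!/bin/sh
# Added example, not the article's file: write a Mosquitto listener that matches
# this part's setup (the broker proves its identity with a CA-signed certificate,
# no client certificates, no username/password yet) and check it before starting.
# Assumes the certificate directory passed in holds ca.crt, server.crt and server.key.

# write_tls_listener_conf <conf-path> <cert-dir>
write_tls_listener_conf() {
  cat > "$1" <<EOF
# TLS-only MQTT: declare port 8883 and nothing on 1883.
listener 8883
cafile $2/ca.crt
certfile $2/server.crt
keyfile $2/server.key
# Clients only verify the broker in this part; no client certificate is requested.
require_certificate false
# Testing TLS alone, as advised above; switch to a password_file or
# client certificates before exposing the broker.
allow_anonymous true
EOF
}

# check_tls_listener_conf <conf-path>
# Returns 0 when a listener is declared and every referenced certificate file
# is readable; prints one line per problem otherwise.
check_tls_listener_conf() {
  rc=0
  if ! grep -Eq '^listener[[:space:]]+[0-9]+' "$1"; then
    echo "FAIL: no listener declared (Mosquitto 2.x then only accepts local clients)"; rc=1
  fi
  for key in cafile certfile keyfile; do
    path=$(awk -v k="$key" '$1 == k { print $2 }' "$1")
    if [ -z "$path" ] || [ ! -r "$path" ]; then
      echo "FAIL: $key missing from config or file not readable: $path"; rc=1
    fi
  done
  return $rc
}
```

Write to a scratch file first (`write_tls_listener_conf /tmp/mosquitto.conf /etc/mosquitto/certs`), run the check, and only then copy the result over /etc/mosquitto/mosquitto.conf with sudo.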

To finish, launch your Mosquitto broker with your edited config file, to check that the connection is secured:

sudo mosquitto -v -c /etc/mosquitto/mosquitto.conf
first terminal opened

Your output may differ slightly because my configuration is different.

If your broker is already running as a service on port 1883, stop it with this command and launch it again with your Mosquitto config file:

sudo service mosquitto stop

Open another terminal to subscribe to a topic, then go to the folder where you generated your SSL files:

second terminal opened with the first still open above

Subscribe to a topic called “test”, setting your own broker IP address, with this command:

sudo mosquitto_sub -h <broker IP address> -p 8883 -t test --cafile ca.crt --cert server.crt --key server.key

(Only --cafile is strictly required here, since the broker does not ask the client for a certificate; --cert and --key are client-certificate options.)

To finish this tutorial, open a third terminal, navigate to your test_certs folder, and test whether you can publish to the subscribed topic:

sudo mosquitto_pub -h <broker IP address> -p 8883 -t test -m helloworld --cafile ca.crt --cert server.crt --key server.key
second terminal

You should see the message appear in your second terminal!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Double-check the secured connection with the MQTT Explorer client

If your MQTT Explorer client is installed on another computer, copy your test_certs folder to a USB key and load ca.crt, server.crt and server.key into the required fields, as in the following image (only ca.crt is strictly needed, since the broker does not request a client certificate):

Finally, check with it whether you can publish to the test topic from your client:

MQTT EXPLORER CLIENT / Second Terminal from raspberry pi

Wrapping Up

In summary, I’ve shown you the first part of setting up a secure MQTT communication channel.

If everything is all right, you can try again with this homemade bash script, which is quicker for generating the certificates:

1) Create a new text file with a .sh extension.

touch bashscript.sh

2) Add #!/bin/bash to the top of it.

This is necessary for the “make it executable” part.

3) Add the lines that you would normally type at the command line. The subject fields are passed with -subj, so OpenSSL does not prompt for them; the other inputs are left blank.

#!/bin/bash
set -e   # stop at the first failing command instead of copying half-generated files

# Broker address the clients will dial: it becomes the CN of the server certificate.
IP="<IP_BROKER_ADRESS>"
SUBJECT_CA="/C=FR/O=IOT/OU=client/CN=test"
SUBJECT_SERVER="/C=FR/O=iot/OU=server/CN=$IP"

# Self-signed CA key pair and certificate (steps 1 and 2 in one command).
function generate_CA () {
echo "$SUBJECT_CA"
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CA" -days 365 -keyout ca.key -out ca.crt
}

# Server key pair, CSR and CA-signed certificate (steps 3 to 5).
# The broker address is carried only in the CN; clients that insist on a
# subjectAltName entry will reject such a certificate.
function generate_server () {
echo "$SUBJECT_SERVER"
openssl req -nodes -sha256 -new -subj "$SUBJECT_SERVER" -keyout server.key -out server.csr
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
}

# Install the three files the broker needs (step 6); ca.key stays in the working folder.
function copy_keys_to_broker () {
sudo mkdir -p /etc/mosquitto/ca_certificates   # -p: do not fail when the folder already exists
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp server.crt /etc/mosquitto/ca_certificates/
sudo cp server.key /etc/mosquitto/ca_certificates/
# cp creates the copies world-readable and 777 opens the folder to everyone, so
# server.key can be read by any local account. Fine for this test; beyond it, give
# the files to the mosquitto user (chown) and restrict the key to mode 600.
sudo chmod 777 /etc/mosquitto/ca_certificates/
}

generate_CA
generate_server
copy_keys_to_broker

4) At the command line, run chmod u+x YourScriptFileName.sh

I ran this command to make the file executable.

sudo chmod u+x bashscript.sh

5) Run it whenever you need!

Now, whenever I deploy changes to the MQTT client, I run ./bashscript.sh and boom. Done.

The second part will be shorter: the goal will be to connect the ESP32 to the Mosquitto MQTT broker with the SSL/TLS certificate.


Rodolphe Beloncle

Experienced front-end developer with a demonstrated history of working in the wine industry. Recently I discovered IoT programming, and I’m having fun with it!