mosquitto MQTT broker and Java client with SSL / TLS


Question

I'm using mosquitto and the Eclipse PAHO Java client.

Everything is working fine on plain TCP sockets, but now I want to use SSL for authentication (encryption is not necessarily needed).

First I followed http://mosquitto.org/man/mosquitto-tls-7.html

In the mosquitto client I cannot publish my message without the --insecure option, meaning I have to run

mosquitto_pub -h <server-ip> -p <port> -t "/topic1/test" -m "testmsg" --cafile ca_cert.pem --cert client.crt --key client_priv.key --tls-version tlsv1.2 --insecure

otherwise a protocol error appears on the mosquitto console, which says

1379576698: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
1379576698: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1379576698: Socket read error on client (null), disconnecting.

--insecure means not to check that the server certificate hostname matches the remote hostname.

A little bit strange for me is that I'm trying to use TLS but the broker responds with something about SSL.

However, I am trying to enable SSL support in my Java Paho client; I stick to the example here: https://gist.github.com/sharonbn/4104301

In the example you can see

SSLContext context = SSLContext.getInstance("TLSv1")

So does it mean I am trying to connect with TLSv1, right? Unfortunately I get an

javax.net.ssl.SSLHandshakeException: message_unknown

I tried to switch to TLSv1.2 (because it has been working for me with mosquitto_pub) and changed the context to

SSLContext context = SSLContext.getInstance("TLSv1.2")

but then I get a

NoSuchAlgorithmException: Unknown protocol: TLSv1.2

I don't know on which side this should be unknown...

By the way: if I do

mosquitto_pub -h <server-ip> -p <port> -t "/topic1/test" -m "testmsg" --cafile ca_cert.pem --cert client.crt --key client_priv.key --tls-version tlsv1 --insecure

the result is

1379595808: OpenSSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
1379595808: Socket read error on client (null), disconnecting.

The same happens if I try it from my Java client:

1379595995: OpenSSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
1379595995: Socket read error on client (null), disconnecting.

So I think I have to use/enable TLSv1.2 on the Java client side. But how?

Anybody out there who can help me? Thanks a lot in advance! Peace

Answer

A few points here.

First things first, you should look at generating the correct certificates. As the documentation says, --insecure should not be used in production, so it's worth focusing on that. The examples in mosquitto-tls are very basic. If you follow that procedure you must set the commonName of your server certificate to match the hostname of the server. If you are doing testing on your local computer, use commonName=localhost. I can't stress enough that using --insecure makes using TLS basically pointless. A much better way of creating a certificate is to add some subjectAltName entries to define which hostnames and/or IP addresses are valid for that certificate. An example of generating certificates with this feature is given in https://github.com/binarybucks/mqttitude/blob/master/tools/TLS/generate-CA.sh Note that you will need mosquitto 1.2.1 for this to work properly.

Moving on to the TLS version issue. It sounds very much like your JRE doesn't support TLSv1.2. According to this question you need at least IBM JRE 6/7 or Oracle JRE/OpenJDK 7 for TLSv1.2. Try using TLSv1 everywhere to ensure that your Java code doesn't have a problem somewhere else. You can configure mosquitto to use TLSv1 by using the option tls_version tlsv1 in your config file, right where you define the server certificates.

The terms TLS and SSL are often used interchangeably. SSL shouldn't really be used any more, except when referring to old protocol versions, but it has stuck, and when people say SSL they often mean TLS.
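The following is an added example (not code from the question, the answer, or the Paho project) that puts the two points above together on the Java side: it first prints which protocol versions the running JRE can negotiate, so a NoSuchAlgorithmException for "TLSv1.2" can be pinned to the client rather than the broker, and then builds a TLSv1.2 SSLSocketFactory for Paho that trusts only the broker's CA, presents the client certificate, and keeps hostname verification on (the Java equivalent of not passing --insecure). It assumes the client certificate and key from the question have been bundled into a PKCS#12 file (client.p12) with a password, that the broker listens on port 8883 under the hostname broker.example.com, and that the Paho client is version 1.2 or later, where setHttpsHostnameVerificationEnabled exists; all of those names and values are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttMessage;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

public class MqttTlsClient {

    // Protocol versions this JRE can negotiate. If "TLSv1.2" is not in the
    // list, "Unknown protocol: TLSv1.2" is a client-side limitation, not the broker's.
    public static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    // caCertPem:  the PEM CA certificate that signed the broker certificate (ca_cert.pem).
    // clientP12:  assumed PKCS#12 bundle of client.crt + client_priv.key, e.g. created with
    //             openssl pkcs12 -export -in client.crt -inkey client_priv.key -out client.p12
    public static SSLSocketFactory socketFactory(String caCertPem, String clientP12,
                                                 char[] p12Password) throws Exception {
        // Trust store containing only our CA: the broker cert must chain to it,
        // system-wide roots are deliberately not trusted here.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caCertPem)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("broker-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Key store with the client certificate and private key used for client authentication.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            keyStore.load(in, p12Password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, p12Password);

        // Throws NoSuchAlgorithmException on a JRE that does not implement TLSv1.2.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JRE supports: " + Arrays.toString(supportedProtocols()));

        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(
                socketFactory("ca_cert.pem", "client.p12", "changeit".toCharArray()));
        // Equivalent of NOT using --insecure: the broker certificate's CN/subjectAltName
        // must match the host in the URI below (Paho 1.2+, assumed here).
        opts.setHttpsHostnameVerificationEnabled(true);

        // Placeholder hostname/port; the hostname must appear in the broker certificate.
        MqttClient client = new MqttClient("ssl://broker.example.com:8883",
                "java-tls-client", new MemoryPersistence());
        client.connect(opts);
        client.publish("/topic1/test", new MqttMessage("testmsg".getBytes("UTF-8")));
        client.disconnect();
    }
}
```

If the printed list contains TLSv1.2, keep "TLSv1.2" on the client and set tls_version tlsv1.2 in mosquitto.conf; if it does not, the JRE is the component to upgrade, and dropping both sides to TLSv1 is only a way to confirm that nothing else in the Java code is broken. Note that the "certificate unknown" alert in the question is sent by the broker when it cannot validate the client certificate, so the CA that issued client.crt must also be the one named in the broker's cafile.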
