SSL certificate verification on ESP8266 Wemos D1 Mini with MQTT broker


Question


I have a Raspberry Pi 3 with Raspbian Stretch as its operating system. I have installed and fully configured an MQTT broker on the Raspberry Pi following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04 Everything works fine and well on the broker's side. The certificates get renewed after 60 days and you can only connect to port 1883 via the localhost; the other ports (8883 and 8083) are open but can only be accessed using TLS version 1.2 and, for the latter, also using websockets. Below you can find the code of my configuration of mosquitto (/etc/mosquitto/conf.d/default.conf).

allow_anonymous false
password_file /etc/mosquitto/passwd

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/home.kamidesigns.be/cert.pem
cafile /etc/letsencrypt/live/home.kamidesigns.be/chain.pem
keyfile /etc/letsencrypt/live/home.kamidesigns.be/privkey.pem
tls_version tlsv1.2

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/home.kamidesigns.be/cert.pem
cafile /etc/letsencrypt/live/home.kamidesigns.be/chain.pem
keyfile /etc/letsencrypt/live/home.kamidesigns.be/privkey.pem
tls_version tlsv1.2


I also bought an ESP8266 Wemos D1 Mini to connect to this broker in a secure way. I used the pubsubclient library from this link: https://github.com/knolleary/pubsubclient for my MQTT client. I use the master branch of this link: https://github.com/esp8266/Arduino for my secure SSL connection. Below you see the code I used for programming my Wemos D1 Mini.

#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>
#include <time.h>

// Called by PubSubClient for every message on a subscribed topic.
void callback(char* topic, byte* payload, unsigned int length) {
  Serial.print("Message arrived [");
  Serial.print(topic);
  Serial.print("] ");
  for (unsigned int i = 0; i < length; i++) {
    Serial.print((char)payload[i]);
  }
  Serial.println();
}

const char* ssid = "ssid";
const char* password = "wifipassword";

const char* host = "home.kamidesigns.be";
const int port = 8883;

// Note: no CA certificate or fingerprint is ever configured on this
// client, so nothing in this sketch checks the broker's certificate.
WiFiClientSecure espClient;
PubSubClient client(host, port, callback, espClient);

long lastMsg = 0;
char msg[50];
int value = 0;

void setup() {
  Serial.begin(115200);
  Serial.println();
  Serial.print("connecting to ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());

  // Synchronize time using SNTP. This is necessary to verify that
  // the TLS certificates offered by the server are currently valid.
  Serial.print("Setting time using SNTP");
  configTime(8 * 3600, 0, "pool.ntp.org", "time.nist.gov");
  time_t now = time(nullptr);
  while (now < 1000) {
    delay(500);
    Serial.print(".");
    now = time(nullptr);
  }
  Serial.println("");
  struct tm timeinfo;
  gmtime_r(&now, &timeinfo);
  Serial.print("Current time: ");
  Serial.print(asctime(&timeinfo));
}

void reconnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");
    // Attempt to connect
    if (client.connect("ESP8266LightController","username","password")) {
      Serial.println("connected");
      // Once connected, publish an announcement...
      client.publish("outTopic", "hello world");
      // ... and resubscribe
      client.subscribe("inTopic");
    } else {
      Serial.print("failed, rc=");
      Serial.print(client.state());
      Serial.println(" try again in 5 seconds");
      // Wait 5 seconds before retrying
      delay(5000);
    }
  }
}

// loop() was missing from the posted sketch; this is the standard
// PubSubClient loop that drives reconnect() and message handling.
void loop() {
  if (!client.connected()) {
    reconnect();
  }
  client.loop();
}


When I start my Wemos D1, the serial monitor says:

connecting to ssid ..
WiFi connected
IP address: 192.168.0.213
Setting time using SNTP.
Current time: Sat Oct 14 02:26:25 2017
Attempting MQTT connection...connected


This is good and it is exactly what I wanted but I'm confused by how my Wemos D1 is able to connect to port 8883 without it verifying the certificate chain of the server? Remember that I never uploaded a certificate to the Wemos D1 or implemented a certificate into the code, and still it can connect.

Recommended answer

One of 2 options:

  1. WiFiClientSecure includes a list of public CA certificates and is verifying your certificate against that list.
  2. By default, WiFiClientSecure does not verify the remote certificate.


Looking at this issue it looks like option 2 is most likely as it implies you have to verify the cert yourself after the connection.
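As an added example (not code from the question, the answer or the ESP8266 core), the same connection with the server chain actually verified, assuming the current ESP8266 Arduino core with the BearSSL-based WiFiClientSecure: the client is given the broker's root CA as a trust anchor, so the handshake is refused unless the chain, hostname and validity period check out. The PEM below is a placeholder for the root CA of the broker's Let's Encrypt chain; pinning the root rather than the leaf survives the 60-day renewals the question mentions.

```arduino
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>
#include <time.h>

const char* ssid = "ssid";
const char* password = "wifipassword";
const char* host = "home.kamidesigns.be";
const int port = 8883;

// Placeholder: paste the PEM of the root CA that issued the broker's
// Let's Encrypt chain. The leaf cert changes every 60 days; the root does not.
static const char ROOT_CA[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
...PASTE ROOT CA PEM HERE...
-----END CERTIFICATE-----
)EOF";

BearSSL::WiFiClientSecure espClient;
BearSSL::X509List trustAnchors(ROOT_CA);
PubSubClient client(espClient);

void setup() {
  Serial.begin(115200);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) delay(500);

  // Chain validation needs a correct clock (notBefore/notAfter checks).
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  while (time(nullptr) < 100000) delay(500);

  // Without this call WiFiClientSecure accepts any certificate; with it,
  // connect() fails unless the server chain validates against ROOT_CA.
  espClient.setTrustAnchors(&trustAnchors);
  client.setServer(host, port);
}

void loop() {
  if (!client.connected()) {
    if (client.connect("ESP8266LightController", "username", "password")) {
      client.subscribe("inTopic");
    } else {
      // Surface the TLS reason so a failed verification is not mistaken
      // for a network error.
      char err[80];
      espClient.getLastSSLError(err, sizeof(err));
      Serial.printf("MQTT connect failed rc=%d, TLS: %s\n", client.state(), err);
      delay(5000);
    }
  }
  client.loop();
}
```

To confirm the check is live, point host at a server presenting a certificate from a different CA: the connect attempt must fail and the TLS error must be printed.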
