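Mosquitto, the MQTT broker, supports both one-way and two-way SSL authentication. Let's first look at how to write the configuration file for one-way authentication. With one-way SSL, when an MQTT client connects to the MQTT server over SSL-encrypted communication, the client must use a certificate to verify that the server can be trusted before the encrypted channel is established. The client therefore compares the certificate sent by the server against the server's CA certificate or server certificate that it has already obtained through some other channel; if they match, a trusted, secure SSL connection is allowed to be established.
Mosquitto can be started with the following command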
mosquitto [-c config file] [ -d | --daemon ] [-p port number] [-v]
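which specifies how it starts. -c is followed by the configuration file holding the adjustable mosquitto parameters, such as whether basic authentication is enabled, which port is used, and the one-way or two-way SSL authentication settings.
-d runs mosquitto in the background.
-p sets the listening port of this mosquitto service instance; it overrides the port given in the configuration file specified with [-c config file].
-v enables debug (verbose) mode, which outputs more information.
Assume we have already used OpenSSL to generate the CA certificate and the server's self-signed public key and private key. They are stored at:
(1) Location of the CA certificate
D:\mosquitto\certificates\ca.crt
(2) Location of the server's self-signed public key (certificate)
D:\mosquitto\certificates\server.crt
(3) Location of the server's private key
D:\mosquitto\certificates\server.key
Assume the following configuration is stored in a text file named D:\mosquitto\singlewayssl.conf: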
# See also the mosquitto-tls man page.

# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "c_rehash <path to capath>" each time you add/remove a certificate.
cafile D:\mosquitto\certificates\ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile D:\mosquitto\certificates\server.crt

# Path to the PEM encoded keyfile.
keyfile D:\mosquitto\certificates\server.key

# This option defines the version of the TLS protocol to use for this listener.
# The default value will always be the highest version that is available for
# the version of openssl that the broker was compiled against. For openssl >=
# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
# valid values are tlsv1.
tls_version tlsv1
The mosquitto server can then be started with one-way SSL as follows:
mosquitto -c D:\mosquitto\singlewayssl.conf -p 1884 -v
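As an added example (not part of the original article and not Mosquitto's own code), the Python check below parses a configuration like singlewayssl.conf and reports settings that weaken or change one-way TLS. It assumes a single-listener file; the sample text is constructed from the article's configuration, the function names are illustrative, and tlsv1/tlsv1.1 are flagged because RFC 8996 deprecates TLS 1.0 and 1.1.

```python
# Added example: audit a mosquitto config intended for one-way (server-auth) TLS.
SAMPLE_CONF = r"""
# constructed sample mirroring the article's singlewayssl.conf
cafile D:\mosquitto\certificates\ca.crt
#capath
certfile D:\mosquitto\certificates\server.crt
keyfile D:\mosquitto\certificates\server.key
tls_version tlsv1
"""

WEAK_TLS = {"tlsv1", "tlsv1.1"}  # TLS 1.0 / 1.1, deprecated by RFC 8996


def parse_conf(text):
    """Return {option: value}, skipping blank lines and '#' comment lines."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # option name, then the rest of the line
        options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def audit_one_way_tls(text):
    """Return a list of findings for a one-way TLS listener configuration."""
    opts = parse_conf(text)
    findings = []
    if not (opts.get("cafile") or opts.get("capath")):
        findings.append("missing cafile/capath")
    for required in ("certfile", "keyfile"):
        if not opts.get(required):
            findings.append(f"missing {required}")
    version = opts.get("tls_version", "").lower()
    if version in WEAK_TLS:  # unset means the broker picks its highest version
        findings.append(f"weak tls_version {version}")
    if opts.get("require_certificate", "false").lower() == "true":
        findings.append("require_certificate true: two-way, not one-way")
    return findings


if __name__ == "__main__":
    for finding in audit_one_way_tls(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the article's configuration, the only finding is the tls_version line; setting it to tlsv1.2, one of the values the config comment lists as valid, clears it.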
Original article: http://blog.csdn.net/chancein007/article/details/46293031