Mosquitto 单向SSL配置

摘自:https://blog.csdn.net/a_bcd_123/article/details/70167833

2017年04月14日 06:56:06 strongjack 阅读数:694
 
 版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/a_bcd_123/article/details/70167833

1.生成证书

要单向配置SSL 需要 做三项前置工作

1. 生成CA证书

2.生成server 端证书,server 端key

github 的一个开源项目已经做到这点 ,详情可见 https://github.com/iandl/mqttitude/blob/master/tools/TLS/generate-CA.sh

为方便阅读,整个shell 代码先贴出来

#!/bin/sh

#(@)generate-CA.sh - Create CA key-pair and server key-pair signed by CA

# Copyright (c) 2013 Jan-Piet Mens <jpmens()gmail.com>

# All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are met:

#

# 1. Redistributions of source code must retain the above copyright notice,

#    this list of conditions and the following disclaimer.

# 2. Redistributions in binary form must reproduce the above copyright

#    notice, this list of conditions and the following disclaimer in the

#    documentation and/or other materials provided with the distribution.

# 3. Neither the name of mosquitto nor the names of its

#    contributors may be used to endorse or promote products derived from

#    this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

set -e

DIR=${TARGET:='.'}

# A space-separated list of alternate hostnames (subjAltName)

# may be empty ""

ALTHOSTNAMES="broker.example.com foo.example.de"

CA_ORG='/O=MQTTitude.org/emailAddress=nobody@example.net'

CA_DN="/CN=An MQTT broker${CA_ORG}"

CACERT=${DIR}/ca

SERVER=${DIR}/server

SERVER_DN="/CN=$(hostname -f)$CA_ORG"

keybits=2048

openssl=$(which openssl)

function maxdays() {

	nowyear=$(date +%Y)

	years=$(expr 2032 - $nowyear)

	days=$(expr $years '*' 365)

	echo $days

}

function getipaddresses() {

	/sbin/ifconfig |

		sed -En '/inet6? /p' |

		sed -Ee 's/inet6? (addr:)?//' |

		awk '{print $1;}' |

		sed -e 's/[%/].*//' |

		egrep -v '(::1|127\.0\.0\.1)'	# omit loopback to add it later

}

function addresslist() {

	ALIST=""

	for a in $(getipaddresses); do

		ALIST="${ALIST}IP:$a,"

	done

	ALIST="${ALIST}IP:127.0.0.1,IP:::1,"

	for h in $(echo ${ALTHOSTNAMES}); do

		ALIST="${ALIST}DNS:$h,"

	done

	ALIST="${ALIST}DNS:localhost"

	echo $ALIST

}

days=$(maxdays)

if [ -n "$CAKILLFILES" ]; then

	rm -f $CACERT.??? $SERVER.??? $CACERT.srl

fi

if [ ! -f $CACERT.crt ]; then

	# Create un-encrypted (!) key

	$openssl req -newkey rsa:${keybits} -x509 -nodes -days $days -extensions v3_ca -keyout $CACERT.key -out $CACERT.crt -subj "${CA_DN}"

	echo "Created CA certificate in $CACERT.crt"

	$openssl x509 -in $CACERT.crt -nameopt multiline -subject -noout

	chmod 400 $CACERT.key

	chmod 444 $CACERT.crt

fi

if [ ! -f $SERVER.key ]; then

	echo "--- Creating server key and signing request"

	$openssl genrsa -out $SERVER.key $keybits

	$openssl req -new \

		-out $SERVER.csr \

		-key $SERVER.key \

		-subj "${SERVER_DN}"

	chmod 400 $SERVER.key

fi

if [ -f $SERVER.csr -a ! -f $SERVER.crt ]; then

	# There's no way to pass subjAltName on the CLI so

	# create a cnf file and use that.

	CNF=`mktemp /tmp/cacnf.XXXXXXXX` || { echo "$0: can't create temp file" >&2; exit 1; }

	sed -e 's/^.*%%% //' > $CNF <<\!ENDconfig

	%%% [ JPMextensions ]

	%%% basicConstraints        = critical,CA:false

	%%% nsCertType              = server

	%%% keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

	%%% nsComment               = "Broker Certificate"

	%%% subjectKeyIdentifier    = hash

	%%% authorityKeyIdentifier  = keyid,issuer:always

	%%% subjectAltName          = $ENV::SUBJALTNAME

	%%% # issuerAltName           = issuer:copy

	%%% nsCaRevocationUrl       = http://mqttitude.org/carev/

	%%% nsRevocationUrl         = http://mqttitude.org/carev/

!ENDconfig

	SUBJALTNAME="$(addresslist)"

	export SUBJALTNAME		# Use environment. Because I can. ;-)

	echo "--- Creating and signing server certificate"

	$openssl x509 -req \

		-in $SERVER.csr \

		-CA $CACERT.crt \

		-CAkey $CACERT.key \

		-CAcreateserial \

		-CAserial "${DIR}/ca.srl" \

		-out $SERVER.crt \

		-days $days \

		-extfile ${CNF} \

		-extensions JPMextensions

	rm -f $CNF

	chmod 444 $SERVER.crt

fi

实际过程中大家可根据自己的需要修改这段脚本的内容,为了快速搭建我们的单向SSL, 我们这里不做任何修改,直接执行这段shell

执行完成后可生成  server.crt  server.csr  server.ke ca.crt  ca.key  ca.srl

2.配置mosquitto 配置文件

 

ca.crt,  sever.crt, server.key 是第一步中生成的文件

启动 broker

启动 subscribe 端, 这里需要注意,如果sbuscreibe 端和broker 不在同一台机器,请将第一步生成的ca.crt 拷贝到 该机器

启动 publish 端,  如果publish 端和broker 不在同一台机器,请将第一步生成的ca.crt 拷贝到 该机器

配置完成,可以发送,接收消息了

Mosquitto 单向SSL配置的更多相关文章

  1. mosquitto --- 单向认证

    1.生成证书要单向配置SSL 需要 做三项前置工作 1. 生成CA证书 2.生成server 端证书,server 端key github 的一个开源项目已经做到这点 ,详情可见 https://gi ...

  2. SSL 通信原理及Tomcat SSL 配置

    SSL 通信原理及Tomcat SSL 双向配置 目录1 参考资料 .................................................................. ...

  3. Apollo单向SSL认证(1)

    参考链接:https://www.cnblogs.com/benwu/articles/4891758.html keytool -genkey -alias mybroker -keyalg RSA ...

  4. 百度CDN 网站SSL 配置

    百度CDN SSL配置步骤 一般从SSL提供商购买到的证书是CRT二进制格式的. 1. 将 CRT 导入到IIS中, 然后从IIS中导出为PFX格式 2. 下载openssl,执行下面命令 提取用户证 ...

  5. Nginx SSL配置过程

    1. 在godaddy购买了UCC SSL(最多5个域名)的SSL证书 2. 设置证书 -- 管理 -- 3. 需要制作证书申请CSR文件(在线工具制作或者openssl命令制作),保存CSR和key ...

  6. ssl配置

    Apache SSL配置 作者: JeremyWei | 可以转载, 但必须以超链接形式标明文章原始出处和作者信息及版权声明网址: http://weizhifeng.net/apache-ssl.h ...

  7. nginx反向代理cas server之1:多个cas server负载均衡配置以及ssl配置

    系统环境采用centOS7 由于cas server不支持session持久化方式的共享,所以请用其他方式代替,例如:组播复制. 为什么不支持session持久化:http://blog.csdn.n ...

  8. centos7邮件服务器SSL配置

    在上篇文章centos7搭建postfix邮件服务器的搭建中我们没有配置SSL,接下来我们在这篇文章中讲讲centos7邮件服务器SSL配置. 1. 创建SSL证书 [root@www ~]# cd ...

  9. Sahi (2) —— https/SSL配置(102 Tutorial)

    Sahi (2) -- https/SSL配置(102 Tutorial) jvm版本: 1.8.0_65 sahi版本: Sahi Pro 6.1.0 参考来源: Sahi官网 Sahi Quick ...

随机推荐

  1. 【CSS】文字超出显示省略号&连续字符换行

    方法1.多行控制(css3) .text { width: 100%; word-break: break-all; display: -webkit-box; -webkit-line-clamp: ...

  2. js正则表达式验证大全--转载

    转载来源:http://www.cnblogs.com/hai-ping/articles/2997538.html#undefined //判断输入内容是否为空 function IsNull(){ ...

  3. Java 面向对象 初探

    public class test { public static void main(String[] args) { // 利用new关键字创建了一个Person对象 Person p = new ...

  4. Linux学习笔记 - Shell 输出命令

    1. echo 命令 echo 是基本的shell输出命令,她的语法是: echo string 我们也可以使用她来定制一些输出的格式,具体如下: 输出普通字符串 echo "it is a ...

  5. hotplug_uevent机制_修改mdev配置支持U盘自动挂载学习笔记

    1.接入U盘,看输出打印信息并分析 (1)输出信息 自动创建设备节点 (2)用ls命令查看 这里/dev/sda表示整个U盘,/dev/sda1表示这个U盘的第一个分区. (3)手动挂载,查看文件,手 ...

  6. node的socket.io类库概述

    socket.io是一个简单的小类库,该类库实现的功能类似于node中的net模块所实现的功能. 这些功能包括websocket通信,xhr轮询,jsonp轮询等. socket类库可以接受所有与服务 ...

  7. 5月8日上课笔记-浮动float

    IO文件复制 字符流(只能对文本文件进行操作) Reader Writer 字节流(对所有文件都能操作) InputStream OutputStream 一.浮动 边框弧度 border-radiu ...

  8. VMware 虚拟机中添加新硬盘的方法(转载)

    随着在虚拟机中存储的东西的逐渐的增加,虚拟机的硬盘也逐渐告急,因此急需拓展一块新的虚拟磁盘.以下便是在VMware 中添加新的虚拟磁盘的方法:   一.VMware新增磁盘的设置步骤 (建议:在设置虚 ...

  9. 升级phpcms的ckeditor编辑器

    首先说明一下为什么升级?网上很多人升级成了ueditor,可从fckedotror 到 ckeditor,我个人都是比较喜欢的,特别是开放式的插件方式.另外一个就是至少要懂得升级和插件的开发,这样也能 ...

  10. python‘s third day for me 字符串方法

    基 础 数 据 类 型 初 始   int  运算.+  -  *  /  **  %... bool: 判断,真假,作为条件. str:  存储少量的数据.操作简单,便于传输. list:  列表[ ...