Mosquitto 单向SSL配置

摘自:https://blog.csdn.net/a_bcd_123/article/details/70167833

2017年04月14日 06:56:06 strongjack 阅读数:694
 
 版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/a_bcd_123/article/details/70167833

1.生成证书

要单向配置SSL 需要 做三项前置工作

1. 生成CA证书

2.生成server 端证书,server 端key

github 的一个开源项目已经做到这点 ,详情可见 https://github.com/iandl/mqttitude/blob/master/tools/TLS/generate-CA.sh

为方便阅读,整个shell 代码先贴出来

#!/bin/sh

#(@)generate-CA.sh - Create CA key-pair and server key-pair signed by CA

# Copyright (c) 2013 Jan-Piet Mens <jpmens()gmail.com>

# All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are met:

#

# 1. Redistributions of source code must retain the above copyright notice,

#    this list of conditions and the following disclaimer.

# 2. Redistributions in binary form must reproduce the above copyright

#    notice, this list of conditions and the following disclaimer in the

#    documentation and/or other materials provided with the distribution.

# 3. Neither the name of mosquitto nor the names of its

#    contributors may be used to endorse or promote products derived from

#    this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

set -e

DIR=${TARGET:='.'}

# A space-separated list of alternate hostnames (subjAltName)

# may be empty ""

ALTHOSTNAMES="broker.example.com foo.example.de"

CA_ORG='/O=MQTTitude.org/emailAddress=nobody@example.net'

CA_DN="/CN=An MQTT broker${CA_ORG}"

CACERT=${DIR}/ca

SERVER=${DIR}/server

SERVER_DN="/CN=$(hostname -f)$CA_ORG"

keybits=2048

openssl=$(which openssl)

function maxdays() {

	nowyear=$(date +%Y)

	years=$(expr 2032 - $nowyear)

	days=$(expr $years '*' 365)

	echo $days

}

function getipaddresses() {

	/sbin/ifconfig |

		sed -En '/inet6? /p' |

		sed -Ee 's/inet6? (addr:)?//' |

		awk '{print $1;}' |

		sed -e 's/[%/].*//' |

		egrep -v '(::1|127\.0\.0\.1)'	# omit loopback to add it later

}

function addresslist() {

	ALIST=""

	for a in $(getipaddresses); do

		ALIST="${ALIST}IP:$a,"

	done

	ALIST="${ALIST}IP:127.0.0.1,IP:::1,"

	for h in $(echo ${ALTHOSTNAMES}); do

		ALIST="${ALIST}DNS:$h,"

	done

	ALIST="${ALIST}DNS:localhost"

	echo $ALIST

}

days=$(maxdays)

if [ -n "$CAKILLFILES" ]; then

	rm -f $CACERT.??? $SERVER.??? $CACERT.srl

fi

if [ ! -f $CACERT.crt ]; then

	# Create un-encrypted (!) key

	$openssl req -newkey rsa:${keybits} -x509 -nodes -days $days -extensions v3_ca -keyout $CACERT.key -out $CACERT.crt -subj "${CA_DN}"

	echo "Created CA certificate in $CACERT.crt"

	$openssl x509 -in $CACERT.crt -nameopt multiline -subject -noout

	chmod 400 $CACERT.key

	chmod 444 $CACERT.crt

fi

if [ ! -f $SERVER.key ]; then

	echo "--- Creating server key and signing request"

	$openssl genrsa -out $SERVER.key $keybits

	$openssl req -new \

		-out $SERVER.csr \

		-key $SERVER.key \

		-subj "${SERVER_DN}"

	chmod 400 $SERVER.key

fi

if [ -f $SERVER.csr -a ! -f $SERVER.crt ]; then

	# There's no way to pass subjAltName on the CLI so

	# create a cnf file and use that.

	CNF=`mktemp /tmp/cacnf.XXXXXXXX` || { echo "$0: can't create temp file" >&2; exit 1; }

	sed -e 's/^.*%%% //' > $CNF <<\!ENDconfig

	%%% [ JPMextensions ]

	%%% basicConstraints        = critical,CA:false

	%%% nsCertType              = server

	%%% keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

	%%% nsComment               = "Broker Certificate"

	%%% subjectKeyIdentifier    = hash

	%%% authorityKeyIdentifier  = keyid,issuer:always

	%%% subjectAltName          = $ENV::SUBJALTNAME

	%%% # issuerAltName           = issuer:copy

	%%% nsCaRevocationUrl       = http://mqttitude.org/carev/

	%%% nsRevocationUrl         = http://mqttitude.org/carev/

!ENDconfig

	SUBJALTNAME="$(addresslist)"

	export SUBJALTNAME		# Use environment. Because I can. ;-)

	echo "--- Creating and signing server certificate"

	$openssl x509 -req \

		-in $SERVER.csr \

		-CA $CACERT.crt \

		-CAkey $CACERT.key \

		-CAcreateserial \

		-CAserial "${DIR}/ca.srl" \

		-out $SERVER.crt \

		-days $days \

		-extfile ${CNF} \

		-extensions JPMextensions

	rm -f $CNF

	chmod 444 $SERVER.crt

fi

实际过程中大家可根据自己的需要修改这段脚本的内容,为了快速搭建我们的单向SSL, 我们这里不做任何修改,直接执行这段shell

执行完成后可生成  server.crt  server.csr  server.ke ca.crt  ca.key  ca.srl

2.配置mosquitto 配置文件

 

ca.crt,  sever.crt, server.key 是第一步中生成的文件

启动 broker

启动 subscribe 端, 这里需要注意,如果sbuscreibe 端和broker 不在同一台机器,请将第一步生成的ca.crt 拷贝到 该机器

启动 publish 端,  如果publish 端和broker 不在同一台机器,请将第一步生成的ca.crt 拷贝到 该机器

配置完成,可以发送,接收消息了

Mosquitto 单向SSL配置的更多相关文章

  1. mosquitto --- 单向认证

    1.生成证书要单向配置SSL 需要 做三项前置工作 1. 生成CA证书 2.生成server 端证书,server 端key github 的一个开源项目已经做到这点 ,详情可见 https://gi ...

  2. SSL 通信原理及Tomcat SSL 配置

    SSL 通信原理及Tomcat SSL 双向配置 目录1 参考资料 .................................................................. ...

  3. Apollo单向SSL认证(1)

    参考链接:https://www.cnblogs.com/benwu/articles/4891758.html keytool -genkey -alias mybroker -keyalg RSA ...

  4. 百度CDN 网站SSL 配置

    百度CDN SSL配置步骤 一般从SSL提供商购买到的证书是CRT二进制格式的. 1. 将 CRT 导入到IIS中, 然后从IIS中导出为PFX格式 2. 下载openssl,执行下面命令 提取用户证 ...

  5. Nginx SSL配置过程

    1. 在godaddy购买了UCC SSL(最多5个域名)的SSL证书 2. 设置证书 -- 管理 -- 3. 需要制作证书申请CSR文件(在线工具制作或者openssl命令制作),保存CSR和key ...

  6. ssl配置

    Apache SSL配置 作者: JeremyWei | 可以转载, 但必须以超链接形式标明文章原始出处和作者信息及版权声明网址: http://weizhifeng.net/apache-ssl.h ...

  7. nginx反向代理cas server之1:多个cas server负载均衡配置以及ssl配置

    系统环境采用centOS7 由于cas server不支持session持久化方式的共享,所以请用其他方式代替,例如:组播复制. 为什么不支持session持久化:http://blog.csdn.n ...

  8. centos7邮件服务器SSL配置

    在上篇文章centos7搭建postfix邮件服务器的搭建中我们没有配置SSL,接下来我们在这篇文章中讲讲centos7邮件服务器SSL配置. 1. 创建SSL证书 [root@www ~]# cd ...

  9. Sahi (2) —— https/SSL配置(102 Tutorial)

    Sahi (2) -- https/SSL配置(102 Tutorial) jvm版本: 1.8.0_65 sahi版本: Sahi Pro 6.1.0 参考来源: Sahi官网 Sahi Quick ...

随机推荐

  1. 关于不同应用程序存储IO类型的描述

    介绍 存储系统作为数据的载体,为前端的服务器和应用程序提供读写服务.存储阵列某种意义上来说,是对应用服务器提供数据服务的后端“服务器”.应用服务器对存 储系统发送数据的“读”和“写”的请求.然而,不同 ...

  2. 准确计算Java中对象的大小

    由于在项目中需要大致计算一下对象的内存占用率(Hadoop中的Reduce端内存占用居高不下却又无法解释),因此深入学习了一下如何准确计算对象的大小. 使用system.gc()和java.lang. ...

  3. [转]第一次使用Android Studio时你应该知道的一切配置(三):gradle项目构建

    目录: 1.gradle的概念 2.gradle配置jar包,和libs文件夹导入jar包的区别 3.签名打包: (1)Studio (2)命令行 (3)gradle wrapper的原理 4.Bui ...

  4. node的socket.io的之事件篇

    socket.io类库不但可以相互发送消息,而且还可以通过socket端口对象的emit方法互相发送事件. emit在之前的事件上说过现在一句话带过:emit是用来手动触发事件的. socket.em ...

  5. Python - 第一个 Django 项目

    Django 的安装: pip3 install django==1.11.11 pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple/ d ...

  6. js控制电池

    js控制电池 判断设备是否在充电 navigator.getBattery().then(function(battery){ if(battery.charging) { alert("电 ...

  7. Oracle播放多条 INSERT ALL

    Oracle INSERT ALL 语句介绍 Oracle INSERT ALL 语句用来用一个 INSERT 语句添加多行.该行可以只使用一个SQL命令插入到一个表或多个表. 语法 Oracle I ...

  8. pycharm安装---优秀的IDE

    概述:pycharm当前来讲是python最优秀的IDE. 1. 官网下载安装包 2.解压 3. cd 到解压的bin文件中 4.执行sh ./pycharm.sh 5.锁定到图标中

  9. Tomcat官方文档关于数据源配置的内容

    虽然有网上有网友自己总结的文章,但说明得总是不够清晰,还是参考官方文档理解得比较透彻: http://tomcat.apache.org/tomcat-7.0-doc/jdbc-pool.html h ...

  10. GeoServer之图层的新建与发布

    GeoServer之图层的新建与发布 GeoServer的图层发布并不复杂,在经过: 1.创建工作区 2.添加新的数据存储 3.编写styles 后:我们就可以很简单的创建图层了. 1.在新建图层中选 ...