Mosquitto one-way SSL configuration

Excerpted from: https://blog.csdn.net/a_bcd_123/article/details/70167833

2017-04-14 06:56:06  strongjack  Views: 694
 
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/a_bcd_123/article/details/70167833

1. Generate the certificates

Configuring one-way SSL needs three artifacts prepared in advance, produced in two steps:

1. Generate the CA certificate

2. Generate the server certificate and the server key (signed by that CA)

An open-source project on GitHub already does exactly this; see https://github.com/iandl/mqttitude/blob/master/tools/TLS/generate-CA.sh

For readability, the whole shell script is reproduced below.

#!/bin/bash
#(@)generate-CA.sh - Create CA key-pair and server key-pair signed by CA
# (bash is required: the script uses the "function" keyword, which /bin/sh on
#  dash-based systems rejects)
# Copyright (c) 2013 Jan-Piet Mens <jpmens()gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of mosquitto nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

set -e

DIR=${TARGET:='.'}
# A space-separated list of alternate hostnames (subjAltName)
# may be empty ""
ALTHOSTNAMES="broker.example.com foo.example.de"
CA_ORG='/O=MQTTitude.org/emailAddress=nobody@example.net'
CA_DN="/CN=An MQTT broker${CA_ORG}"
CACERT=${DIR}/ca
SERVER=${DIR}/server
# The server CN is this host's FQDN; clients must connect using a name (or IP)
# that appears in the CN or in the subjectAltName built below.
SERVER_DN="/CN=$(hostname -f)$CA_ORG"
keybits=2048
openssl=$(which openssl)

# Validity in days: from the current year until 2032
function maxdays() {
    nowyear=$(date +%Y)
    years=$(expr 2032 - $nowyear)
    days=$(expr $years '*' 365)

    echo $days
}

# All local IPv4/IPv6 addresses except loopback. Relies on ifconfig; on hosts
# that only ship iproute2, substitute "ip -o addr" for the first line.
function getipaddresses() {
    /sbin/ifconfig |
        sed -En '/inet6? /p' |
        sed -Ee 's/inet6? (addr:)?//' |
        awk '{print $1;}' |
        sed -e 's/[%/].*//' |
        egrep -v '(::1|127\.0\.0\.1)'   # omit loopback to add it later
}

# Build the subjectAltName value: local IPs, loopback, ALTHOSTNAMES, localhost
function addresslist() {
    ALIST=""
    for a in $(getipaddresses); do
        ALIST="${ALIST}IP:$a,"
    done
    ALIST="${ALIST}IP:127.0.0.1,IP:::1,"

    for h in $(echo ${ALTHOSTNAMES}); do
        ALIST="${ALIST}DNS:$h,"
    done
    ALIST="${ALIST}DNS:localhost"
    echo $ALIST
}

days=$(maxdays)

if [ -n "$CAKILLFILES" ]; then
    rm -f $CACERT.??? $SERVER.??? $CACERT.srl
fi

if [ ! -f $CACERT.crt ]; then
    # Create un-encrypted (!) key. Anyone holding ca.key can issue broker
    # certificates that every client trusts: keep it off the clients entirely
    # and distribute only ca.crt.
    $openssl req -newkey rsa:${keybits} -x509 -nodes -days $days -extensions v3_ca -keyout $CACERT.key -out $CACERT.crt -subj "${CA_DN}"
    echo "Created CA certificate in $CACERT.crt"
    $openssl x509 -in $CACERT.crt -nameopt multiline -subject -noout

    chmod 400 $CACERT.key
    chmod 444 $CACERT.crt
fi

if [ ! -f $SERVER.key ]; then
    echo "--- Creating server key and signing request"
    $openssl genrsa -out $SERVER.key $keybits

    $openssl req -new \
        -out $SERVER.csr \
        -key $SERVER.key \
        -subj "${SERVER_DN}"
    chmod 400 $SERVER.key
fi

if [ -f $SERVER.csr -a ! -f $SERVER.crt ]; then

    # There's no way to pass subjAltName on the CLI so
    # create a cnf file and use that.
    # (The ns* entries are legacy Netscape extensions; they are harmless
    #  and ignored by modern TLS clients.)

    CNF=`mktemp /tmp/cacnf.XXXXXXXX` || { echo "$0: can't create temp file" >&2; exit 1; }
    sed -e 's/^.*%%% //' > $CNF <<\!ENDconfig
    %%% [ JPMextensions ]
    %%% basicConstraints = critical,CA:false
    %%% nsCertType = server
    %%% keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    %%% nsComment = "Broker Certificate"
    %%% subjectKeyIdentifier = hash
    %%% authorityKeyIdentifier = keyid,issuer:always
    %%% subjectAltName = $ENV::SUBJALTNAME
    %%% # issuerAltName = issuer:copy
    %%% nsCaRevocationUrl = http://mqttitude.org/carev/
    %%% nsRevocationUrl = http://mqttitude.org/carev/
!ENDconfig

    SUBJALTNAME="$(addresslist)"
    export SUBJALTNAME      # Use environment. Because I can. ;-)

    echo "--- Creating and signing server certificate"
    $openssl x509 -req \
        -in $SERVER.csr \
        -CA $CACERT.crt \
        -CAkey $CACERT.key \
        -CAcreateserial \
        -CAserial "${DIR}/ca.srl" \
        -out $SERVER.crt \
        -days $days \
        -extfile ${CNF} \
        -extensions JPMextensions

    rm -f $CNF
    chmod 444 $SERVER.crt
fi

In practice you can adapt the script to your own needs (at minimum, put the host name or IP your clients will actually connect with into ALTHOSTNAMES or the local address list, since clients verify that name against the certificate). To get one-way SSL up quickly we make no changes here and simply run the script.

When it finishes, the following files have been generated: server.crt, server.csr, server.key, ca.crt, ca.key, ca.srl

2. Configure the mosquitto configuration file

 

ca.crt, server.crt and server.key are the files generated in step 1; mosquitto.conf refers to them as cafile, certfile and keyfile respectively.

Start the broker.

Start the subscriber. Note: if the subscriber and the broker are not on the same machine, copy the ca.crt generated in step 1 to that machine. Only ca.crt is needed on the client side; ca.key must never be copied there.

Start the publisher. If the publisher and the broker are not on the same machine, likewise copy the ca.crt from step 1 to that machine.

Configuration is complete; messages can now be published and received. In this one-way setup only the broker is authenticated by certificate; clients are not, so client authentication has to come from something else, such as a Mosquitto password file.
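The steps above (broker configuration, starting the broker, the subscriber and the publisher) collected into one script, as an added example that is not part of the original post or of the Mosquitto project. It assumes the files from generate-CA.sh were copied to /etc/mosquitto/certs, that clients reach the broker as broker.example.com (one of the ALTHOSTNAMES in the script; set BROKER_HOST to whatever name or IP your clients use, which must appear in the certificate), and that a Mosquitto password file exists at /etc/mosquitto/passwd. The paths, the topic name, the file name mosquitto-tls.conf and the MQTT_USER/MQTT_PASS variables are all assumptions. Besides the configuration it shows two checks worth running before starting the broker: that server.crt chains to ca.crt and names the host clients connect to, and that the private key is readable by its owner only.

```shell
#!/bin/bash
# Added example: one-way TLS for Mosquitto using the files from generate-CA.sh.
# Assumed (hypothetical) locations; override via the environment.
set -e

CERT_DIR="${CERT_DIR:-/etc/mosquitto/certs}"       # ca.crt, server.crt, server.key
BROKER_HOST="${BROKER_HOST:-broker.example.com}"   # must be in the cert's CN/SAN
TOPIC="${TOPIC:-test/topic}"

# Broker configuration: TLS listener on 8883.
# require_certificate false is what makes this one-way: clients verify the
# broker, the broker does not verify clients, so anonymous access is turned off
# and a password file (mosquitto_passwd -c /etc/mosquitto/passwd <user>) is used.
broker_conf() {
    cat <<EOF
listener 8883
cafile ${CERT_DIR}/ca.crt
certfile ${CERT_DIR}/server.crt
keyfile ${CERT_DIR}/server.key
require_certificate false
tls_version tlsv1.2
allow_anonymous false
password_file /etc/mosquitto/passwd
EOF
}

# Pre-flight: all three files exist and server.key is owner-only (generate-CA.sh
# sets 400; a group/world-readable key is rejected here).
preflight() {
    dir="$1"
    for f in ca.crt server.crt server.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    mode=$(stat -c '%a' "$dir/server.key" 2>/dev/null || stat -f '%Lp' "$dir/server.key")
    case "$mode" in
        *00) ;;   # e.g. 400 or 600
        *) echo "$dir/server.key is group/world readable (mode $mode)" >&2; return 1 ;;
    esac
}

# server.crt must chain to ca.crt and its subjectAltName must contain the
# DNS name or IPv4 address the clients pass as -h; otherwise the client side
# of the handshake fails with a verification error.
verify_server_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    esc=$(printf '%s\n' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$dir/server.crt" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' |
        grep -qxE "(DNS|IP Address):${esc}"
}

# Client side: only ca.crt is copied to the client machine, never ca.key.
# Do not "fix" a verification error with --insecure: that disables the
# hostname check and lets any holder of a CA-signed cert impersonate the broker.
subscribe() {
    mosquitto_sub -h "$BROKER_HOST" -p 8883 --cafile "$1/ca.crt" \
        -u "${MQTT_USER:?MQTT_USER not set}" -P "${MQTT_PASS:?MQTT_PASS not set}" \
        -t "$TOPIC" -v
}
publish() {
    mosquitto_pub -h "$BROKER_HOST" -p 8883 --cafile "$1/ca.crt" \
        -u "${MQTT_USER:?MQTT_USER not set}" -P "${MQTT_PASS:?MQTT_PASS not set}" \
        -t "$TOPIC" -m "$2"
}

main() {
    preflight "$CERT_DIR"
    verify_server_cert "$CERT_DIR" "$BROKER_HOST"
    broker_conf > mosquitto-tls.conf
    mosquitto -c mosquitto-tls.conf -v &   # start the broker
    sleep 1
    subscribe "$CERT_DIR" &                # subscriber (same host here)
    sleep 1
    publish "$CERT_DIR" "hello over TLS"   # publisher
}

# The demo itself only runs when asked for, so the functions can be sourced.
if [ "${RUN_DEMO:-0}" = 1 ]; then main "$@"; fi
```

Run it with RUN_DEMO=1 MQTT_USER=... MQTT_PASS=... once the certificates and password file are in place. If mosquitto_sub reports a certificate or hostname verification error, the cure is to use an -h value that is in the certificate, or to regenerate the server certificate with the right ALTHOSTNAMES, not --insecure.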
