0

I have simple MQTT Mosquitto server that I'm trying to make secure.

Mosquitto.conf:

log_type all
password_file /etc/mosquitto/mosquitto_users.txt
pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

port 8883

cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/ca_certificates/server.key
certfile /etc/mosquitto/ca_certificates/server.crt
tls_version tlsv1

On current server I generated:

CA certificate

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Server certificate:

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key

Self sign server certificate:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 720

All required files placed according to msoquitto.conf configuration.

I'm using following commands to subscribe and post messages by using ca.crt certificate.

mosquitto_sub -h 192.168.1.8 -t sensor --cafile ca.crt -p 8883 -d
mosquitto_pub -h 192.168.1.8 -t sensor --cafile ca.crt -m "test" -p 8883 -d

Everything works fine. But does it men communication is secured? Should I place server on Internet and nobody will grab information?

Improve this question

1 Answer 1

Reset to default
0

It's always a bit scary when it just works like this.

If you want to test it you might want to try getting it to fail. If someone tries to spoof your server they will not be able to do so with a certificate signed by your (self-signed) CA certificate. So you might want to see what happens if the CA certificate used by then client doesn't match the one used to sign the server certificate.

So to test if your client mosquitto_sub and mosquitto_pub are properly checking the certificate you could try generating a completely new "dummy" CA certificate. Don't install this on the server. But try to use it with your mosquitto_sub and mosquitto_pub commands:

mosquitto_sub -h 192.168.1.8 -t sensor --cafile dummy_ca.crt -p 8883 -d
mosquitto_pub -h 192.168.1.8 -t sensor --cafile dummy_ca.crt -m "test" -p 8883 -d

If your client is communicating securely with the server then this should fail. That's because your server's certificate would not be signed with the CA certificate expected by the client. If it works with the dummy certificate then you have a problem and you need to investigate why.

Public key encryption works using key pairs (a public and a private key). The private key is kept hidden and never shared with anyone. Anything encrypted with the public key can only be decrypted with the private key. Not even the public key can be used to decrypt something encrypted with the public key... and you cannot work out the private key from the public key.

So to talk across an encrypted channel, both devices (client and server) send their own public key to the other, keeping their own private key a secret. It doesn't matter if a hacker can get these because they cannot be used to decrypt anything. Then to talk, the client encrypts everything with the server's public key and the server encrypts everything with the client's public key. Only the server can decrypt the messages it receives because it is the only one with it's private key to decrypt them. Likewise the client is the only one that can decrypt messages sent to it.

Certificates are only used to ensure that a hacker cannot perform a "man in the middle attack" by pretending to be the server. A certificate contains three critical pieces of information:

  1. The name of the server (it's domain name)
  2. The server's public key
  3. A signature from the CA proving this certificate is genuine.

This way a hacker can not pretend to be your server because they must either:

  • Have access to the server's private key to decrypt everything you send. They can't get this because it's always kept secret by the server and never given out to anyone
  • Send you a certificate saying their own (fake) public key is the correct one for the server. They can't create a fake certificate because they can't get it signed by the CA
Improve this answer
2
  • I'm just thinking that client, which has only ca.crt file should not be able to encrypt traffic, because for this purpose encryption keys are needed Commented Dec 18, 2019 at 9:53
  • @vico You should read up on how public key encryption and certificates are used. The main thing to remember is never give out the private key to anyone. Beyond this, there are many resources on the internet explaining how it works. Commented Dec 18, 2019 at 11:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.