Configure Mosquitto Bridge With SSL Encryption

It is very likely that you will want a bridged connection between two brokers to be encrypted.

The Mosquitto broker (server) provides two methods of using SSL encryption on a bridged connection:

  • Certificate encryption
  • PSK encryption

In this tutorial we will be configuring a secure bridged connection using both methods.

If you are new to certificates then you should read this tutorial on SSL encryption and certificates before continuing.



Broker Setup Overview

In this tutorial we will bridge topics on broker 1 to broker 2.

[Diagram: mosquitto-mqtt-ssl-bridge]

Broker 1 will be configured as the bridge and is effectively an SSL client.

Broker 2 will operate as a normal broker and will not require any configuration for bridging. It will act as an SSL server.

Generally locally connected clients will use the standard port 1883 and not use encryption as shown in the diagram below:

[Diagram: mosquitto-bridge-diagram-ssl]

SSL Encryption Using Certificates

Broker 2 needs to be configured as an SSL server and require encryption. I’ve chosen to use port 8883.

Notice the configuration is for an extra listener, and not for a bridge.

Here is the relevant part of the config file on broker 2 showing the SSL settings.

[Screenshot: broker2-config-file-ssl]

Now broker 1 needs to be configured as a bridge.

The setup is almost identical to a normal bridge connection except we need to add a line for the CA file and also change from using an IP address (192.168.1.184) to a name (ws4).

This is because my server key on broker 2 was generated with the name ws4. See the Mosquitto ssl tutorial for details.

Here is the bridging part of the config file:

[Screenshot: broker1-config-file-ssl]

Note: No server key is needed on broker 1 as it is functioning as an SSL client.
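The two configuration screenshots are not reproduced here, so the following is an added example of the equivalent settings written from the Mosquitto option names; it is not copied from the original post. The port 8883, the host name ws4 and the IP address 192.168.1.184 follow the tutorial; the file paths under /etc/mosquitto/, the connection name bridge-01 and the bridged topic are assumptions.

```conf
# ===== broker 2 (SSL server): add a TLS listener, no bridge settings =====
# Plain listener for locally connected clients (constructed example).
listener 1883

# TLS listener that the bridge will connect to. The server certificate
# must have been issued for the name "ws4", because the bridge connects
# using that name and verifies it against the certificate.
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# ===== broker 1 (bridge, i.e. the SSL client): separate config file =====
connection bridge-01
# Use the name the server certificate was generated with, not the IP
# address, otherwise the hostname check against the certificate fails.
address ws4:8883
# CA certificate used to verify broker 2's server certificate. No
# certfile/keyfile are needed on this side; it only validates the server.
bridge_cafile /etc/mosquitto/ca_certificates/ca.crt
# Topic to push to broker 2 (assumed; the tutorial does not fix one).
topic sensors/# out 0
```

The two sections belong in separate mosquitto.conf files, one per broker. If the bridge log shows a certificate verification error after this, the usual cause is the address not matching the name in broker 2's certificate, which is exactly the case the tutorial warns about.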

Testing

The easiest way of testing is to create an error, which you can easily do by commenting out the encryption setting on broker 1.

You should then get an SSL error on broker 1.

PSK Encryption Overview

The Mosquitto broker supports PSK encryption, which can be used instead of certificate-based encryption.

In cryptography, a pre-shared key (PSK) is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. –Wiki

This is the same type of encryption used on Wi-Fi networks.

The key used in Mosquitto is restricted to hexadecimal digits, i.e. 0-9 and A-F.

You can generate the key using online key generators, random number generators or just make one up.

For testing purposes it is easier to make one up.

For real world deployments a security policy would need to be created and used.

Note: PSK encryption uses SSL just like certificate-based encryption.

PSK encryption isn't supported on the Paho Python client, and so cannot be used to encrypt a client-to-broker connection.

Configuring PSK on a Mosquitto Bridge Connection

We use the same setup as before: broker 1 is configured as a bridge and broker 2 is a normal broker.

There are two settings that you need to add to broker 2:

  • psk_hint
  • psk_file

The psk_hint option is very important, as this is what tells the broker to use PSK.

The actual value that you enter doesn't appear to matter for Mosquitto, but it may in other PSK implementations.

There can only be one psk_file entry.

Below is a sample configuration file:

[Screenshot: PSK-config-mosquitto-broker]

The contents of the PSK file are shown below:

[Screenshot: broker2-config-psk-file]

Note: the above file contains entries for two PSK connections; our current connection will use bridge1.

Broker 1 is the bridge, and here is the configuration:

[Screenshot: bridge-broker-ssl-conf]

The important entries are the bridge identity bridge1, which matches the bridge identity in the PSK file on broker 2, and the bridge_psk value.

The bridge_psk value matches the key beside that identity in the PSK file on broker 2.
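As with the certificate section, the PSK screenshots are not reproduced, so here is an added example of the three pieces of PSK configuration (broker 2 listener, broker 2 PSK file, broker 1 bridge) written from the Mosquitto option names; it is not the original post's configuration. The identities bridge1 and bridge2 and the IP address 192.168.1.184 follow the tutorial (the bridge2 entry is the one used later for the second bridge, B3); the hint text, the file paths, the hex keys and the bridged topic are constructed.

```conf
# ===== broker 2: PSK listener (mosquitto.conf on broker 2) =====
listener 8883
# psk_hint is what switches this listener to PSK mode. Mosquitto does not
# interpret the value; it is simply sent to the connecting client.
psk_hint broker2-hint
# Only one psk_file is allowed. Each line is identity:key, key in hex.
psk_file /etc/mosquitto/pskfile.txt

# ===== /etc/mosquitto/pskfile.txt on broker 2 (constructed keys) =====
# One entry per bridge, each with its own key, so that a leaked key only
# affects the bridge it belongs to. bridge1 is used below; bridge2 is for
# the second bridge (B3) in the multiple-connection example.
bridge1:1234567890ABCDEF1234567890ABCDEF
bridge2:FEDCBA0987654321FEDCBA0987654321

# ===== broker 1: bridge using the bridge1 entry (mosquitto.conf) =====
connection bridge1
address 192.168.1.184:8883
# Must match an identity in broker 2's psk_file.
bridge_identity bridge1
# Must match the key stored beside that identity.
bridge_psk 1234567890ABCDEF1234567890ABCDEF
# Topic to push to broker 2 (assumed; the tutorial does not fix one).
topic sensors/# out 0
```

The three sections are three separate files. Because the key is also stored in clear text on the bridge side, restrict read access on both mosquitto.conf and pskfile.txt to the user the broker runs as; a mismatch between bridge_psk and the psk_file entry shows up on the bridge as a handshake failure, as in the testing section below.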

Multiple Bridge Connection Examples

We will now examine two configuration scenarios. We will use PSK for SSL, but the same applies if using certificates.

The diagram below depicts two bridge connections. This would be a typical central broker with branch offices configuration.

[Diagram: configure-multiple-bridged-connections]

Broker 2 needs no configuration changes to support multiple bridged connections, for both certificate-based and PSK encryption.

However, it may need additional entries in the PSK file. The PSK file shown previously is already configured for two connections.

The configuration on broker 1 (bridge 1) is the one shown previously and needs no changes.

The configuration file for B3 (bridge 2) is shown below:

[Screenshot: bridge2-conf]

Multiple Bridged Connections - Example 2

This time we will configure the bridge to have multiple bridged connections. This would be a branch office to central broker with redundancy, and is depicted in the diagram below:

[Diagram: Multiple-Bridged-Connections-Example]

Broker 1 Configuration

We would usually use the same port for each bridge, so we only need a single listener.

Each bridge connection starts with the connection name.

Below we see two connections, called bridge-01 and bridge-02.

Here is the configuration file:

[Screenshot: bridge-conf-multiple-mosquitto]

The configuration files for brokers 2 and 3 would look similar to the one below.

[Screenshot: PSK-config-mosquitto-broker]
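The broker 1 screenshot for this example is not reproduced, so the following is an added example of a bridge configuration with two PSK connections, written from the Mosquitto option names rather than taken from the post. The connection names bridge-01 and bridge-02 and the address 192.168.1.184 follow the tutorial; the address of broker 3, the identities, the hex keys and the topic are constructed. Brokers 2 and 3 each keep the PSK listener configuration shown earlier, with their own psk_file carrying the matching identity and key.

```conf
# ===== broker 1: single plain listener, two outgoing PSK bridges =====
listener 1883

# First bridge: to broker 2 (central broker).
connection bridge-01
address 192.168.1.184:8883
# Identity and key must match the entry in broker 2's psk_file.
bridge_identity bridge-01
bridge_psk 1234567890ABCDEF1234567890ABCDEF
topic sensors/# out 0

# Second bridge: to broker 3 (constructed address, redundant central broker).
connection bridge-02
address 192.168.1.185:8883
# Use a different key for each connection so that a key leaked from one
# central broker does not let anyone impersonate the other bridge.
bridge_identity bridge-02
bridge_psk FEDCBA0987654321FEDCBA0987654321
topic sensors/# out 0
```

Each connection block is independent: a key mismatch on bridge-02 (the failure shown in the testing section) leaves bridge-01 connected, which is the behaviour you want from a redundant pair.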

Testing The Connections

When you connect the bridge there is actually no indication that a secure connection is being used, provided that the configuration is OK.

However, you will get an indication if you have a configuration problem.

The screenshot below shows the connection problem that I caused by using a mismatched key for connection bridge-02.

[Screenshot: bad-bridge-conf-example]

Questions and Answers

Q- What is the PSK Hint?

A- See this stackoverflow response

Q- Is PSK less secure than using a certificate?

A- Probably yes, but opinions seem to vary - see here. PSK is, however, much easier to implement than certificates.


5 comments

  1. For a bridge connection using SSL I added a bridge.conf file using capath. I have Let’s Encrypt as a CA.
    connection bridge-01
    address myhost.com:8883
    bridge_capath /etc/ssl/certs/
    remote_username mqttu
    remote_password mqttpw
    topic home/# out 0

  2. Hi, you have great tutorials for Mosquitto. Your tutorials have helped me to configure my brokers in the right way. Thank you so much.

    I have a problem with this tutorial. I already made a connection between two mosquitto brokers without encryption and it works well. I had some troubles making one of the brokers use encryption, but I finally got it to work using your tutorial. I can connect to that broker with a client using the ca.crt file and it works well. But I can’t make a bridge between my two brokers using the ca.crt file.

    The log is showing an error every time it tries to connect:
    OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

    Is there a problem with my tls version from the config file? Is there a problem if one of my brokers is local and the other one has a domain?

    Hope you can help me out.

    Thanks.

    1. Looks like a problem with the .conf file. Can you send me the .conf file for the client side of the bridge or both if you are not sure.
      Use the ask-steve page on the site to send it

  3. Hi,

    First of all, well done for this tutorial.

    I tried the SSL configuration on my main broker and it works well.
    I can publish with mosquitto_pub from the same PC or from another one on the same network.

    Unfortunately, when I want to launch a bridge from the other PC I have this problem:
    “ssl handshake failure” (on the main broker)

    I’m using the same PC and the same ca.crt as with the mosquitto_pub so I don’t understand how the handshake could fail.

    Did you encounter this problem before?

    1. Hi
      I would suspect the configuration on the new broker. The second broker is acting like a client for the first broker so it is set up similar to a client as regards ssl.
      If you still have probs send me a copy of the config file on each broker and I’ll take a look.(steve@steves-internet-guide.com)
