Mosquitto 单向SSL配置

摘自:https://blog.csdn.net/a_bcd_123/article/details/70167833

2017年04月14日 06:56:06 strongjack 阅读数:694
 
 版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/a_bcd_123/article/details/70167833

1.生成证书

要单向配置SSL 需要 做三项前置工作

1. 生成CA证书

2.生成server 端证书,server 端key

github 的一个开源项目已经做到这点 ,详情可见 https://github.com/iandl/mqttitude/blob/master/tools/TLS/generate-CA.sh

为方便阅读,整个shell 代码先贴出来

#!/bin/sh

#(@)generate-CA.sh - Create CA key-pair and server key-pair signed by CA

# Copyright (c) 2013 Jan-Piet Mens <jpmens()gmail.com>

# All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are met:

#

# 1. Redistributions of source code must retain the above copyright notice,

#    this list of conditions and the following disclaimer.

# 2. Redistributions in binary form must reproduce the above copyright

#    notice, this list of conditions and the following disclaimer in the

#    documentation and/or other materials provided with the distribution.

# 3. Neither the name of mosquitto nor the names of its

#    contributors may be used to endorse or promote products derived from

#    this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

# POSSIBILITY OF SUCH DAMAGE.

set -e

DIR=${TARGET:='.'}

# A space-separated list of alternate hostnames (subjAltName)

# may be empty ""

ALTHOSTNAMES="broker.example.com foo.example.de"

CA_ORG='/O=MQTTitude.org/emailAddress=nobody@example.net'

CA_DN="/CN=An MQTT broker${CA_ORG}"

CACERT=${DIR}/ca

SERVER=${DIR}/server

SERVER_DN="/CN=$(hostname -f)$CA_ORG"

keybits=2048

openssl=$(which openssl)

function maxdays() {

	nowyear=$(date +%Y)

	years=$(expr 2032 - $nowyear)

	days=$(expr $years '*' 365)

	echo $days

}

function getipaddresses() {

	/sbin/ifconfig |

		sed -En '/inet6? /p' |

		sed -Ee 's/inet6? (addr:)?//' |

		awk '{print $1;}' |

		sed -e 's/[%/].*//' |

		egrep -v '(::1|127\.0\.0\.1)'	# omit loopback to add it later

}

function addresslist() {

	ALIST=""

	for a in $(getipaddresses); do

		ALIST="${ALIST}IP:$a,"

	done

	ALIST="${ALIST}IP:127.0.0.1,IP:::1,"

	for h in $(echo ${ALTHOSTNAMES}); do

		ALIST="${ALIST}DNS:$h,"

	done

	ALIST="${ALIST}DNS:localhost"

	echo $ALIST

}

days=$(maxdays)

if [ -n "$CAKILLFILES" ]; then

	rm -f $CACERT.??? $SERVER.??? $CACERT.srl

fi

if [ ! -f $CACERT.crt ]; then

	# Create un-encrypted (!) key

	$openssl req -newkey rsa:${keybits} -x509 -nodes -days $days -extensions v3_ca -keyout $CACERT.key -out $CACERT.crt -subj "${CA_DN}"

	echo "Created CA certificate in $CACERT.crt"

	$openssl x509 -in $CACERT.crt -nameopt multiline -subject -noout

	chmod 400 $CACERT.key

	chmod 444 $CACERT.crt

fi

if [ ! -f $SERVER.key ]; then

	echo "--- Creating server key and signing request"

	$openssl genrsa -out $SERVER.key $keybits

	$openssl req -new \

		-out $SERVER.csr \

		-key $SERVER.key \

		-subj "${SERVER_DN}"

	chmod 400 $SERVER.key

fi

if [ -f $SERVER.csr -a ! -f $SERVER.crt ]; then

	# There's no way to pass subjAltName on the CLI so

	# create a cnf file and use that.

	CNF=`mktemp /tmp/cacnf.XXXXXXXX` || { echo "$0: can't create temp file" >&2; exit 1; }

	sed -e 's/^.*%%% //' > $CNF <<\!ENDconfig

	%%% [ JPMextensions ]

	%%% basicConstraints        = critical,CA:false

	%%% nsCertType              = server

	%%% keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

	%%% nsComment               = "Broker Certificate"

	%%% subjectKeyIdentifier    = hash

	%%% authorityKeyIdentifier  = keyid,issuer:always

	%%% subjectAltName          = $ENV::SUBJALTNAME

	%%% # issuerAltName           = issuer:copy

	%%% nsCaRevocationUrl       = http://mqttitude.org/carev/

	%%% nsRevocationUrl         = http://mqttitude.org/carev/

!ENDconfig

	SUBJALTNAME="$(addresslist)"

	export SUBJALTNAME		# Use environment. Because I can. ;-)

	echo "--- Creating and signing server certificate"

	$openssl x509 -req \

		-in $SERVER.csr \

		-CA $CACERT.crt \

		-CAkey $CACERT.key \

		-CAcreateserial \

		-CAserial "${DIR}/ca.srl" \

		-out $SERVER.crt \

		-days $days \

		-extfile ${CNF} \

		-extensions JPMextensions

	rm -f $CNF

	chmod 444 $SERVER.crt

fi

实际过程中大家可根据自己的需要修改这段脚本的内容,为了快速搭建我们的单向SSL, 我们这里不做任何修改,直接执行这段shell

执行完成后可生成  server.crt  server.csr  server.ke ca.crt  ca.key  ca.srl

2.配置mosquitto 配置文件

 

ca.crt,  sever.crt, server.key 是第一步中生成的文件

启动 broker

启动 subscribe 端, 这里需要注意,如果sbuscreibe 端和broker 不在同一台机器,请将第一步生成的ca.crt 拷贝到 该机器

启动 publish 端,  如果publish 端和broker 不在同一台机器,请将第一步生成的ca.crt 拷贝到 该机器

配置完成,可以发送,接收消息了

Mosquitto 单向SSL配置的更多相关文章

  1. mosquitto --- 单向认证

    1.生成证书要单向配置SSL 需要 做三项前置工作 1. 生成CA证书 2.生成server 端证书,server 端key github 的一个开源项目已经做到这点 ,详情可见 https://gi ...

  2. SSL 通信原理及Tomcat SSL 配置

    SSL 通信原理及Tomcat SSL 双向配置 目录1 参考资料 .................................................................. ...

  3. Apollo单向SSL认证(1)

    参考链接:https://www.cnblogs.com/benwu/articles/4891758.html keytool -genkey -alias mybroker -keyalg RSA ...

  4. 百度CDN 网站SSL 配置

    百度CDN SSL配置步骤 一般从SSL提供商购买到的证书是CRT二进制格式的. 1. 将 CRT 导入到IIS中, 然后从IIS中导出为PFX格式 2. 下载openssl,执行下面命令 提取用户证 ...

  5. Nginx SSL配置过程

    1. 在godaddy购买了UCC SSL(最多5个域名)的SSL证书 2. 设置证书 -- 管理 -- 3. 需要制作证书申请CSR文件(在线工具制作或者openssl命令制作),保存CSR和key ...

  6. ssl配置

    Apache SSL配置 作者: JeremyWei | 可以转载, 但必须以超链接形式标明文章原始出处和作者信息及版权声明网址: http://weizhifeng.net/apache-ssl.h ...

  7. nginx反向代理cas server之1:多个cas server负载均衡配置以及ssl配置

    系统环境采用centOS7 由于cas server不支持session持久化方式的共享,所以请用其他方式代替,例如:组播复制. 为什么不支持session持久化:http://blog.csdn.n ...

  8. centos7邮件服务器SSL配置

    在上篇文章centos7搭建postfix邮件服务器的搭建中我们没有配置SSL,接下来我们在这篇文章中讲讲centos7邮件服务器SSL配置. 1. 创建SSL证书 [root@www ~]# cd ...

  9. Sahi (2) —— https/SSL配置(102 Tutorial)

    Sahi (2) -- https/SSL配置(102 Tutorial) jvm版本: 1.8.0_65 sahi版本: Sahi Pro 6.1.0 参考来源: Sahi官网 Sahi Quick ...

随机推荐

  1. C语言(C99标准)在结构体的初始化上与C++的区别

    C++中由于有构造函数的概念,所以很多时候初始化工作能够很方便地进行,而且由于C++标准库中有很多实用类(往往是类模板),现代C++能十分容易地编写. 比如现在要构造一个类Object,包含两个字段, ...

  2. FC Switch sfpshow

    sfpshow - fault-finding on Brocade Fibre Channel Switches So you've hit a situation where a Fibre Ch ...

  3. Linnx 服务器中mysql 无法正常访问问题

    本机连接远程Linnx服务器不通 1. 检测防火墙 -- 保证防火墙关闭 查看到iptables服务的当前状态:service iptables status. 但是即使服务运行了,防火墙也不一定起作 ...

  4. struts2学习(13)struts2文件上传和下载(1)

    一.Struts2文件上传: 二.配置文件的大小以及允许上传的文件类型: 三.大文件上传: 如果不配置上传文件的大小,struts2默认允许上传文件最大为2M: 2097152Byte:   例子实现 ...

  5. java代码---------打印正三角形

    总结:手打一遍 public class aaa{ public static void main(String []args){ for(int i=1;i<10;i++){ for(int ...

  6. Log4j.xml配置(rolling示例)

    Log4j.xml配置(很详细) <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE log4 ...

  7. 准确计算Java中对象的大小

    由于在项目中需要大致计算一下对象的内存占用率(Hadoop中的Reduce端内存占用居高不下却又无法解释),因此深入学习了一下如何准确计算对象的大小. 使用system.gc()和java.lang. ...

  8. linux中sed命令

    sed sed意为流编辑器(Stream Editor),在Shell脚本和Makefile中作为过滤器使用非常普遍,也就是把前一个程序的输出引入sed的输入,经过一系列编辑命令转换为另一种格式输出. ...

  9. 检测客户端系统-PHP

    if(isset($_SERVER['HTTP_USER_AGENT'])) { $userAgent = strtolower($_SERVER['HTTP_USER_AGENT']); $clie ...

  10. .net Reactor之限定日期内使用,限定使用次数,限定使用时间

    .net Reactor之限定日期内使用,限定使用次数,限定使用时间 上一篇(https://www.cnblogs.com/s313139232/p/9908833.html)详细的记录了.net ...