/moquette_TLS

MQTT Moquette broker configured for SSL/TLS

Primary language: Java

# Moquette Broker Utilizing SSL/TLS

To run a generic, unmodified version of the Moquette MQTT Broker, download the Moquette distribution tar, untar the archive and run the script 'sh moquette.sh' from /bin. This starts an unencrypted local broker listening on port 1883. Better yet, check out the master branch and clone Andrea's repo. The purpose of this repo is to display and share a working secured MQTT broker with encrypted comms. Feel free to clone the repo and run the broker from source, or embed it in your Maven project following the directions below...

Documentation

Configuration

Within /config resides the moquette.conf file where we point moquette to...

  • Keystore location and credentials (a JKS keystore by default)
  • SSL port (8883 seems to be the standard)
  • Authentication by username/password is configured via config/password_file.conf
    • The file should contain only lines of the form user:sha256hash(password)
    • Yes, the hash below, and all passwords in the repo for that matter, are 'password'; you'll need that to export the server's cert for your client and to connect to the secure broker.
username:5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
  • Other configuration is possible within /config, such as ACL lists or setting the server's IP, but for a quick local SSL/TLS setup the above is all we need.
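As an added example (not code from this repository), the helper below generates password_file.conf entries in the user:SHA-256 format shown above, checks a login against such a file, and renders a minimal moquette.conf fragment using the property names the Moquette broker reads (ssl_port, jks_path, key_store_password, key_manager_password, password_file, allow_anonymous); the paths and secrets passed to it are constructed sample values.

```python
import hashlib
import hmac

# moquette.conf property names as the Moquette broker reads them; the path,
# port and secrets passed in are constructed sample values, not this repo's.
def render_tls_conf(ssl_port: int, jks_path: str, keystore_password: str,
                    password_file: str = "config/password_file.conf") -> str:
    """Minimal moquette.conf fragment for a TLS listener with password authentication."""
    lines = [
        f"ssl_port {ssl_port}",
        f"jks_path {jks_path}",
        f"key_store_password {keystore_password}",
        f"key_manager_password {keystore_password}",
        f"password_file {password_file}",
        "allow_anonymous false",  # clients that send no credentials are refused
    ]
    return "\n".join(lines) + "\n"

def password_file_line(user: str, password: str) -> str:
    """One password_file.conf entry, user:SHA256(password), hex-encoded as shown above."""
    return f"{user}:{hashlib.sha256(password.encode('utf-8')).hexdigest().upper()}"

def authenticate(file_text: str, user: str, password: str) -> bool:
    """Look the user up in password-file text and compare hashes in constant time.
    The hex comparison is case-insensitive so upper- or lowercase files both work."""
    presented = hashlib.sha256(password.encode("utf-8")).hexdigest().lower()
    for raw in file_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                         # this parser skips blank lines and comments
        name, stored = line.split(":", 1)
        if name == user:
            return hmac.compare_digest(stored.strip().lower(), presented)
    return False                             # unknown user: never fall through to allow
```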

Usage

Starting and connecting to the broker...

  • cd to /bin and sh moquette.sh
  • If Moquette starts up and you receive messages similar to the ones below on startup, SSL on the broker is configured!
430  [main] INFO  DefaultMoquetteSslContextCreator  - Starting SSL using keystore at serverkeystore.jks
431  [main] INFO  DefaultMoquetteSslContextCreator  - jks not found in bundled resources, try on the filesystem
431  [main] INFO  DefaultMoquetteSslContextCreator  - Using /Task 1/moquette/bin/serverkeystore.jks 
587  [main] INFO  NettyAcceptor  - Starting SSL on port 8883
588  [main] INFO  NettyAcceptor  - Server binded host: 0.0.0.0, port: 8883

Upon connecting from the client...

13024 [nioEventLoopGroup-3-1] INFO  ProtocolProcessor  - Connected client ID <Brian_164047597> with clean session true
13025 [nioEventLoopGroup-3-1] INFO  ProtocolProcessor  - CONNECT processed

And your first secure publish!

32554 [nioEventLoopGroup-3-1] INFO  ProtocolProcessor  - PUBLISH from clientID <Brian_164047597> on topic </ssl-test/> with QoS MOST_ONE

You can verify with the tcpdump utility...

Not encrypted...

bash-3.2$ tcpdump -nnvvXS -i lo0 port 1883
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
17:30:16.846705 IP (tos 0x0, ttl 64, id 64500, offset 0, flags [DF], proto TCP (6), length 80, bad cksum 0 (->40b1)!)
    127.0.0.1.54398 > 127.0.0.1.1883: Flags [P.], cksum 0xfe44 (incorrect -> 0x0b34), seq 2668293500:2668293528, ack 2050520663, win 12759, options [nop,nop,TS val 1058276277 ecr 1058251532], length 28
	0x0000:  4500 0050 fbf4 4000 4006 0000 7f00 0001  E..P..@.@.......
	0x0010:  7f00 0001 d47e 075b 9f0a ed7c 7a38 7657  .....~.[...|z8vW
	0x0020:  8018 31d7 fe44 0000 0101 080a 3f14 03b5  ..1..D......?...
	0x0030:  3f13 a30c 301a 000a 2f73 736c 2d74 6573  ?...0.../ssl-tes
	0x0040:  742f 7365 6372 6574 6d65 7373 6167 650a  t/secretmessage.

VS encrypted

bash-3.2$ tcpdump -nnvvXS -i lo0 port 8883
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
17:29:47.686391 IP (tos 0x0, ttl 64, id 61110, offset 0, flags [DF], proto TCP (6), length 153, bad cksum 0 (->4da6)!)
    127.0.0.1.57728 > 127.0.0.1.8883: Flags [P.], cksum 0xfe8d (incorrect -> 0xcf39), seq 4289169368:4289169469, ack 1190151484, win 12698, options [nop,nop,TS val 1058247194 ecr 1058228219], length 101
	0x0000:  4500 0099 eeb6 4000 4006 0000 7f00 0001  E.....@.@.......
	0x0010:  7f00 0001 e180 22b3 ffa7 87d8 46f0 453c  ......".....F.E<
	0x0020:  8018 319a fe8d 0000 0101 080a 3f13 921a  ..1.........?...
	0x0030:  3f13 47fb 1703 0300 60fa 96d3 0a9d eb8c  ?.G.....`.......
	0x0040:  346c 5364 c12e 37a6 10c6 6c44 2866 3053  4lSd..7...lD(f0S
	0x0050:  add4 1eb9 df87 8eb2 a547 63ff fcd3 5d33  .........Gc...]3
	0x0060:  cff6 e33c ec06 0822 e445 7e2d ed87 455f  ...<...".E~-..E_
	0x0070:  ab88 394f 0e51 2b09 a24e 5e6d dd37 718e  ..9O.Q+..N^m.7q.
	0x0080:  294d 62a1 31ab f045 ec41 0cc8 c840 7305  )Mb.1..E.A...@s.
	0x0090:  45d9 c376 6ccb 8d2a 7b                   E..vl..*{
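As an added example (not part of this README or the Moquette project), the script below rebuilds the two captures above from their tcpdump -X hex columns, walks past the IPv4 and TCP headers, and tells a cleartext MQTT PUBLISH (topic and message readable on the wire) from a TLS record (only a record header, then opaque bytes); it also handles QoS 1/2 packet ids and multi-byte remaining lengths beyond the single case shown above.

```python
import string
from itertools import takewhile

# The two tcpdump -X captures shown above (cleartext MQTT on 1883, TLS on 8883);
# the TLS one is cut after its first 64 bytes, since only the record header is read.
PLAIN_DUMP = """
0x0000:  4500 0050 fbf4 4000 4006 0000 7f00 0001  E..P..@.@.......
0x0010:  7f00 0001 d47e 075b 9f0a ed7c 7a38 7657  .....~.[...|z8vW
0x0020:  8018 31d7 fe44 0000 0101 080a 3f14 03b5  ..1..D......?...
0x0030:  3f13 a30c 301a 000a 2f73 736c 2d74 6573  ?...0.../ssl-tes
0x0040:  742f 7365 6372 6574 6d65 7373 6167 650a  t/secretmessage.
"""
TLS_DUMP = """
0x0000:  4500 0099 eeb6 4000 4006 0000 7f00 0001  E.....@.@.......
0x0010:  7f00 0001 e180 22b3 ffa7 87d8 46f0 453c  ......".....F.E<
0x0020:  8018 319a fe8d 0000 0101 080a 3f13 921a  ..1.........?...
0x0030:  3f13 47fb 1703 0300 60fa 96d3 0a9d eb8c  ?.G.....`.......
"""

def packet_bytes(dump: str) -> bytes:
    """Rebuild the raw IPv4 packet from the hex columns of a tcpdump -X dump."""
    is_hex = lambda t: len(t) <= 4 and all(c in string.hexdigits for c in t)
    cols = []
    for line in dump.splitlines():
        if line.strip().lower().startswith("0x"):
            cols += list(takewhile(is_hex, line.split(":", 1)[1].split()))[:8]
    return bytes.fromhex("".join(cols))

def tcp_payload(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length from the IHL field
    return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]  # plus TCP header length from data offset

def remaining_length(buf: bytes, i: int) -> tuple:
    """Decode MQTT's variable-length 'remaining length' at buf[i]; returns (value, next index)."""
    value, mult = 0, 1
    while True:
        value, i, mult = value + (buf[i] & 0x7F) * mult, i + 1, mult * 128
        if not buf[i - 1] & 0x80:
            return value, i

def classify(payload: bytes) -> str:
    """Cleartext MQTT is readable from its fixed header; TLS shows only a record header."""
    if len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        return f"TLS record type 0x{payload[0]:02x}, {int.from_bytes(payload[3:5], 'big')} opaque bytes"
    ptype, qos = payload[0] >> 4, (payload[0] >> 1) & 0x03
    if ptype != 3:
        return f"cleartext MQTT packet type {ptype}"
    _, i = remaining_length(payload, 1)
    tlen = int.from_bytes(payload[i:i + 2], "big")
    topic = payload[i + 2:i + 2 + tlen].decode("utf-8")
    body = payload[i + 2 + tlen + (2 if qos else 0):]  # QoS 1/2 carry a 2-byte packet id first
    return f"cleartext MQTT PUBLISH to {topic!r}: {body!r}"
```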

Embedding Moquette and starting the server in Eclipse...

  • You can embed Moquette in your project by declaring the dependencies in Maven
  • Or, to edit and start from source, clone the repo, open embedding_moquette, and compile and run the project from EmbeddedLauncher.java

All you really need to start...

```java
import io.moquette.server.Server;                 // Moquette broker API
import io.moquette.server.config.ClasspathConfig;
import io.moquette.server.config.IConfig;

final IConfig classPathConfig = new ClasspathConfig();   // grab a new config object
final Server mqttBroker = new Server();                  // and a new broker
mqttBroker.startServer(classPathConfig);                 // start broker using settings from
                                                         // moquette.conf (throws IOException)
```
  • To connect to the broker from an Android Virtual Device, be sure to use 10.0.0.2, as this is the address Android Studio binds to your dev machine's localhost. More details on connecting clients, MQTT pub/sub, and org.eclipse.paho.android.service here.