Require TLS traffic - howto / bug
Laro88 opened this issue · 3 comments
I am trying to force mosquitto 2.0.18 to work with TLS using a self signed certificate, and I was hoping to find a require_tls somewhere as the certificate configuration is omitted.
I am starting mosquitto from shell using -v -c mosquitto.conf and connecting using MQTT explorer 0.4.0 beta 6 & MQTT.fx (old one) 1.7.1
The certfile, keyfile and cafile are generated using
openssl genrsa -des3 -out c:\cert\ca.key 2048
openssl req -new -x509 -days 365 -key c:\cert\ca.key -out c:\cert\ca.crt
openssl genrsa -out c:\cert\server.key 2048
openssl req -new -out c:\cert\server.csr -key c:\cert\server.key
openssl x509 -req -in c:\cert\server.csr -CA c:\cert\ca.crt -CAkey c:\cert\ca.key -CAcreateserial -out c:\cert\server.crt -days 365
Presently I use the following configuration:
#retain_available false
#max_qos 0
tls_version tlsv1.2
listener 8883
protocol mqtt
socket_domain ipv4
listener 9001
socket_domain ipv4
protocol websockets
#enable to utilize TLS
certfile c:\cert\server.crt
keyfile c:\cert\server.key
cafile c:\cert\ca.crt
log_type all
connection_messages true
log_timestamp true
password_file mosquitto.passwd
It seems like mosquitto is permitting non-secure connections and ignores the desired TLS requirements.
What might I be missing? Does mosquitto fall back to non-secure settings silently?
I think you might need to put the cert config lines under each listener.
Thanks @Daedaluz
Posting the running mosquitto config with TLS on everything:
#mosquitto 2.0.18 clean winbox and docker on winbox 10,11,WS2022
#utilize c:\cert\ style certification paths on clean mosquitto @ winbox
tls_version tlsv1.2
log_type all
listener 1883
socket_domain ipv4
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
cafile /mosquitto/config/certs/ca.crt
listener 8883
protocol mqtt
socket_domain ipv4
#enable to utilize TLS
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
cafile /mosquitto/config/certs/ca.crt
listener 9001
socket_domain ipv4
protocol websockets
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
cafile /mosquitto/config/certs/ca.crt
connection_messages true
log_timestamp true
password_file /mosquitto/config/mosquitto_passwd
retain_available false
max_qos 0
Close if nothing else :)
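Added example (not from the issue above or from the mosquitto project): a small checker that applies the rule Daedaluz pointed out. In mosquitto 2.x, certfile, keyfile, cafile and the other per-listener options attach to the most recently declared `listener` line, so in the first config the three cert lines only protect the websockets listener on 9001 and 8883 stays plaintext. The script parses a mosquitto.conf, reports which listeners actually get TLS, flags TLS options that sit before any listener (they cannot apply to the listeners declared after them), and notes that cafile alone does not make clients present a certificate (that needs require_certificate true). The two configs embedded at the bottom are constructed to mirror the broken and the fixed configs from this thread.

```python
"""Which mosquitto listeners really get TLS?

Added example, not code from the issue or the mosquitto project. It models the
mosquitto 2.x placement rule: per-listener options apply to the most recently
declared `listener` line. Sample configs below are constructed to mirror the
ones posted in the thread.
"""
from dataclasses import dataclass, field

# Per-listener TLS options tracked here (option names from mosquitto.conf(5)).
TLS_OPTIONS = ("certfile", "keyfile", "cafile", "capath",
               "require_certificate", "tls_version", "psk_hint")


@dataclass
class Listener:
    port: int
    protocol: str = "mqtt"
    options: dict = field(default_factory=dict)

    @property
    def tls(self) -> bool:
        # A listener is TLS only when a cert+key pair (or a PSK hint) is attached to it.
        o = self.options
        return ("certfile" in o and "keyfile" in o) or "psk_hint" in o

    @property
    def mutual_tls(self) -> bool:
        # cafile by itself does not authenticate clients; require_certificate must be true too.
        o = self.options
        return self.tls and o.get("require_certificate") == "true" and ("cafile" in o or "capath" in o)


def parse_config(text: str):
    """Return (listeners, orphaned).

    orphaned holds TLS options seen before any `listener` line; they cannot
    apply to the listeners declared after them.
    """
    listeners, orphaned, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # mosquitto comments start the line
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":                      # "listener <port> [bind address]"
            current = Listener(int(value.split()[0]))
            listeners.append(current)
        elif key == "protocol" and current is not None:
            current.protocol = value
        elif key in TLS_OPTIONS:
            if current is None:
                orphaned.append((key, value))
            else:
                current.options[key] = value
    return listeners, orphaned


def plaintext_ports(text: str) -> list:
    """Ports that would accept unencrypted connections with this config."""
    listeners, _ = parse_config(text)
    return [l.port for l in listeners if not l.tls]


def _status(l: Listener) -> str:
    if not l.tls:
        return "PLAINTEXT"
    return "TLS, client certs required" if l.mutual_tls else "TLS, no client cert required"


def report(text: str) -> list:
    """Human-readable findings, one string per entry."""
    listeners, orphaned = parse_config(text)
    out = [f"listener {l.port} ({l.protocol}): {_status(l)}" for l in listeners]
    out += [f"'{k} {v}' appears before any listener and does not apply to the ports above"
            for k, v in orphaned]
    return out


# Constructed samples: BROKEN places the cert lines after listener 9001 only,
# FIXED repeats them under every listener, as in the thread.
BROKEN = r"""
tls_version tlsv1.2
listener 8883
protocol mqtt
socket_domain ipv4
listener 9001
socket_domain ipv4
protocol websockets
#enable to utilize TLS
certfile c:\cert\server.crt
keyfile c:\cert\server.key
cafile c:\cert\ca.crt
password_file mosquitto.passwd
"""

FIXED = r"""
tls_version tlsv1.2
listener 1883
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
cafile /mosquitto/config/certs/ca.crt
listener 8883
protocol mqtt
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
cafile /mosquitto/config/certs/ca.crt
listener 9001
protocol websockets
certfile /mosquitto/config/certs/server.crt
keyfile /mosquitto/config/certs/server.key
cafile /mosquitto/config/certs/ca.crt
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {name} ==")
        for line in report(cfg):
            print(" ", line)
```

Run against the first config it lists 8883 as PLAINTEXT and 9001 as TLS; against the second, all three listeners come back as TLS. In both it also flags `tls_version tlsv1.2` as sitting before any listener, which is worth checking against the placement rule in mosquitto.conf(5) if you want that minimum version enforced per listener. Note the "no client cert required" result on every listener: cafile is loaded, but clients are still only authenticated by the password file unless require_certificate true is added under the listener.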