Secure client server communication over TLS security protocol using Mosquitto Broker: IOT Part 42

Transport Layer Security (TLS) is a security protocol that uses symmetric cryptography to secure data. In this tutorial, Client-Server communication will be setup using TLS Protocol so that data can be securely exchanged between them. The Mosquitto broker is used to provide TLS security. The Mosquitto broker uses 8883 port as an encrypted transmission port to securely exchange the data between clients.

To learn more about IoT standards and protocols, check out the following tutorial –

Learn more about transport layer protocols from the following tutorial –

• Platform- Linux

• Mosquitto broker Installed

• MQTT-spy client or Linux Terminal.

The TLS protocol provides the following features –

1) Encryption of Data – The data is encrypted end to end so that other than two parties who are exchanging the information, no one can understand the data.

2) Integrity of Data – The encrypted data cannot be manipulated by anyone.

3) Authentication – One party can send the data to other party only when it will have the authenticity to send the data to that party.

In TLS security, Client or Broker uses public key to encrypt the messages, private key to decrypt the messages and certificate to sign the message. To enable TLS security, a client requires the following –

1) CA (certificate authority) certified client certificate

2) Client private key for decryption

3) CA certificate that has signed the server certificate.

To enable TLS security, the server requires the following –

1) CA certified server certificate

2) Server private key for decryption

3) CA certificate that has signed the client certificate.

The openssl is used to create own certificate authority (CA), client keys, server keys and certificates. The openssl can be installed by the following commands –

Next, create a folder (any name) in the home directory and move into that directory by terminal. Now follow the below steps to generate the keys and certificates.

1) Create the CA public and private key pair by running the following command in the terminal –

In the above command –

genrsa: Generates a RSA private key

-des3: Let using DES3 cipher for the key generation (password)

size_of_private_key_in_bits is 2048

-out: specifies the file name for the key (.key)

This command will generate a CA private key file. It will prompt for writing the user defined password. This password will be further used when the CA certificate will be signed with this private key.

2) Create a CA certificate using the CA key by running the following command –

In the above command,

req: is Request for certificate

-new: generates new certificate and will prompt user for several input fields.

-x509: creates a self-signed certificate.

-days: specifies the number of days the certificate is valid.

-key: is key file with private key to be used for signing

-out: specifies the file name for the certificate (.crt)

3) Now create the server key pair by running the following command –

opensslgenrsa -out mosquitto_server.keysize of private key in bits.

It is not protected with password here. In the above command,

genrsa: generates a RSA private key

-out: specifies the file name for the key (.key)

size_of_private_key_in_bits is 2048

4) Now create a certificate request for server using the server private key by running the following command –

In the above command –

req: is Request for certificate

-new: generates new certificate and will prompt user for several input fields.

-key: is key file with private key to be used for signing

-out: specifies the file name for the certificate (.csr)

5) Next, use the CA certificate to sign the broker certificate request by running the following command –

In the above command,

x509: creates a self-signed certificate.

-req: is Request for certificate

-in: is input file for the certificate

-CA: specifies the file to be signed

-CAkey: is CA private key to sign the certificate with

-CAcreateserial: is the serial number file that gets created if it does not exist

-out: specifies the file name for the certificate (.crt)

-days: specifies the number of days the certificate is valid.

6) For client, the same procedure is followed to generate the client private key, client certificate request and then sign the certificate request by CA certificate.

The client key pair is generated by the following command –

The Client certificate request is made by running the following command –

opensslreq -new -out mosquitto_client.csr -key mosquitto_client.key

The CA certificate to sign the client certificate is generated by running the following command –

Now there are total 9 files created named as follow –

– CA.key : CA key file (public and private)

– CA.crt : CA certificate

– CA.srl : CA serial number file

– mosquitto_server.key : server key

– mosquitto_server.csr : server certificate request

– mosquitto_server.crt : server certificate

– mosquitto_client.key : client key

– mosquitto_client.csr : client certificate request

– mosquitto_client.crt : client certificate

Next, the authentication of clients need to be enabled as well. From that, clients will be connected to the MQTT server only when they know the username and password of MQTT server. Follow the below steps to enable authentication –

1) Create the server_password.txt file anywhere and inside this file, create username and password as following –

2) Then encrypt this file using the following command –

3) Next, install Mosquitto broker. As Linux is used, so to install the broker, first add the Mosquitto repository by running the following command and install the mosquito broker –

Next, install Mosquitto clients for the PC by  installing Mosquitto developer libraries and Mosquitto client package as follow –

The mqtt-spy can also be used along with the MQTT client. In order to use MQTT spy, skip the above steps. Now the broker is installed along with the  client and certificates as well.

Mosquitto by default is configured to run on port 1883. So, there is need of TLS port i.e. 8883.  The configuration of Mosquitto broker can be changed to listen on encrypted port. But before that, out of the 9 files generated, copy the following 3 files and paste into folder /etc/mosquitto/

• CA.crt- Paste this file in to /etc/mosquitto/ca_certificates. If this folder is not present then we can make a folder and then paste the file

• mosquitto_server.crt- Paste this file into /etc/mosquitto/certs.

• mosquitto_server.key- Paste this file into /etc/mosquitto/certs

Now copy the password file “server_password.txt” and paste it into /etc/mosquitto path. Now, there is the default configuration file. Change the file – mosquitto.conf as follow –

It can be seen that the Mosquitto broker is running on port 8883 with TLS security as follow –

It’s time to test the broker with the MQTT clients. To publish the data on Mosquitto broker, run the following command –

It can be seen that whatever is sent on the MQTT broker from publisher side, it is received on the subscriber side. This Client to Server communication is done in highly encrypted form.