0. Preface
EMQ ships with SSL support, but it needs a small amount of configuration before it can be used. This post walks through how to do that with a self-signed certificate.
1. Issuing certificates with OpenSSL
```shell
➜ cat createCA.sh
#!/bin/sh
# Generate the self-signed CA key and certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -subj "/CN=www.wunaozai.com" -out ca.pem

# Generate the server key and certificate, signed by the CA
# (a CN of 0.0.0.0 will not satisfy clients that verify the server hostname; use the broker's hostname there)
openssl genrsa -out server.key 2048
openssl req -new -key ./server.key -out server.csr -subj "/CN=0.0.0.0"
openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 3650 -sha256

# Generate the client key and certificate, signed by the same CA
openssl genrsa -out client.key 2048
openssl req -new -key ./client.key -out client.csr -subj "/CN=0.0.0.0"
openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 -sha256

# The following files are produced
➜ ls
ca.key  ca.pem  ca.srl  client.csr  client.key  client.pem  createCA.sh  server.csr  server.key  server.pem
```
2. Configuring it in EMQX's emqx.conf
With one-way authentication, clients can connect without presenting a certificate at all; commenting out the line listener.ssl.external.fail_if_no_peer_cert = true below switches the listener to one-way authentication (with verify_peer still set, a client that does present a certificate still has it validated against ca.pem).
With two-way (mutual) authentication enabled, a client must import the CA certificate and its own client certificate before it can connect.
```conf
listener.ssl.external = 8883
listener.ssl.external.acceptors = 16
listener.ssl.external.max_connections = 102400
listener.ssl.external.max_conn_rate = 500
listener.ssl.external.active_n = 100
listener.ssl.external.zone = external
listener.ssl.external.access.1 = allow all
listener.ssl.external.handshake_timeout = 15s
## Server key/cert, and the CA used to validate client certificates
listener.ssl.external.keyfile = ../certs/server.key
listener.ssl.external.certfile = ../certs/server.pem
listener.ssl.external.cacertfile = ../certs/ca.pem
## verify_peer validates any presented client cert against cacertfile;
## fail_if_no_peer_cert = true additionally rejects clients that present none
## (comment it out for one-way authentication)
listener.ssl.external.verify = verify_peer
listener.ssl.external.fail_if_no_peer_cert = true
## Cipher suites offered to clients: one comma-separated line of exact OpenSSL suite names
listener.ssl.external.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
listener.ssl.external.reuseaddr = true
```
Restart EMQX
```shell
./bin/emqx stop
./bin/emqx start
```
3. Testing with tools
You can test with MQTT.fx; here I use MQTTX, the tool released by EMQ itself.
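The chain that createCA.sh builds and the verify_peer / fail_if_no_peer_cert behaviour described in section 2, as an added example that is not from the original post: it rebuilds the same CA, server and client chain in a scratch directory, checks offline that the client certificate chains to ca.pem while one from an unrelated CA does not, and includes an openssl s_client probe you can point at the restarted listener on 8883. The function names and CNs are my own placeholders; only openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the same CA / server /
# client chain as createCA.sh in a scratch directory, then checks offline what
# the EMQX listener checks at handshake time under verify = verify_peer: a client
# cert issued by ca.pem validates, a cert from an unrelated CA does not.
# Assumes only that openssl is on PATH. All CNs are placeholders.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, as in the post ($1 = file prefix, $2 = CN).
make_ca() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/$1.key" -sha256 -days 3650 \
        -subj "/CN=$2" -out "$WORK/$1.pem" 2>/dev/null
}

# Key + CSR + CA-signed cert ($1 = file prefix, $2 = CN, $3 = CA prefix).
issue_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 3650 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# Exit 0 iff cert $1 chains to CA $2: the check the broker's cacertfile performs.
chains_to_ca() {
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Handshake probe against a live listener (needs a running broker, so not run
# here). With fail_if_no_peer_cert = true, leaving $3 empty must fail; with the
# line commented out (one-way auth) the same probe succeeds.
probe_broker() {   # $1 = host, $2 = port, $3 = client prefix or ""
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -CAfile "$WORK/ca.pem" \
            -cert "$WORK/$3.pem" -key "$WORK/$3.key" </dev/null
    else
        openssl s_client -connect "$1:$2" -CAfile "$WORK/ca.pem" </dev/null
    fi
}

make_ca ca placeholder-ca
issue_cert server broker.example.internal ca
issue_cert client device-0001 ca
make_ca rogue-ca someone-elses-ca         # unrelated CA: its clients must be rejected
issue_cert rogue-client device-0001 rogue-ca
```

After the broker is restarted, `probe_broker 127.0.0.1 8883 client` and `probe_broker 127.0.0.1 8883 ""` show the two-way versus one-way behaviour directly.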
With a self-signed CA you can issue a certificate to each client, i.e. one certificate per device. That is very costly, though: SSL already raises the bar for the communication path, and having to manage that many certificates on top of it becomes a burden. So the approach I use at present is that the platform supports MQTTS with one-way authentication, which only secures the transport. Device authentication is not done with certificates but with the traditional device ID and device password. It is simpler, and the platform needs few changes.
References:
https://docs.emqx.io/cn/sdk_tools?category=MQTT_Tools
https://www.emqx.io/cn/downloads#broker
https://docs.emqx.io/broker/latest/cn/config.html?highlight=ssl#mqtt-ssl-8883
https://segmentfault.com/a/1190000020058373#item-2
https://blog.csdn.net/u011089760/article/details/89951214
This post: https://www.cnblogs.com/wunaozai/p/12367497.html
Series index: https://www.cnblogs.com/wunaozai/p/8067577.html
Homepage: https://www.wunaozai.com/