MQTT binding and TLS/SSL support

Hi!

My use-case is to connect an OH2 located in our summer house with my master OH2. I got it working over TCP with username/password protection on the Mosquitto server, but I would like to use TLS for improved security.

I’ve read several posts that the MQTT binding does not support TLS/SSL. Why does the binding documentation then indicate that it is possible to connect via ssl:// ?

Example configuration of an encrypted broker connection with authentication:

```
mqtt:mosquitto.url=ssl://test.mosquitto.org:8883
```

Is it somehow possible to generate private certificates and put them somewhere on the slave OH2 so that the slave OH2 can connect to the Mosquitto server running in the master OH2 server using TLS/SSL?

BR,

/Janne

A good tutorial I’ve found is here:

http://owntracks.org/booklet/guide/broker/#raspi

It is targeted at owntracks, but it should also work for your use case (I guess).

Hi!

I know that it is possible to configure Mosquitto to use TLS, but in your case you access Mosquitto from a mobile device that you can configure with matching certificates.

In my case I use the MQTT binding in OH2 (or the 1.9 compatible version to be more precise) on my OH2 slave that uses the event bus binding configuration to publish all events to the broker running on my master OH2.

It is possible to configure the slave, via the mqtt.cfg, to connect via ssl as I wrote, but how do I configure the OH2 slave to use correct certificates?

BR,

/Janne


Ahh, okay, missed that point.
Sorry, I’m not that deep into mqtt, although I’m using it with certificates while connecting from mobile devices.

The only hint I can give you is:
http://owntracks.org/booklet/guide/bridge/

Hi!

Thanks for the hint! :smile:
I’ve now got TLS working with bridged Mosquitto brokers when running both master and slave OH2 on the same local network. I generated certificates using the following utility script.

The next step is to move the slave OH2 to my summer house and then change my bridge.conf to point to my external IP address for my home network, and also configure port forwarding in my ASUS router to point port 8883 to the local IP address of my master OH2.

Is there any other configuration that is needed to be changed when moving the slave OH2 to another network?
Will the port forwarding work out of the box? The Mosquitto TLS request will then come from my router's internal IP address 192.168.1.1 on port 8883 to the master OH2 Mosquitto service.

I guess I also need to configure port forwarding on the router in my summer house to point port 8883 to the local IP address of my slave OH2.

BR,

/Janne

Hey Janne,

I am also struggling with the setup of my openhab binding to connect to my broker with TLS, but can’t get it working, as you said:

It is possible to configure the slave, via the mqtt.cfg, to connect via ssl as I wrote

I was hoping you could help me more in detail where to put my certificates and keys, and how to edit my mqtt.conf…

so far, thank you in advance!

Walter

The OH1 Mqtt implementation only has an accept-all-and-everything policy, so man-in-the-middle attacks are possible. It is safer to use two Mqtt Brokers like Mosquitto on each side and let them synchronize themselves securely, at least for the moment.

There will be an OH2 MQTT implementation soon.

Cheers,
David
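For the bridged-broker setup Janne described above and David recommends here, the following pair of Mosquitto configuration fragments is an added illustration and not taken from the thread or from the openHAB project; the hostname, file paths, listener layout and topic prefixes are assumed placeholders. The slave broker at the summer house initiates the bridge, validates the master against a private CA (instead of the binding's accept-all behaviour), and authenticates with its own client certificate.

```conf
# --- master side (home): /etc/mosquitto/conf.d/bridge-listener.conf (assumed path) ---
# Dedicated TLS listener reached through the router's port forward for 8883.
# The local master OH2 binding keeps using the plain local listener on 1883.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt      # private CA that signed both broker certs (assumed)
certfile /etc/mosquitto/certs/master.crt  # CN/SAN must match the name the bridge connects to
keyfile  /etc/mosquitto/certs/master.key
tls_version tlsv1.2
# Mutual TLS: the bridge must present a certificate issued by the same private CA,
# so a leaked username/password alone cannot connect from the internet.
require_certificate true
use_identity_as_username true   # client-certificate CN becomes the username for ACLs
allow_anonymous false

# --- slave side (summer house): /etc/mosquitto/conf.d/bridge.conf (assumed path) ---
connection to-master
address home.example.net:8883                  # assumed external hostname of the home router
bridge_cafile   /etc/mosquitto/certs/ca.crt    # pin the private CA: only the master cert validates
bridge_certfile /etc/mosquitto/certs/slave.crt
bridge_keyfile  /etc/mosquitto/certs/slave.key
bridge_insecure false   # keeps hostname verification on; "true" reintroduces accept-all
bridge_tls_version tlsv1.2
cleansession false      # queue messages across link drops between the two networks
try_private true
# Forward the slave's event bus to the master and receive commands back
# (topic prefixes assumed; match them to the mqtt-eventbus binding settings).
topic openhab/out/# out 1
topic openhab/in/#  in  1
```

Only the slave needs a port forward in the outbound direction (none), since the bridge is initiated from the summer house; the inbound forward on the home router is what exposes port 8883.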

Thanks for the quick reply!

Hey,

How did you do the configuration, and is authentication also possible via port 8884?
Thank you !

BR
/Alex

Is there already any news on this OH2 MQTT implementation? I found another topic on how to set up access via Java key stores, but I’m curious to see if another way becomes available soon :slight_smile:

Looking forward to the same. I need to use TLS auth with certificate files.

This is also possible with the mqtt 1.x binding; there are even scripts available to generate the certificates:

(That also works if you don’t want to use owntracks …)

Thanks! I’m also using owntracks, so great!