My use-case is to connect an OH2 located in our summer house with my master OH2. I got it working over TCP with username/password protection on the Mosquitto server, but I would like to use TLS for improved security.
I’ve read several posts that the MQTT binding does not support TLS/SSL. Why does the binding documentation then indicate that it is possible to connect via ssl:// ?
Example configuration of an encrypted broker connection with authentication:
Is it somehow possible to generate private certificates and put them somewhere on the slave OH2 so that the slave OH2 can connect to the Mosquitto server running in the master OH2 server using TLS/SSL?
I know that it is possible to configure Mosquitto to use TLS, but in your case you access Mosquitto from a mobile device that you can configure with matching certificates.
In my case I use the MQTT binding in OH2 (or the 1.9 compatible version to be more precise) on my OH2 slave that uses the event bus binding configuration to publish all events to the broker running on my master OH2.
It is possible to configure the slave, via the mqtt.cfg, to connect via ssl as I wrote, but how do I configure the OH2 slave to use correct certificates?
Thanks for the hint!
I’ve now got TLS working with bridged Mosquitto brokers when running both master and slave OH2 on the same local network. I generated certificates using the following utility script.
The next step is to move the slave OH2 to my summer house and then change my bridge.conf to point to my external IP address for my home network, and also configure port forwarding in my ASUS router to point port 8883 to the local IP address of my master OH2.
Is there any other configuration that is needed to be changed when moving the slave OH2 to another network?
Will the port forwarding work out of the box? The Mosquitto TLS request will then come from my router’s internal IP address 192.168.1.1 on port 8883 to the master OH2 Mosquitto service.
I guess I also need to configure port forwarding on the router in my summer house to point port 8883 to the local IP address of my slave OH2.
The OH1 MQTT implementation only has an accept-all-and-everything policy, so man-in-the-middle attacks are possible. It is safer to use two MQTT brokers like Mosquitto on each side and let them synchronize themselves securely, at least for the moment.
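The two-broker setup from the posts above (certificates on both sides, the master broker listening on 8883, the slave broker bridging out to it with mutual TLS), written out as an added example. This is not the poster's utility script and not openHAB or Mosquitto project code. It assumes Mosquitto 1.4+ option names, a placeholder MASTER_HOST of master.example.org (the name or public IP the slave dials), an output directory OUT, a client CN of summerhouse-bridge, and the openHAB 1.x event bus default topics under /openHAB/out/ and /openHAB/in/; adjust all of these to your installation.

```shell
#!/bin/sh
# Added example, not the poster's script: build a private CA, a server
# certificate for the master broker and a client certificate for the slave's
# bridge, then write the two Mosquitto config fragments that use them.
# Assumed placeholders: MASTER_HOST, OUT, the CN "summerhouse-bridge" and the
# openHAB 1.x event bus topics /openHAB/out/... and /openHAB/in/...
set -eu

OUT="${OUT:-./mqtt-tls}"
MASTER_HOST="${MASTER_HOST:-master.example.org}"
DAYS="${DAYS:-3650}"

# Certificates. A subjectAltName is added so the slave can verify the master's
# identity with bridge_insecure left at false: an IP gets IP:, a name gets DNS:.
gen_certs() {
    mkdir -p "$OUT"
    case "$MASTER_HOST" in
        *[!0-9.]*) san="DNS:$MASTER_HOST" ;;
        *)         san="IP:$MASTER_HOST" ;;
    esac
    (
        cd "$OUT"
        # 1. Private CA. Only ca.crt is copied to the brokers; ca.key stays offline.
        openssl genrsa -out ca.key 4096 2>/dev/null
        openssl req -x509 -new -key ca.key -sha256 -days "$DAYS" \
            -subj "/CN=home-mqtt-ca" -out ca.crt
        # 2. Server certificate for the master broker's 8883 listener.
        openssl genrsa -out master.key 2048 2>/dev/null
        openssl req -new -key master.key -subj "/CN=$MASTER_HOST" -out master.csr
        printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > master.ext
        openssl x509 -req -in master.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days "$DAYS" -sha256 -extfile master.ext -out master.crt 2>/dev/null
        # 3. Client certificate for the slave's bridge. Its CN becomes the username
        #    on the master (use_identity_as_username), so no password is stored.
        openssl genrsa -out slave.key 2048 2>/dev/null
        openssl req -new -key slave.key -subj "/CN=summerhouse-bridge" -out slave.csr
        printf 'extendedKeyUsage=clientAuth\n' > slave.ext
        openssl x509 -req -in slave.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days "$DAYS" -sha256 -extfile slave.ext -out slave.crt 2>/dev/null
        rm -f master.csr slave.csr master.ext slave.ext
    )
}

# Config fragments. Paths are absolute because Mosquitto resolves them itself.
write_confs() {
    dir="$(cd "$OUT" && pwd)"
    # Master side (assumed Debian layout: drop into /etc/mosquitto/conf.d/).
    # master.key must be readable by the user Mosquitto runs as.
    cat > "$OUT/master-tls.conf" <<EOF
listener 8883
cafile $dir/ca.crt
certfile $dir/master.crt
keyfile $dir/master.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true
allow_anonymous false
EOF
    # Slave side. The bridge is an outbound connection, so only the master's
    # router needs a forward for TCP 8883; the slave's router needs none.
    cat > "$OUT/slave-bridge.conf" <<EOF
connection master
address $MASTER_HOST:8883
remote_clientid summerhouse-bridge
bridge_cafile $dir/ca.crt
bridge_certfile $dir/slave.crt
bridge_keyfile $dir/slave.key
bridge_insecure false
bridge_tls_version tlsv1.2
cleansession false
try_private true
notifications true
topic /openHAB/out/# out 1
topic /openHAB/in/# in 1
EOF
}

# Check the chain the way the brokers will: both leaf certs must chain to ca.crt.
verify_chain() {
    openssl verify -CAfile "$OUT/ca.crt" "$OUT/master.crt" "$OUT/slave.crt" >/dev/null
}

# Print the server cert's subjectAltName entries so they can be compared with the
# address line in slave-bridge.conf; a mismatch shows up as a TLS handshake error.
server_cert_san() {
    openssl x509 -in "$OUT/master.crt" -noout -text | grep -E -o '(DNS|IP Address):[^, ]*'
}

if [ "${1:-}" = "run" ]; then
    gen_certs && write_confs && verify_chain && server_cert_san
fi
```

Run it as `sh mqtt-tls.sh run`, then copy ca.crt, slave.crt and slave.key to the summer-house broker and ca.crt, master.crt and master.key to the master. Because the bridge dials out from the slave, the master broker sees the connection arriving from the summer house's public address, not from the home router's LAN address. If the home connection has a dynamic IP, issue the server certificate for a DNS name (for example a dynamic DNS hostname) rather than the IP, so the certificate stays valid when the address changes.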