Security for IoT, mobile, and web applications is an extremely important topic that deserves entire books dedicated to it. Each solution has its own security requirements, and it is very important to consider all of them when developing each component of the solution.

If we use MQTT to publish values that are neither confidential nor critical for other applications, our only concern may be to keep control over the maximum number of subscribers to topics to make sure that the messages are always available. This way, we can avoid the failure of MQTT in delivering messages to a huge number of subscribers.

However, most of the times, we won't be working on a solution that can share the data with the entire world without limitations and doesn't need to care about data confidentiality and integrity in addition to data availability. Imagine that we are working on a solution that includes a mobile app that allows users to control a huge drone. If the drone flies the wrong...

So far, we have been working with a Mosquitto server with its default configuration that listens on port 1883 and uses TCP as the transport protocol. The data sent between each MQTT client and server isn't encrypted. There are no restrictions to subscribers or publishers. If we open the firewall ports and redirect the ports in the router, any MQTT client that has our IP can publish to any topic and can subscribe to any topic.

In our examples in the previous chapter, we didn't make any changes in our configurations to allow incoming connections to port 1883, and therefore, we didn't open our Mosquitto server to the Internet.

We want to use TLS with MQTT and Mosquitto. This way, we will make sure that we can trust the MQTT server because we have confidence that it is who it says; our data will be private because it will be encrypted, and it will have integrity because it won't be altered in the middle of the road. In case you...

Now that we have a private certificate authority, we can create the certificate for the Mosquitto server, that is, a certificate for the computer that will run the MQTT server.

First, we must generate a new private key that will be different from the private key we generated for our own private certificate authority.

Go to the Terminal in macOS or Linux, or the Command Prompt in Windows. Run the following command to create a 2,048-bit key and save it in the server.key file:

openssl genrsa -out server.key 2048

The following lines show a sample output generated by the previous command:

Generating RSA private key, 2048 bit long modulus
....................................................................................................................................................................+++
......+++
e is 65537 (0x10001)

The previous command will generate the private key in the server.key file. Go back to the Terminal in macOS or Linux...

Now, we will configure Mosquitto to use TLS transport security and work with encrypted communications with different clients. Note that we haven't generated certificates for the clients, and therefore, we won't use client certificates for authentication. This way, any client that has the ca.crt file will be able to establish a communication with the Mosquitto server.

Go to the Mosquitto installation directory and create a new subdirectory named certificates. In Windows, you will need administrator privileges to access the default installation folder.

Copy the following files from the certificates directory, in which we have saved the certificate authority certificate and the server certificate, to the certificates subdirectory we recently created within the Mosquitto installation directory:

In case you are running the Mosquitto server in a Terminal window in macOS or Linux, press Ctrl + C to stop it. In Windows...

Now, we will use the MQTT.fx GUI utility to generate another MQTT client that uses an encrypted connection to publish messages to the same topic, sensors/drone01/altitude. We have to make changes to the connection options to enable TLS and specify the certificate authority certificate file. Follow the next steps:

There is another very popular utility to generate MQTT clients that can subscribe to topics and publish to topics: MQTT-spy. This utility is open source and can run on any computer that has Java 8 or a higher version installed on it. You can find more information about MQTT-spy at http://kamilfb.github.io/mqtt-spy. The options to establish a connection with an MQTT server with a certificate authority certificate file are similar to the ones we analyzed for MQTT.fx. However, in case you also want to work with this utility, it is convenient to analyze them in detail.

Now, we will use the MQTT-spy GUI utility to generate another MQTT client that uses an encrypted connection to publish messages to the same topic, that is, sensors/drone01/altitude. Follow the next steps:

Now, we want to require each MQTT client to provide a valid certificate to establish a connection with the MQTT server. This way, only the clients that have a valid certificate will be able to publish or subscribe to topics. We will use the previously created private certificate authority to create client certificates for authentication.

We will generate a sample certificate for our local computer that will act as a client. We can follow the same procedure to generate additional certificates for additional devices that we want to be able to connect to the Mosquitto server. We just need to use a different name for the file and use a different device name in the corresponding option.

First, we must generate a new private key that will be different from the private keys we generated for our own private certificate...

Now, we will configure Mosquitto to use TLS client certificate authentication. This way, any client will require the ca.crt file and a client certificate to establish a communication with the Mosquitto server.

In case you are running the Mosquitto server in a Terminal window in macOS or Linux, press CtrlC to stop it. In Windows, stop the appropriate service.

Go to the Mosquitto installation directory and open the mosquitto.conf configuration file.

In macOS, Linux. or Windows, add the following lines at the end of the configuration file:

require_certificate true 

We specified the true value for the require_certificate option to make Mosquitto require a valid client certificate for any client that requests a connection to Mosquitto.

Save the changes to the mosquitto.conf configuration file and launch Mosquitto again. We will use the mosquitto_sub command-line utility included in Mosquitto to generate a simple MQTT client that subscribes...

Now, we will use the MQTT.fx GUI utility to generate another MQTT client that uses an encrypted connection and TLS client authentication to publish messages to a topic that matches the topic filter we used for the subscription, sensors/drone25/altitude. We have to make changes to the connection options we used when we enabled TLS and specify the client certificate and client key files. Follow the next steps: