When using TLS mutual authentication, the client must present its own certificate. The Mosquitto test server offers a client-certificate signing service, but you have to produce the certificate signing request (CSR) yourself.
The steps are as follows:
1. Generate an RSA private key

openssl genrsa -out mosquitto-client.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
........................+++++
e is 65537 (0x010001)
2. Generate the client certificate signing request

openssl req -config ../ssl/openssl.cnf -out mosquitto-client.csr -key mosquitto-client.key -new

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:GZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GV
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:const.net.cn
Email Address []:admin@const.net.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Generate a TLS client certificate for test.mosquitto.org
Visit https://test.mosquitto.org/ssl/, paste the CSR into the form on that page and download the client certificate. Save it as mosquitto-client.crt.
The client certificate generation page is shown in the figure:
[Figure: mosquitto-client-crt-request.png]

Now we test MQTT mutual authentication.
Subscribe command:

mosquitto_sub -L "mqtts://test.mosquitto.org:8884/const.net.cn/" --cert mosquitto-client.crt --key mosquitto-client.key --cafile ../mosquitto.org.crt -d

Client (null) sending CONNECT
Client (null) received CONNACK (0)
Client (null) sending SUBSCRIBE (Mid: 1, Topic: const.net.cn/, QoS: 0, Options: 0x00)
Client (null) received SUBACK
Subscribed (mid: 1): 0
Subscribe command with a QoS parameter:

mosquitto_sub -L "mqtts://test.mosquitto.org:8884/const.net.cn/" --cert mosquitto-client.crt --key mosquitto-client.key --cafile ../mosquitto.org.crt -q 2 -d

Client (null) sending CONNECT
Client (null) received CONNACK (0)
Client (null) sending SUBSCRIBE (Mid: 1, Topic: const.net.cn/, QoS: 2, Options: 0x00)
Client (null) received SUBACK
Subscribed (mid: 1): 2

Note: the client certificate, the client private key and the CA certificate must all be supplied; otherwise you may get the following error:
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
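As an added example (not part of the original post), here is a POSIX shell pre-flight check that catches the most common local causes of a failed mutual-TLS connection before mosquitto_sub or mosquitto_pub is run: a private key that does not belong to the certificate, a certificate not issued by the CA in the --cafile, or a certificate about to expire. The make_demo_pki helper and its file names are constructed for the demonstration only; in practice you would call check_client_identity with mosquitto-client.crt, mosquitto-client.key and mosquitto.org.crt (assuming the same CA issued the client certificate).

```shell
#!/bin/sh
# Pre-flight check for a mutual-TLS client identity before calling
# mosquitto_sub/mosquitto_pub: the private key must belong to the
# certificate, the certificate must chain to the CA file, and it must
# not be about to expire. Usage: check_client_identity CERT KEY CAFILE
check_client_identity() {
    cert=$1; key=$2; cafile=$3
    # 1. Compare the public key embedded in the cert with the one
    #    derived from the private key (hashes of the PEM encodings).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert does not match $key" >&2; return 1
    fi
    # 2. The broker only accepts certs issued by its CA; verify locally.
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "$cert is not signed by the CA in $cafile" >&2; return 2
    fi
    # 3. Refuse certs that expire within 24 h (86400 s).
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
        echo "$cert expires within 24 h" >&2; return 3
    fi
    return 0
}

# Constructed demo PKI (not test.mosquitto.org's): a throwaway CA, a client
# cert it signs for CN=const.net.cn, and an unrelated key that must be
# rejected. Prints the directory holding the files.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/CN=const.net.cn" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 2 \
        -out "$dir/client.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    echo "$dir"
}

# Stand-alone run: build the demo PKI and check a good and a bad pair.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    d=$(make_demo_pki)
    check_client_identity "$d/client.crt" "$d/client.key" "$d/ca.crt" && echo "client.key: OK"
    check_client_identity "$d/client.crt" "$d/other.key" "$d/ca.crt" || echo "other.key: rejected ($?)"
fi
```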

Publish command:

mosquitto_pub -L "mqtts://test.mosquitto.org:8884/const.net.cn/" --cert mosquitto-client.crt --key mosquitto-client.key --cafile ../mosquitto.org.crt -m 'mqtt example 8884 : MQTT, encrypted, client certificate required' -d

Client (null) sending CONNECT
Client (null) received CONNACK (0)
Client (null) sending PUBLISH (d0, q0, r0, m1, 'const.net.cn/', ... (64 bytes))
Client (null) sending DISCONNECT

Data received by mosquitto_sub:
Client (null) received PUBLISH (d0, q0, r0, m0, 'const.net.cn/', ... (64 bytes))
mqtt example 8884 : MQTT, encrypted, client certificate required
Client (null) sending PINGREQ
Client (null) received PINGRESP

Permalink: https://const.net.cn/151.html
