2021年7月

“欲速则不达,见小利则大事不成。”

下面是一个Will Message的示例:

Sub端clientid=sub预定义遗嘱消息:

mosquitto_sub --will-topic test --will-payload offline --will-qos 2 -t topic -i sub -h 192.168.1.1

客户端 clientid=alive 在 192.168.1.1 订阅will主题

mosquitto_sub -t test -i alive -q 2 -h 192.168.1.1

当断开client sub端与Server端连接,alive收到offline的消息。

参数说明:

--will-payload : payload for the client Will, which is sent by the broker in case of
                  unexpected disconnection. If not given and will-topic is set, a zero
                  length message will be sent.
 --will-qos : QoS level for the client Will.
 --will-retain : if given, make the client Will retained.
 --will-topic : the topic on which to publish the client Will.

-t : mqtt topic to subscribe to. May be repeated multiple times.
-i : id to use for this client. Defaults to mosquitto_sub_ appended with the process id.
-h : mqtt host to connect to. Defaults to localhost.

使用mosquitto c++ 实现publish发布消息到broker

file mymosq.h

class myMosq : public mosqpp::mosquittopp
{
private:
 const char     *     host;
 const char    *     id;
 const char    *     topic;
 int                port;
 int                keepalive;

 void on_connect(int rc);
 void on_disconnect(int rc);
 void on_publish(int mid);
public:
 myMosq(const char *id, const char * _topic, const char *host, int port);
 ~myMosq();
 bool send_message(const char * _message);
};

file mymosq.cpp

#include "mymosq.h"
#include <iostream>
myMosq::myMosq(const char * _id,const char * _topic, const char * _host, int _port) : mosquittopp(_id)
 {
 mosqpp::lib_init();        
 this->keepalive = 60;    
 this->id = _id;
 this->port = _port;
 this->host = _host;
 this->topic = _topic;
 connect_async(host,     
 port,
 keepalive);
 loop_start();            
 };
myMosq::~myMosq() {
 loop_stop();            
 mosqpp::lib_cleanup();    
 }
bool myMosq::send_message(const  char * _message)
 {
 int ret = publish(NULL,this->topic,strlen(_message),_message,1,false);
 return ( ret == MOSQ_ERR_SUCCESS );
 }
void myMosq::on_disconnect(int rc) {
 std::cout << ">> myMosq - disconnection(" << rc << ")" << std::endl;
 }
void myMosq::on_connect(int rc)
 {
 if ( rc == 0 ) {
 std::cout << ">> myMosq - connected with server" << std::endl;
 } else {
 std::cout << ">> myMosq - Impossible to connect with server(" << rc << ")" << std::endl;
 }
 }
void myMosq::on_publish(int mid)
 {
 std::cout << ">> myMosq - Message (" << mid << ") succeed to be published " << std::endl;
 }

此处使用同步连接模式来发布消息,mosquitto有同步和异步两种通讯方式。同步的方式是通信+等待的阻塞模式。
官方手册api地址:https://mosquitto.org/api/files/mosquitto-h.html#mosquitto_connect
有疑问的地方,可以直接看官方手册,比较好懂。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "mosquitto.h"

#define HOST "localhost"
#define PORT  1883
#define KEEP_ALIVE 60
#define MSG_MAX_SIZE  512

static int running = 1;

void my_connect_callback(struct mosquitto *mosq, void *obj, int rc)
{
        printf("Call the function: my_connect_callback\n");

}

void my_disconnect_callback(struct mosquitto *mosq, void *obj, int rc)
{
        printf("Call the function: my_disconnect_callback\n");
        running = 0;
}

void my_publish_callback(struct mosquitto *mosq, void *obj, int mid)
{
        printf("Call the function: my_publish_callback\n");

}


int main()
{
        int ret;
        struct mosquitto *mosq;
        char buff[MSG_MAX_SIZE];
        
        //初始化libmosquitto库
        ret = mosquitto_lib_init();
        if(ret){
                printf("Init lib error!\n");
                return -1;
        }
        //创建一个发布端实例
        mosq =  mosquitto_new("pub_test", true, NULL);
        if(mosq == NULL){
                printf("New pub_test error!\n");
                mosquitto_lib_cleanup();
                return -1;
        }

        //设置回调函数
        mosquitto_connect_callback_set(mosq, my_connect_callback);
        mosquitto_disconnect_callback_set(mosq, my_disconnect_callback);
        mosquitto_publish_callback_set(mosq, my_publish_callback);

        // 连接至服务器
        // 参数:句柄、ip(host)、端口、心跳
        ret = mosquitto_connect(mosq, HOST, PORT, KEEP_ALIVE);
        if(ret){
                printf("Connect server error!\n");
                mosquitto_destroy(mosq);
                mosquitto_lib_cleanup();
                return -1;
        }

        printf("Start!\n");
        
        //mosquitto_loop_start作用是开启一个线程,在线程里不停的调用 mosquitto_loop() 来处理网络信息
        
        int loop = mosquitto_loop_start(mosq); 
        if(loop != MOSQ_ERR_SUCCESS)
        {
            printf("mosquitto loop error\n");
            return 1;
        }


        while(fgets(buff, MSG_MAX_SIZE, stdin) != NULL)
        {
            /*发布消息*/
            mosquitto_publish(mosq,NULL,"topic1",strlen(buff)+1,buff,0,0);
            memset(buff,0,sizeof(buff));
        }

        mosquitto_destroy(mosq);
        mosquitto_lib_cleanup();
        printf("End!\n");

        return 0;
}

mosquitto有同步和异步两种通讯方式。同步的方式是通信+等待的阻塞模式。
官方手册api地址:https://mosquitto.org/api/files/mosquitto-h.html#mosquitto_connect
有疑问的地方,可以直接看官方手册,比较好懂。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "mosquitto.h"

#define HOST "localhost"
#define PORT  1883
#define KEEP_ALIVE 60
#define MSG_MAX_SIZE  512

// 定义运行标志决定是否需要结束
static int running = 1;

void my_connect_callback(struct mosquitto *mosq, void *obj, int rc)
{
        printf("Call the function: on_connect\n");

        if(rc){
                // 连接错误,退出程序
                printf("on_connect error!\n");
                exit(1);
        }else{
                // 订阅主题
                // 参数:句柄、id、订阅的主题、qos
                if(mosquitto_subscribe(mosq, NULL, "topic1", 2)){
                        printf("Set the topic error!\n");
                        exit(1);
                }
        }
}

void my_disconnect_callback(struct mosquitto *mosq, void *obj, int rc)
{
        printf("Call the function: my_disconnect_callback\n");
        running = 0;
}

void my_subscribe_callback(struct mosquitto *mosq, void *obj, int mid, int qos_count, const int *granted_qos)
{
        printf("Call the function: on_subscribe\n");
}

void my_message_callback(struct mosquitto *mosq, void *obj, const struct mosquitto_message *msg)
{
        printf("Call the function: on_message\n");
        printf("Recieve a message of %s : %s\n", (char *)msg->topic, (char *)msg->payload);

        if(0 == strcmp(msg->payload, "quit")){
                mosquitto_disconnect(mosq);
        }
}


int main()
{
        int ret;
        struct mosquitto *mosq;

        // 初始化mosquitto库
        ret = mosquitto_lib_init();
        if(ret){
                printf("Init lib error!\n");
                return -1;
        }

        // 创建一个订阅端实例
        // 参数:id(不需要则为NULL)、clean_start、用户数据
        mosq =  mosquitto_new("sub_test", true, NULL);
        if(mosq == NULL){
                printf("New sub_test error!\n");
                mosquitto_lib_cleanup();
                return -1;
        }

        // 设置回调函数
        // 参数:句柄、回调函数
        mosquitto_connect_callback_set(mosq, my_connect_callback);
        mosquitto_disconnect_callback_set(mosq, my_disconnect_callback);
        mosquitto_subscribe_callback_set(mosq, my_subscribe_callback);
        mosquitto_message_callback_set(mosq, my_message_callback);

        // 连接至服务器
        // 参数:句柄、ip(host)、端口、心跳
       ret = mosquitto_connect(mosq, HOST, PORT, KEEP_ALIVE);
        if(ret){
                printf("Connect server error!\n");
                mosquitto_destroy(mosq);
                mosquitto_lib_cleanup();
                return -1;
        }


         // 开始通信:循环执行、直到运行标志running被改变
        printf("Start!\n");
        while(running)
        {
                mosquitto_loop(mosq, -1, 1);
        }

        // 结束后的清理工作
        mosquitto_destroy(mosq);
        mosquitto_lib_cleanup();
        printf("End!\n");

        return 0;
}

使用mqtts的时候,连接提示错误:

mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t "command///req/#" --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1

Unable to connect (A TLS error occurred.).

加上调试信息打印

mosquitto_sub -L mqtts://124.71.233.xx:8883/ -t "command///req/#" --cert cert.pem --key key.pem --cafile ../trusted-certs.pem -q 1 -d

Error: Unable to load client certificate "cert.pem".
OpenSSL Error[0]: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Unable to connect (A TLS error occurred.).

查看openssl软件版本
openssl
OpenSSL> version
OpenSSL 1.1.1f 31 Mar 2020
OpenSSL> quit

使用openssl s_client 测试

openssl s_client -connect 124.71.233.xx:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

error setting certificate
140341384697152:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
出现同样的错误。

查看证书信息

openssl x509 -text -in cert.pem

Signature Algorithm: sha1WithRSAEncryption

众所周知,sha1算法很弱且已过时。应该就是这个原因了。
解决办法:

openssl s_client -cipher @SECLEVEL=0:ALL -connect 124.71.233.xx:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

要确认就是sha1的问题,只需要这样就可以

openssl s_client -cipher @SECLEVEL=0:SHA1 -connect 124.71.233.62:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

mqtt在编译openssl的时候,使用DOPENSSL_TLS_SECURITY_LEVEL=0就可以了。

还有一个修改配置文件的方法,
修改/etc/ssl/openssl.cnf文件
在文件开头加上

openssl_conf = default_conf

在文件结尾加上

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=0

验证测试:

openssl s_client  -connect 124.71.233.62:8883 -cert cert.pem -key key.pem -CAfile ../trusted-certs.pem -showcerts

CONNECTED(00000003)
...
verify return:1
这个方法来源于:https://askubuntu.com/questions/1231799/certificate-error-after-upgrade-to-20-04
原文:

I found a solution, according to the accepted answer of this question:
Ubuntu 20.04 - how to set lower SSL security level?

In particular, the openSSL configuration file /etc/ssl/openssl.cnf
shall be modified in the following way.

At the beginning, add openssl_conf = default_conf

At the end, add

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect] MinProtocol = TLSv1.2 CipherString =
DEFAULT:@SECLEVEL=0 After this modification, the certificate is
recognized without security errors.

https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html

WARNING at this time setting the security level higher than 1 for
general internet use is likely to cause considerable interoperability
issues and is not recommended. This is because the SHA1 algorithm is
very widely used in certificates and will be rejected at levels higher
than 1 because it only offers 80 bits of security.

The default security level can be configured when OpenSSL is compiled
by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. If not set then 1 is
used.

https://github.com/drwetter/testssl.sh/issues/1433

OpenSSL 1.1.0 introduced the ability to specify a security level:
https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_security_level.pod.
By default the security level is set to 1 unless a compile-time option
is used to set the default a different value. The security level may
also be set by the command line, e.g.,

openssl s_client -cipher @SECLEVEL=0:ALL -connect 127.0.0.1:443 At the
moment, testssl.sh does not use the @SECLEVEL=n directive, but we may
want to look into using s_client_options() to add it in some
circumstances.

  1. 1
  2. ...
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. ...
  11. 28