Mosquitto TLS Security - Can the message payload be read?
I am running mosquitto broker on ubuntu on aws ec2, using TLS over port 8883. For example:
mosquitto_sub -h domain.com -t topic --cafile /etc/mosquitto/certs/ca.crt -p 8883
The client is esp8266 using TLS configuration.
Is it possible for someone to still intercept or read the outgoing or incoming mqtt message?
All communication is on port 8883 using a certificate.
(1) The most trivial answer with MQTT context is:
Use another MQTT client and subscribe to '#' to see all messages your broker receives from anywhere.
If you know the topics your esp8266 client is publishing or subscribed to, subscribe to all these with the other client (eg with 'mosquitto_sub').
The broker provides messages on the topic "topic" mentioned above to all subscribed clients, independent from their communication channel security.
This way you get the messages for the esp8266 with any other client. For example, if the unencrypted channel is not deactivated:
mosquitto_sub -h domain.com -t topic -p 1883
TLS ensures encryption for the communication channel only, and not for the actual payload before putting it onto the channel between client and server.
(2) If (1) is not the expected answer and you rather want to wiretap the encrypted communication:
A good article for MQTT security fundamentals: https://www.hivemq.com/blog/mqtt-security-fundamentals-tls-ssl/
[Disclaimer: no assumptions about advanced abilities of 3rd parties]
The TLS communication is properly encrypted, and to decrypt the MQTT communication requires the session secrets client and server use after their successful TLS handshake.
A solution requires you as the operator of the broker.
There is a short article about how to do it: https://adrianalin.gitlab.io/popsblog.me/posts/decrypt-mqtt-tls-traffic/
In essence:
(Whether you are able to set this up with root privileges on your EC2 instance in AWS, is another question).
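A broker-side configuration that closes the gap described in point (1), added here as an illustration and not part of the question or the answer above: the plaintext listener on 1883 is gone, the TLS listener on 8883 refuses anonymous clients, and an ACL file confines each device to its own topic prefix so a second client can no longer read everything by subscribing to '#'. The file paths other than ca.crt, the user names and the topic names are assumed.

```conf
# /etc/mosquitto/conf.d/hardened.conf  (assumed path, not from the original post)

# Weak setup that point (1) relies on: a plaintext listener plus anonymous
# access lets any client on the network subscribe to '#' over port 1883.
#   listener 1883
#   allow_anonymous true

# Hardened setup: no plaintext listener at all, TLS only on 8883.
# ca.crt is the CA from the question; server.crt/server.key are assumed names.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1.2

# Every client must log in; the password file is created with mosquitto_passwd.
allow_anonymous false
password_file /etc/mosquitto/passwd

# Optional: additionally require a client certificate signed by ca.crt and
# take the username from its CN (the esp8266 then needs its own cert/key).
# require_certificate true
# use_identity_as_username true

# Topic authorization. Without this, any authenticated user can still
# subscribe to '#' and receive every message the broker relays.
acl_file /etc/mosquitto/aclfile

# ---- contents of /etc/mosquitto/aclfile (a separate file) ----
# No rules before the first 'user' line, so anonymous clients get nothing.
# The device may only publish and read under its own prefix.
# user esp8266
# topic readwrite sensors/esp8266/#
#
# A read-only consumer, limited to the sensor tree rather than '#'.
# user dashboard
# topic read sensors/#
#
# Alternative to per-user lines: %u is replaced by the connecting username,
# so every account is confined to sensors/<its own name>/... automatically.
# pattern readwrite sensors/%u/#
```

Messages published outside a client's permitted topics are not delivered to it even if its wildcard subscription was accepted, and with `require_certificate true` a stolen password alone no longer suffices to connect.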