Mosquitto TLS Security - Can the message payload be read?

I am running the mosquitto broker on Ubuntu on AWS EC2, using TLS over port 8883. For example:

mosquitto_sub -h domain.com -t topic --cafile /etc/mosquitto/certs/ca.crt -p 8883

The client is an esp8266 using a TLS configuration.

Is it possible for someone to still intercept or read the outgoing or incoming MQTT messages?

All communication is on port 8883 using a certificate.

(1) The most trivial answer in the MQTT context is:

Use another MQTT client and subscribe to '#' to see all messages your broker receives from anywhere.

If you know the topics your esp8266 client is publishing to or subscribed to, subscribe to all of them with the other client (e.g. with 'mosquitto_sub').

The broker delivers messages on the topic "topic" mentioned above to all subscribed clients, independent of the security of their communication channel.

This way you get the messages for the esp8266 with any other client. For example, if the unencrypted channel is not deactivated:

mosquitto_sub -h domain.com -t topic -p 1883

TLS ensures encryption for the communication channel only, not for the actual payload before it is put onto the channel between client and server.

(2) If (1) is not the expected answer and you would rather wiretap the encrypted communication:

  • Short answer is: no, not with trivial tooling; that's the purpose of TLS.

A good article on MQTT security fundamentals: https://www.hivemq.com/blog/mqtt-security-fundamentals-tls-ssl/

  • Long answer is:

[Disclaimer: no assumptions about advanced abilities of 3rd parties]

The TLS communication is properly encrypted, and decrypting the MQTT communication requires the session secrets that client and server use after their successful TLS handshake.

A solution requires you to be the operator of the broker.

There is a short article about how to do it: https://adrianalin.gitlab.io/popsblog.me/posts/decrypt-mqtt-tls-traffic/

In essence:

  • You can use Wireshark to eavesdrop on the traffic, if you configure the session secrets there.
  • To get the secrets, you adjust and re-build mosquitto according to the article, so that your broker prints the session secrets.

(Whether you are able to set this up with root privileges on your EC2 instance in AWS is another question.)
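The gap described in (1) is a broker-configuration issue, not a TLS one. Below is an added mosquitto.conf example (not from the question or the answer above) that closes it: the plaintext listener is removed, clients must present a certificate signed by the broker's CA, and an ACL restricts each device to its own topics so a second client cannot subscribe to '#' and read everything. Certificate paths, the 'devices/' topic prefix and the ACL file path are assumptions.

```conf
# Added example, not part of the original post. Paths, ports and
# topic names are assumptions; adjust them to your deployment.

# Allow listener-specific settings (must precede the listener blocks).
per_listener_settings true

# WEAK: the plaintext listener the answer warns about. If this block is
# present, anything a client can reach over 1883 it can read without TLS.
# Keep it commented out (or delete it).
#listener 1883
#allow_anonymous true

# CORRECTED: TLS-only listener on 8883.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
tls_version tlsv1.2

# Mutual TLS: every client must present a certificate signed by ca.crt,
# and the certificate's CN is used as the MQTT username for ACL checks.
require_certificate true
use_identity_as_username true

# No anonymous clients on this listener, and topic access is decided
# per identity by the ACL file below.
allow_anonymous false
acl_file /etc/mosquitto/acl

# Contents of /etc/mosquitto/acl (assumed path), referenced above:
#
#   # Each device may only publish/subscribe under its own name;
#   # %u expands to the username, i.e. the client certificate CN.
#   pattern readwrite devices/%u/#
#
# With only this pattern rule, a subscription to '#' or to another
# device's topic matches nothing and is therefore denied.
```

To check the result from a second host, run `mosquitto_sub -h domain.com -p 8883 --cafile ca.crt -t '#'`: without a client certificate the TLS handshake is refused, and with a device certificate the '#' subscription is denied by the ACL.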
