Let me first explain what I am trying to achieve and then I'll get into the details of the things I have tried already.
So, we have a VM that is on our premises and another VM that is on a customer's premises. Access to these VMs is only available to certain IP addresses. So, we could say that they are secure enough for our use case.
Data from the customer's environment flows into our VM through a Mosquitto broker that is set up in both of these environments. This is done with the help of broker bridging, which works fine. However, since this bridge is over the internet, we want to ensure that the data is encrypted and that no one could intercept it over the internet and use this data in a malicious manner.
To achieve this we are making use of SSL broker encryption. The first method I tried is the PSK encryption method.
Here is the broker config at the customer environment.
# Customer side: local listener plus a bridge that connects out to our broker using TLS-PSK
listener 8883
connection bridgetest
address 147.1.20.1:8883
bridge_identity bridge1
bridge_psk 123456789
topic # both
And here is the broker config at our environment.
# Our side: listener that accepts TLS-PSK clients and looks up identity:key pairs in psk_file
listener 8883
psk_hint SAAS Deployments
psk_file c:\DemoCompany\psk_file.txt
The contents of psk_file.txt are very simple and the same as the bridge_identity and bridge_psk provided in the config of the customer environment.
The problem I am facing here is that even though I change the bridge_identity or the bridge_psk at the customer's environment to something that is not in psk_file.txt, I am still able to connect the two brokers over the bridge. My understanding was that if I change the bridge_psk to some random hex code, the connection should be rejected. But that doesn't seem to happen. Am I doing something wrong or missing something here?
The following config files work for me with v2.0.9 builds shipped from the mosquitto PPA on Ubuntu.
Client broker:
listener 1889
connection bridge
address 127.0.0.1:1890
bridge_identity bridge1
bridge_psk 123456789987654321
topic # both 0
Bridge broker:
listener 1890
psk_hint my test bridge
psk_file /temp/psk/psk_file.txt
use_identity_as_username true
The use_identity_as_username is required as, from Mosquitto v2 onward, allow_anonymous defaults to false.
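The check the question is really asking for is whether the listening broker actually refuses a wrong key, rather than whether the bridge happens to come up. The script below is an added example and is not part of the original question or answer: it generates a random hex PSK (Mosquitto requires the key in hex with no 0x prefix), writes the psk_file in its identity:key format, renders both broker configs in the same shape as the answer's, and, only if the mosquitto and mosquitto_pub binaries are installed, starts the listening broker and confirms that a mosquitto_pub with the correct PSK succeeds while one with a different PSK is refused. The identity bridge1 comes from the page; the port 18883, the psk_hint text and the temporary paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code): generate a PSK,
# render the two Mosquitto bridge configs, and verify the listener enforces the key.
set -eu

# Random 32-byte PSK as lowercase hex with no 0x prefix (the format mosquitto expects).
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# One psk_file line: identity:hexkey
psk_file_line() {
    printf '%s:%s\n' "$1" "$2"
}

# Listening (our side) broker config. $1 = port, $2 = psk_file path
listener_conf() {
    cat <<EOF
listener $1
psk_hint saas-bridge
psk_file $2
use_identity_as_username true
EOF
}

# Connecting (customer side) broker config.
# $1 = local port, $2 = remote host:port, $3 = identity, $4 = hex psk
bridge_conf() {
    cat <<EOF
listener $1
connection bridgetest
address $2
bridge_identity $3
bridge_psk $4
topic # both 0
EOF
}

# Live check (requires mosquitto installed): returns 0 only if the correct key
# is accepted AND a different key is refused. $1 = port, $2 = good psk, $3 = wrong psk
check_enforcement() {
    port=$1; good=$2; wrong=$3
    dir=$(mktemp -d)
    psk_file_line bridge1 "$good" > "$dir/psk_file.txt"
    listener_conf "$port" "$dir/psk_file.txt" > "$dir/listener.conf"
    mosquitto -c "$dir/listener.conf" > "$dir/broker.log" 2>&1 &
    pid=$!
    sleep 1
    accepted=0; refused=0
    mosquitto_pub -h 127.0.0.1 -p "$port" --psk-identity bridge1 --psk "$good" \
        -t test -m ok 2>/dev/null && accepted=1
    mosquitto_pub -h 127.0.0.1 -p "$port" --psk-identity bridge1 --psk "$wrong" \
        -t test -m bad 2>/dev/null || refused=1
    kill "$pid" 2>/dev/null || true
    rm -rf "$dir"
    [ "$accepted" -eq 1 ] && [ "$refused" -eq 1 ]
}

PSK=$(gen_psk)
WRONG=$(gen_psk)
echo "psk_file.txt line:"; psk_file_line bridge1 "$PSK"
echo "--- listener side ---"; listener_conf 8883 /etc/mosquitto/psk_file.txt
echo "--- bridge side ---";   bridge_conf 8883 147.1.20.1:8883 bridge1 "$PSK"

if command -v mosquitto >/dev/null 2>&1 && command -v mosquitto_pub >/dev/null 2>&1; then
    if check_enforcement 18883 "$PSK" "$WRONG"; then
        echo "PSK enforced: correct key accepted, wrong key refused"
    else
        echo "PSK NOT enforced: check that the listener has psk_file set and that this build supports TLS-PSK"
    fi
else
    echo "mosquitto not installed; skipping live enforcement check"
fi
```

If the live check reports that a wrong key is still accepted, the listener is not doing a TLS-PSK handshake at all, and that is the situation to investigate before trusting the bridge over the internet.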