Mosquitto broker with SSL encryption for bridge connection


Let me first explain what I am trying to achieve and then I'll get into the details of the things I have tried already.

So, we have a VM that is on our premises and another VM that is on a customer's premises. Access to these VMs is only available to certain IP addresses. So, we could say that they are secure enough for our use-case.

Data from the customer's environment flows through and into our VM through a mosquitto broker that is set up on both these environments. This is done with the help of broker bridging, which works fine. However, since this bridge is over the internet, we want to ensure that the data is encrypted and that no one could intercept this over the internet and use this data in a malicious manner.

To achieve this we are making use of SSL broker encryption. The first method I tried is the PSK encryption method.

Here is the broker config at the customer environment.

listener 8883
connection bridgetest
address 147.1.20.1:8883
bridge_identity bridge1
bridge_psk 123456789
topic # both

And here is the broker config at our environment.

listener 8883 
psk_hint SAAS Deployments
psk_file c:\DemoCompany\psk_file.txt

The contents of the psk_file.txt are very simple and the same as the bridge_identity and the bridge_psk provided in the config of the customer environment.

The problem I am facing here is that even though I change the bridge_identity or the bridge_psk at the customer's environment to something that is not in the psk_file.txt, I am still able to connect the 2 brokers over the bridge. My understanding was that if I change the bridge_psk to some random hex code, the connection should get rejected. But that doesn't seem to happen. Am I doing something wrong or missing something here?


Solution

  • The following config files work for me with v2.0.9 builds shipped from the mosquitto PPA on Ubuntu

    Client broker:

    listener 1889
    
    connection bridge
    address 127.0.0.1:1890
    bridge_identity bridge1
    bridge_psk 123456789987654321
    topic # both 0
    

    Bridge broker:

    listener 1890
    psk_hint my test bridge
    psk_file /temp/psk/psk_file.txt
    use_identity_as_username true
    

    The use_identity_as_username is required as from Mosquitto v2 onward allow_anonymous defaults to false.
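A check to go with the configs above, added here and not part of the original answer: it probes the psk listener with openssl s_client once with the configured identity/key and once with a deliberately wrong key, so you can confirm the listener actually enforces the PSK rather than just accepting any bridge. It assumes openssl is installed, that the listener still allows TLS 1.2 (so a classic PSK ciphersuite shows up in the Cipher line), and the host/port/identity/key values are taken from the question, not from a live system.

```shell
#!/bin/sh
# Added example, not from the original post. Probes a Mosquitto PSK
# listener to confirm the identity/key pair is actually enforced.

# A Mosquitto PSK must be a hex string (psk_file lines are identity:hexkey).
is_hex_psk() {
    case "$1" in
        "" | *[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Try a TLS-PSK handshake against host:port. Returns 0 only if openssl
# negotiated a PSK ciphersuite. TLS 1.2 is forced so the PSK cipher is
# visible in the "Cipher is ..." line; wrong identity or key must fail.
psk_handshake() {
    host=$1; port=$2; identity=$3; key=$4
    is_hex_psk "$key" || { echo "key is not hex: $key" >&2; return 2; }
    out=$(openssl s_client -connect "$host:$port" -tls1_2 \
            -psk_identity "$identity" -psk "$key" </dev/null 2>&1)
    echo "$out" | grep -q 'Cipher is .*PSK'
}

# Enforcement test: the configured key must connect, a wrong key must not.
# Returns 0 when the listener behaves correctly, 1 otherwise.
verify_psk_listener() {
    host=$1; port=$2; identity=$3; key=$4
    bad_key="deadbeefdeadbeef"        # constructed wrong key, same format
    if ! psk_handshake "$host" "$port" "$identity" "$key"; then
        echo "FAIL: configured key $identity was rejected"; return 1
    fi
    if psk_handshake "$host" "$port" "$identity" "$bad_key"; then
        echo "FAIL: listener accepted a wrong key, PSK is not enforced"; return 1
    fi
    echo "PASS: listener enforces PSK for identity $identity"
}

# Usage (values from the question; run where the listener is reachable):
#   verify_psk_listener 147.1.20.1 8883 bridge1 123456789
```

If the wrong key also connects, the bridge is not using TLS-PSK at all, which is the symptom described in the question.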