From 277b37ad695c610f17c8de3c9e8877e67e24401c Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Sat, 9 Nov 2019 15:56:41 +0000 Subject: [PATCH 01/11] new entry --- images/mqtt/tls-connect-1.png | Bin 0 -> 13643 bytes mqtt/tls-connect-to-broker.md | 116 ++++++++++++++++++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 images/mqtt/tls-connect-1.png create mode 100644 mqtt/tls-connect-to-broker.md 
MQTT Config node, changing the "Server" name to start
with `mqtts://`. + +#### Example + +**Valid Certificate Creation** + +THe easiest approach for this is to use [Let's Encrypt](). This is beyond the scopy of this article but there are plenty of examples and tutorials available on the Internet. For this to work successfully, you also need to be able to use a registered domain name on your internal network because you cannot use Let's Encrypt with IP addresses or non-public domain names. + +Alternatively, you can create a self-signed set of certificates. Again, this is beyond the scope of the article. However, you may need to create a trusted root certificate and provide its public cert instead of the one that Debian provides that is listed in the configuration below. + +**Mosquitto configuration** + +This assumes that you are using Let's Encrypt or other certificates signed by a root CA already trusted by the Debian operating system. + +Note the entries in `<...>` which need to be replaced with your own folders and files. + +This goes into a file of any name of the form `*.config` in the folder `/etc/mosquitto/conf.d/`. So you have to edit it with root privalages (e.g. using `sudo`). 
+ +{{ page.lcb }}% raw %} +~~~text +# Default Listener: 1883 +port 1883 +# Bind the default listener to localhost only if you want to force external connections to be TLS only +#bind_address localhost + +# Secure listener +listener 8883 +# TLS +## This is standard and should always be this when using Let's Encrypt +## If using a self-signed certificate, this needs to be your custom Root CA public certificate +cafile /etc/ssl/certs/DST_Root_CA_X3.pem +## These are from your installation of LE +certfile //.cer +keyfile //.key +## Forces use of modern version of TLS to avoid security issues +tls_version tlsv1.2 + +## Forces ALL CLIENTs to provide a valid certificate - change the node config to allow this from NR +#require_certificate true +~~~ +{: .shell} +{{ page.lcb }}% endraw %} + +After making these changes, you have to restart the mosquitto broker using the command: + +~~~text +[~]$ sudo systemctl restart mosquitto +~~~ +{: .shell} + +**MQTT Config node configuration** + +![](/images/mqtt/tls-connect-1.png) + +Notes + +* You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). +* You need to change the server name to a url, prefixed with `mqtts://`. This disables the port field, I change that first to `8883` to remind me what the correct port will be. +* You **do not** need to set the "Enable secure connection" flag. That lets you authenticate the Node-RED client connection to the broker (if you set the require_certificate to true for example). + +### Discussion + +Mosquitto allows you to create multiple ports for connectivity. This lets you use websockets and TLS encrypted connections in addition to the default connection. + +The folder `/etc/mosquitto/conf.d/` can contain any number of config files which will all be applied so that you can split your custom changes into separate files if you like. 
+ +Just remember that once you use a custom file to set ports, the default port (1883) is no longer active so you have to specify that as well. The standard port for MQTT over TLS (MQTTS) is 8883. You can, however, use other ports if they are not in use. Make sure you use a port number greater than 1024 otherwise everything that wants to use that port has to have root privalages. + +You can check which ports the broker has opened with the command: + +~~~text +[~]$ sudo netstat -lptu | grep mosquitto +tcp 0 0 0.0.0.0:8883 0.0.0.0:* LISTEN 17697/mosquitto +tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 17697/mosquitto +tcp6 0 0 [::]:8883 [::]:* LISTEN 17697/mosquitto +tcp6 0 0 [::]:1883 [::]:* LISTEN 17697/mosquitto +~~~ +{: .shell} + +You can test whether the server device is allowing connections on a port by using telnet from another device. + +~~~text +[~]$ telnet 8883 +~~~ +{: .shell} + +If the connection opens, then the target device is accepting connections on that port. + +Note that the operating system automatically opens the required ports through the devices firewall. + +If you want to monitor what the broker is doing, including seeing which clients connect to which ports, use the following command: + +~~~text +[~]$ sudo tail /var/log/mosquitto/mosquitto.log -f +~~~ +{: .shell} + From 2b3bfcb48bad69c69e5b4367872df574989a7ee6 Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Sat, 9 Nov 2019 16:09:47 +0000 Subject: [PATCH 02/11] Correct title --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 99639bd..930932b 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -1,6 +1,6 @@ --- layout: default -title: A short (<10 words) summary of the task addressed +title: Connect to an MQTT broker with TLS encryption slug: - label: mqtt url: /#mqtt From cc36a4e6ae2f7b6651861a7a30c89b61b74be65b Mon Sep 17 00:00:00 2001 
From: Julian Knight Date: Fri, 15 Nov 2019 18:04:41 +0000 Subject: [PATCH 03/11] Added link to LE, corrected "scopy" typo --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 930932b..16104b7 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -23,7 +23,7 @@ Alter the MQTT Config node, changing the "Server" name **Valid Certificate Creation** -THe easiest approach for this is to use [Let's Encrypt](). This is beyond the scopy of this article but there are plenty of examples and tutorials available on the Internet. For this to work successfully, you also need to be able to use a registered domain name on your internal network because you cannot use Let's Encrypt with IP addresses or non-public domain names. +THe easiest approach for this is to use [Let's Encrypt](https://letsencrypt.org/getting-started/). This is beyond the scope of this article but there are plenty of examples and tutorials available on the Internet. For this to work successfully, you also need to be able to use a registered domain name on your internal network because you cannot use Let's Encrypt with IP addresses or non-public domain names. Alternatively, you can create a self-signed set of certificates. Again, this is beyond the scope of the article. However, you may need to create a trusted root certificate and provide its public cert instead of the one that Debian provides that is listed in the configuration below. From 868ea845c7184b2eee228db7fffb6a66d282e8f6 Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:06:12 +0000 Subject: [PATCH 04/11] change *.config to *.conf, thanks to Paul Reed --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 16104b7..c4decba 100644 --- a/mqtt/tls-connect-to-broker.md 
+++ b/mqtt/tls-connect-to-broker.md @@ -33,7 +33,7 @@ This assumes that you are using Let's Encrypt or other certificates signed by a Note the entries in `<...>` which need to be replaced with your own folders and files. -This goes into a file of any name of the form `*.config` in the folder `/etc/mosquitto/conf.d/`. So you have to edit it with root privalages (e.g. using `sudo`). +This goes into a file of any name of the form `*.conf` in the folder `/etc/mosquitto/conf.d/`. So you have to edit it with root privalages (e.g. using `sudo`). {{ page.lcb }}% raw %} ~~~text From b8a04f110c0ab4986705dbe5cd58aa2423e632bd Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:07:53 +0000 Subject: [PATCH 05/11] Clarify TLS1.2 applies to specific port, thanks to Paul Reed. --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index c4decba..064e52f 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -54,7 +54,7 @@ keyfile //.key ## Forces use of modern version of TLS to avoid security issues tls_version tlsv1.2 -## Forces ALL CLIENTs to provide a valid certificate - change the node config to allow this from NR +## Forces ALL CLIENTs using this port to provide a valid certificate - change the node config to allow this from NR #require_certificate true ~~~ {: .shell} From 62695b397d9ac4f1a8d19b822bd76b29cc2224b3 Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:11:04 +0000 Subject: [PATCH 06/11] Improve wording on enable secure connection flag - suggestion from Paul Reed. --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 064e52f..082cdcc 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md 
@@ -75,7 +75,7 @@ Notes * You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). * You need to change the server name to a url, prefixed with `mqtts://`. This disables the port field, I change that first to `8883` to remind me what the correct port will be. -* You **do not** need to set the "Enable secure connection" flag. That lets you authenticate the Node-RED client connection to the broker (if you set the require_certificate to true for example). +* You **do not** need to set the "Enable secure connection" flag unless you want to authenticate the Node-RED client to the broker (if you set the require_certificate to true for example). ### Discussion From 071e65c43259bba9dd17171c9073380ae07b186b Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:14:07 +0000 Subject: [PATCH 07/11] Add note about secure connection flag impacting cert chain verification. --- mqtt/tls-connect-to-broker.md | 1 + 1 file changed, 1 insertion(+) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 082cdcc..a1edff1 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -76,6 +76,7 @@ Notes * You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). * You need to change the server name to a url, prefixed with `mqtts://`. This disables the port field, I change that first to `8883` to remind me what the correct port will be. * You **do not** need to set the "Enable secure connection" flag unless you want to authenticate the Node-RED client to the broker (if you set the require_certificate to true for example). +* If you do not set the "Enable secure connection" flag however, the node will not validate the certificate chain. ### Discussion From 24aa2021385b8a7a1a43473a7b4e5a7afdfff107 Mon Sep 17 00:00:00 2001 
From: Julian Knight Date: Fri, 15 Nov 2019 18:18:42 +0000 Subject: [PATCH 08/11] clarify configuration locations --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index a1edff1..334e79d 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -33,7 +33,7 @@ This assumes that you are using Let's Encrypt or other certificates signed by a Note the entries in `<...>` which need to be replaced with your own folders and files. -This goes into a file of any name of the form `*.conf` in the folder `/etc/mosquitto/conf.d/`. So you have to edit it with root privalages (e.g. using `sudo`). +For Linux installations, this goes into a file of any name of the form `*.conf` in the folder `/etc/mosquitto/conf.d/`. So you have to edit it with root privalages (e.g. using `sudo`). On other platforms, please refer to the [Mosquitto configuration documentation](https://mosquitto.org/man/mosquitto-8.html). {{ page.lcb }}% raw %} ~~~text From 25f5c5dcfdedcec7831c962294a78469edd2eebf Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:26:25 +0000 Subject: [PATCH 09/11] clarify restart options --- mqtt/tls-connect-to-broker.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 334e79d..27fa959 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -60,13 +60,15 @@ tls_version tlsv1.2 {: .shell} {{ page.lcb }}% endraw %} -After making these changes, you have to restart the mosquitto broker using the command: +After making these changes, you have to restart the mosquitto broker. On Linux, you can usr the command: ~~~text [~]$ sudo systemctl restart mosquitto ~~~ {: .shell} +Other platforms, including Docker-based installations may be different. + **MQTT Config node configuration** ![](/images/mqtt/tls-connect-1.png) 
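Review bot: In the Mosquitto configuration block of the new file mqtt/tls-connect-to-broker.md (PATCH 01/11), `port 1883` keeps a plaintext listener open on all interfaces while `#bind_address localhost` stays commented out, and the `netstat` sample later in the same file confirms it (`0.0.0.0:1883 ... LISTEN`), so a reader who copies the example verbatim ends up with an unencrypted broker port reachable from the network next to the TLS one. Suggest either uncommenting `bind_address localhost` in the example, with the comment saying that external clients then must use 8883, or dropping the `port 1883` line and stating that in the text. Two smaller points in the same block: the comment on `cafile /etc/ssl/certs/DST_Root_CA_X3.pem` says it "should always be this", which hard-wires one root certificate and breaks the listener if the Let's Encrypt chain ever changes; pointing at the system bundle instead (`capath /etc/ssl/certs/`) is more robust. The `certfile` comment should also say that the file must contain the full chain (leaf plus intermediate), otherwise clients that only trust the root cannot validate the broker. Finally, "Note that the operating system automatically opens the required ports through the devices firewall" only holds when no host firewall is installed and should be qualified.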
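Review bot: The replaced line in PATCH 03/11 still begins with "THe easiest approach", so the hunk fixes "scopy" but leaves a second typo on the same line; suggest "The easiest approach".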
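Review bot: The bullet added in PATCH 07/11, "If you do not set the "Enable secure connection" flag however, the node will not validate the certificate chain", leaves the preceding bullet's advice ("You **do not** need to set the "Enable secure connection" flag unless ...") standing, so the two bullets now contradict each other on what the reader should do. Without chain validation the client encrypts the session but does not verify that it is talking to your broker, which undoes most of what the article sets out to achieve. Suggest merging the two bullets into one that recommends enabling the flag and pointing the node's TLS configuration at the CA that signed the broker certificate, and mentioning client-certificate authentication (`require_certificate true`) as the separate, optional case.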
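Review bot: The rewritten sentence in PATCH 09/11 introduces a typo, "you can usr the command"; suggest "you can use the command". The added line "Other platforms, including Docker-based installations may be different." also needs a comma after "installations".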
From e73019e44c22d74ad7bb5fa9f2b0571872523ab1 Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:28:29 +0000 Subject: [PATCH 10/11] clarify how to change from the default port --- mqtt/tls-connect-to-broker.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index 27fa959..e18ddc0 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md @@ -76,7 +76,16 @@ Other platforms, including Docker-based installations may be different. Notes * You need to use the IP name rather than IP address in the server name if using Let's Encrypt (otherwise the certificate isn't valid). -* You need to change the server name to a url, prefixed with `mqtts://`. This disables the port field, I change that first to `8883` to remind me what the correct port will be. +* You need to change the server name to a url, prefixed with `mqtts://`. + + This disables the port field, I change that first to `8883` to remind me what the correct port will be. + + If you need to change the port to something other than the default, include it on the URL: + + ``` + mqtts://broker.domain.tld:9999 + ``` + * You **do not** need to set the "Enable secure connection" flag unless you want to authenticate the Node-RED client to the broker (if you set the require_certificate to true for example). * If you do not set the "Enable secure connection" flag however, the node will not validate the certificate chain. From 7db38b888716fea553fd7faa0b44dd438f82e897 Mon Sep 17 00:00:00 2001 From: Julian Knight Date: Fri, 15 Nov 2019 18:33:32 +0000 Subject: [PATCH 11/11] clarify port usage --- mqtt/tls-connect-to-broker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mqtt/tls-connect-to-broker.md b/mqtt/tls-connect-to-broker.md index e18ddc0..750d3f9 100644 --- a/mqtt/tls-connect-to-broker.md +++ b/mqtt/tls-connect-to-broker.md 
@@ -95,7 +95,7 @@ Mosquitto allows you to create multiple ports for connectivity. This lets you us The folder `/etc/mosquitto/conf.d/` can contain any number of config files which will all be applied so that you can split your custom changes into separate files if you like. -Just remember that once you use a custom file to set ports, the default port (1883) is no longer active so you have to specify that as well. The standard port for MQTT over TLS (MQTTS) is 8883. You can, however, use other ports if they are not in use. Make sure you use a port number greater than 1024 otherwise everything that wants to use that port has to have root privalages. +Just remember that once you use a custom file to set ports, the default port (1883) is no longer active so you have to specify that as well if you still want it to be active. The standard port for MQTT over TLS (MQTTS) is 8883. You can, however, use other ports if they are not in use. Make sure you use a port number greater than 1024 otherwise the broker must be run with root privalages which is not recommended for security reasons. You can check which ports the broker has opened with the command:
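Review bot: The rewritten sentence in PATCH 11/11 keeps "privalages" (should be "privileges"), the same misspelling that the line rewritten in PATCH 08/11 carries; since this series already touches both lines, fixing the spelling in both would be cheap. The reasoning added here, that a port below 1024 would force the broker to run as root, is a useful addition and worth keeping.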