HeimgardTechnologiesAS / homecontrol-mqtt

Software to enable you to make your own IoT devices and connect them to Home Control AS powered smart home systems.
https://www.homecontrol.no
MIT License

mqtt-lib: encryption #30

Closed sekyHC closed 6 years ago

sekyHC commented 6 years ago

We need to find a way to encrypt this communication. Both the mosquitto broker and the ESP support SSL, but we need to find something that can also work on Arduino Uno and Mega with Ethernet shields. If not for the W5100, then at least for the W5500.

sekyHC commented 6 years ago

http://ardiri.com/blog/utls_defining_lightweight_security_for_iot_part_8
http://riotsecure.se/microTLS/

sekyHC commented 6 years ago

good reads:
http://www.steves-internet-guide.com/mosquitto-tls/
http://www.steves-internet-guide.com/ssl-certificates-explained/
https://mosquitto.org/man/mosquitto-conf-5.html
http://www.steves-internet-guide.com/mqtt-security-mechanisms/
https://crypto.stackexchange.com/questions/9089/how-does-https-key-get-shared

sekyHC commented 6 years ago

mosquitto conf:

allow_anonymous false
password_file /etc/mosquitto/conf.d/passwd
port 8883
psk_hint Hint
psk_file /etc/mosquitto/conf.d/psk
use_identity_as_username false
log_type all

psk:

ime:123abc

passwd:

hc_magic

test with:

mosquitto_sub -t test -p 8883 -u hc --pw magic --psk-identity ime --psk 123abc
mosquitto_pub -t test -m test -p 8883 -u hc --pw magic --psk-identity ime --psk 123ABC

sekyHC commented 6 years ago

https://github.com/esp8266/Arduino/blob/master/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino

sekyHC commented 6 years ago

for full SSL encryption all we need to do is change:

WiFiClient

to

WiFiClientSecure

and in mosquitto conf:

port 8883
use_username_as_clientid false
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt

and generate keys and certs as per: http://www.steves-internet-guide.com/mosquitto-tls/
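As an added example (not code from this repository or from the thread), this is what the WiFiClient to WiFiClientSecure swap looks like on the ESP8266 when the client also validates the broker's certificate against the same ca.crt, using the BearSSL trust-anchor API shown in the linked BearSSL_Validation sketch; PubSubClient is assumed as the MQTT library since the issue does not name one, the hc/magic user is reused from the earlier test commands, and the Wi-Fi, broker host and CA PEM values are placeholders.

```arduino
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>   // assumed MQTT client library
#include <time.h>

// Placeholders: replace with your own values.
const char* WIFI_SSID = "<wifi-ssid>";
const char* WIFI_PASS = "<wifi-password>";
const char* MQTT_HOST = "<broker-hostname-matching-server.crt>";
const uint16_t MQTT_PORT = 8883;   // TLS port from the mosquitto conf above
const char* MQTT_USER = "hc";      // user from the earlier mosquitto_sub test
const char* MQTT_PASS = "magic";

// PEM of the CA that signed server.crt (the cafile in the mosquitto conf).
static const char CA_PEM[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
<contents of ca.crt go here>
-----END CERTIFICATE-----
)EOF";

BearSSL::WiFiClientSecure tlsClient;
BearSSL::X509List trustAnchor(CA_PEM);
PubSubClient mqtt(tlsClient);

void setup() {
  Serial.begin(115200);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) delay(500);

  // BearSSL checks the certificate validity period, so the clock must be
  // set via NTP before the handshake or every connection is rejected.
  configTime(0, 0, "pool.ntp.org");
  while (time(nullptr) < 1500000000) delay(200);

  // Only a server cert chaining to our CA, with a hostname matching
  // MQTT_HOST, is accepted. Without this (or with setInsecure()) the
  // link is encrypted but any broker could impersonate ours.
  tlsClient.setTrustAnchors(&trustAnchor);
  mqtt.setServer(MQTT_HOST, MQTT_PORT);
}

void loop() {
  if (!mqtt.connected() && !mqtt.connect("esp-client", MQTT_USER, MQTT_PASS)) {
    // Tells a failed certificate check apart from a refused username/password.
    char err[80];
    tlsClient.getLastSSLError(err, sizeof(err));
    Serial.printf("connect failed: mqtt rc=%d, ssl=%s\n", mqtt.state(), err);
    delay(5000);
  }
  mqtt.loop();
}
```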