Open nwf opened 5 years ago
I think this requires some quality time with @timparenti; kgb.club.cc.cmu.edu requires upgrading from jessie to stretch and then liberal application of something like https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-9.
I have done a little bit of prototyping at home and have ensured that, at least in one instance, it will work to move the devices to SSL MQTT. They'll need the new firmware I've got, but that's all manageable.
Well, LE got deployed but I didn't make it ECC. I should probably redo that.
ETA: Certbot doesn't understand ECDSA keys yet (@#@&&@&#) and since the devices can tolerate the resulting RSA keys instead, let's just use those.
The next build of cmukgb/ctfws-timer-android will have SSL enabled by default and, currently, the "third" timer device does as well. I'm loathe to roll it out to all of them without another round of checking that it's all good.
Amusingly, TIL that mosquitto cannot seamlessly reload its TLS certificates. What a pile. Anyway, the upshot is that we should probably check that certs are up to date before the game actually happens. Some mechanism of testing and notifying the judges may be in order or at least a point added to the pre-flight checklist. It irritates the #@#*@&^#(@ out of me that nobody does TLS correctly.
@timparenti This may be of note to you for other deployments as well.
XREF eclipse/mosquitto#524
ETA: easy command-line testing:
openssl s_client -connect ctfws-mqtt.cmukgb.org:8883 </dev/null 2>/dev/null | openssl x509 -noout -dates
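A pre-flight check of the kind the comment above asks for, added here as an example and not code from this thread or repository: it connects to the broker, reports days until expiry, and compares the served certificate against the on-disk chain so a renewed-but-not-reloaded mosquitto is caught before game day. The broker hostname and port are the ones the thread tests; the certbot live path and the 14-day threshold are assumptions.

```python
"""Pre-flight TLS check for the MQTT broker (added example, stdlib only)."""
import hashlib
import socket
import ssl
import sys
import time

PEM_END = "-----END CERTIFICATE-----"


def days_left(not_after, now=None):
    """Days until an OpenSSL-style notAfter ('Mar  5 12:00:00 2024 GMT') expires."""
    expiry = ssl.cert_time_to_seconds(not_after)  # string is interpreted as UTC
    return (expiry - (time.time() if now is None else now)) / 86400


def pem_fingerprint(pem_chain):
    """SHA-256 over the DER of the first (leaf) certificate in a PEM chain."""
    leaf = pem_chain.strip().split(PEM_END)[0] + PEM_END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def served_cert(host, port=8883):
    """Fetch the broker's leaf cert (DER) and its notAfter, validating chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]


def preflight(host, live_chain, min_days=14):
    """Return a list of problems; an empty list means the broker looks ready."""
    der, not_after = served_cert(host)
    problems = []
    left = days_left(not_after)
    if left < min_days:
        problems.append(f"served cert expires in {left:.1f} days (threshold {min_days})")
    with open(live_chain) as fh:
        on_disk = pem_fingerprint(fh.read())
    if on_disk != hashlib.sha256(der).hexdigest():
        # mosquitto does not reload certs on renewal: a mismatch means it needs a restart
        problems.append("served cert differs from on-disk chain; restart mosquitto")
    return problems


if __name__ == "__main__":
    # Assumed defaults (hostname from the thread, certbot's usual live path); override via argv.
    host = sys.argv[1] if len(sys.argv) > 1 else "ctfws-mqtt.cmukgb.org"
    chain = sys.argv[2] if len(sys.argv) > 2 else f"/etc/letsencrypt/live/{host}/fullchain.pem"
    issues = preflight(host, chain)
    print("\n".join(issues) if issues else "OK: broker TLS looks good")
    sys.exit(1 if issues else 0)
```

Run it from a cron job or the judges' pre-flight checklist; a non-zero exit is the signal to renew or restart before the game.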
Not really an issue with this repository, per se, but it belongs somewhere and here seems like a good enough place.
We should do what the title says: deploy TLS for the MQTT broker, at least in parallel with unencrypted connectivity. Ideally, we'd be using ECC keys so that the crypto's light enough for the IoT devices to join in. Using LetsEncrypt and ACME is an easy way to do this on an automated basis, since the MQTT broker is also a web server.
There are at least two reasons to want to do this: