cmukgb / ctfws-timer-host

Server- and protocol-side CtFwS details; autonomic daemons for metadata

Deploy LetsEncrypt-backed ECC TLS for MQTT broker #1

Open nwf opened 5 years ago

nwf commented 5 years ago

Not really an issue with this repository, per se, but it belongs somewhere and here seems like a good enough place.

We should do what the title says: deploy TLS for the MQTT broker, at least in parallel with unencrypted connectivity. Ideally, we'd be using ECC keys so that the crypto's light enough for the IoT devices to join in. Using LetsEncrypt and ACME is an easy way to do this on an automated basis, since the MQTT broker is also a web server.

There are at least two reasons to want to do this:

nwf commented 5 years ago

I think this requires some quality time with @timparenti; kgb.club.cc.cmu.edu requires upgrading from jessie to stretch and then liberal application of something like https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-9 .

nwf commented 5 years ago

I have done a little bit of prototyping at home and have ensured that, at least in one instance, it will work to move the devices to SSL MQTT. They'll need the new firmware I've got, but that's all manageable.

nwf commented 5 years ago

Well, LE got deployed but I didn't make it ECC. I should probably redo that.

ETA: Certbot doesn't understand ECDSA keys yet (@#@&&@&#) and since the devices can tolerate the resulting RSA keys instead, let's just use those.

The next build of cmukgb/ctfws-timer-android will have SSL enabled by default and, currently, the "third" timer device does as well. I'm loathe to roll it out to all of them without another round of checking that it's all good.

nwf commented 4 years ago

Amusingly, TIL that mosquitto cannot seamlessly reload its TLS certificates. What a pile. Anyway, the upshot is that we should probably check that certs are up to date before the game actually happens. Some mechanism of testing and notifying the judges may be in order or at least a point added to the pre-flight checklist. It irritates the #@#*@&^#(@ out of me that nobody does TLS correctly.

@timparenti This may be of note to you for other deployments as well.

XREF eclipse/mosquitto#524

ETA: easy command-line testing:

openssl s_client -connect ctfws-mqtt.cmukgb.org:8883 </dev/null 2>/dev/null | openssl x509 -noout -dates
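Since mosquitto keeps serving the certificate it loaded at startup even after certbot has renewed the one on disk, the pre-flight check has to look at what the broker actually sends on the wire, not at the files. The following script is an added example, not code from this repository or from the thread above: it performs the same check as the openssl one-liner, validates the chain and hostname while doing so, and turns the days remaining into a verdict the pre-flight checklist can key on. The hostname, port and 14-day threshold are assumptions taken from the discussion.

```python
"""Pre-flight check: does the MQTT broker serve a cert that is still good for game day?

Added example (not part of ctfws-timer-host). Assumes the broker is reachable on
8883 and presents a certificate valid for the hostname we connect with.
"""
import socket
import ssl
import sys
import time
from typing import Optional

# Assumed values from the issue thread; adjust for other deployments.
BROKER_HOST = "ctfws-mqtt.cmukgb.org"
BROKER_PORT = 8883
# Mosquitto won't pick up a renewed cert without a restart, so warn well ahead of expiry.
WARN_DAYS = 14


def fetch_served_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """Return the certificate the broker presents on the wire (chain + hostname verified)."""
    ctx = ssl.create_default_context()  # default context verifies the chain and the SNI hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days from `now` (epoch seconds, default: current time) to the cert's notAfter; negative if expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses "Jan  5 09:34:43 2018 GMT"
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def classify(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """Map remaining lifetime to a checklist verdict."""
    if days_left < 0:
        return "EXPIRED"   # broker is serving a dead cert: restart mosquitto (or renew) before the game
    if days_left < warn_days:
        return "RENEW"     # renew now and restart the broker so the new cert is actually served
    return "OK"


def preflight(host: str = BROKER_HOST, port: int = BROKER_PORT) -> int:
    """Print the served cert's expiry and return a shell-style exit code (0 only when OK)."""
    cert = fetch_served_cert(host, port)
    days = days_until_expiry(cert)
    verdict = classify(days)
    print(f"{host}:{port} serves a cert expiring {cert['notAfter']} ({days:.1f} days left): {verdict}")
    return 0 if verdict == "OK" else 1


if __name__ == "__main__":
    sys.exit(preflight())
```

A non-zero exit makes it easy to wire into a cron job or the pre-flight checklist so the judges get notified, and because it checks the served certificate it also catches the "renewed on disk but mosquitto never restarted" case.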