How to run with TLS?

[gdhgdhgdh]

Hello :)

Thank you for this software - is there a way to connect to port 8883 and present a client-side TLS certificate when running VMQ load tests?

I can see that the connect state is linked to that record in vmq_commons : https://github.com/erlio/vmq_commons/blob/master/src/gen_emqtt.erl#L53-L75 and I see the ssl:socket as a type of sock but I don't get how I can bring a TLS client certificate into the mix :/

[ioolkos]

Hi @gdhgdhgdh! Thanks for asking. I basically still owe an answer to this... see https://github.com/erlio/vmq_mzbench/issues/5#issuecomment-279728820 Maybe this helps to get you started, but the main problem is how to load the client certs into the MZBench workers. (I could probably upload the prepared cert files for our test certs, if you're interested)

[gdhgdhgdh]

Thank you :) Ahh I did read through many Github issues and didn't see that one ....

Yes please if you could upload the test certs, then hopefully there will be a clue in there as to how I can reformat our own certs. I knew the transport was the key, but had no idea how to specify the multiple cert files....

[Stasik0]

@ioolkos @gdhgdhgdh anyone got luck with tls? I try to connect to hivemq without certificates atm, so setting transport=t(ssl, [t(verify, "verify_none")]) but no connection is possible...

[gdhgdhgdh]

I haven't used vernemq or the vmq_mzbench since mid 2017, but here's what scrappy info I kept...

The `.erl` files for TLS keys can be created using something like this inside the `erl` shell:

{ok, File} = file:read_file('/path/to/admin.crt').
rp(public_key:pem_decode(File)).

You should end up with output like this that you can put into a .erl file:

<<48,130,3,57,48,130,2,33,160,3,2,1,2,2,1,
                  4,48,13,6,9,42,134,72,134,247,13,1,1,11,
                  5,0,48,22,49,20,48,18,6,3,85,4,3,12,11,
                  69,97,115,121,45,82,83,65,32,67,65,48,
[.........]

or

{'RSAPrivateKey',<<48,130,4,165,2,1,0,2,130,1,1,0,218,
                    163,26,215,182,245,155,59,173,61,26,
                    34,47,249,29,102,117,131,149,0,79,207,
                    252,52,74,161,89,63,116,32,254,80,98,
                    105,31,58,104,89,171,45,129,226,110,

and then use a bench descrption like:

#!benchDL

make_install(git = "https://github.com/gdhgdhgdh/vmq_mzbench.git", branch = "refs/heads/master")

include_resource(cacertsfile1, "ca.erl", erlang)
include_resource(certfile1, "admin.erl", erlang)
include_resource(keyfile1, "admin-priv.erl", erlang)

pool(size = 1,
     worker_type = mqtt_worker):

            connect([t(host, "xxxxxxxxxxxxxxxx.eu-west-2.elb.amazonaws.com"),
                    t(port,8883),
                    t(client,"subscriber1"),
                    t(clean_session,true),
                    t(keepalive_interval,60),
                    t(proto_version,4), t(reconnect_timeout,4),
                    t(transport,
                      t(ssl, [
                        t(reuse_sessions, false),
                        t(cacerts, resource(cacertsfile1)),
                        t(cert,resource(certfile1)),
                        t(key, resource(keyfile1))]
                      ))
                    ])
            wait(1 sec)
            subscribe("loadtest/clients/#", 1)

Hope that helps!

[Stasik0]

@gdhgdhgdh public_key:pem_decode(File). gives me just "[], hmmm...

[Stasik0]

@gdhgdhgdh

i got it somehow running just by including vertificates from gist (also allows to use web-based ui)

include_resource(cacertsfile, "https://gist.githubusercontent.com/ioolkos/1e6e0107b961caf910a0deb61a7e4a23/raw/041e3c747d75880d0811409c0955ee3f1bfc0784/erlang_ca.erl", erlang) include_resource(certfile, "https://gist.githubusercontent.com/ioolkos/1e6e0107b961caf910a0deb61a7e4a23/raw/041e3c747d75880d0811409c0955ee3f1bfc0784/erlang_client_cert.erl", erlang) include_resource(keyfile, "https://gist.githubusercontent.com/ioolkos/1e6e0107b961caf910a0deb61a7e4a23/raw/041e3c747d75880d0811409c0955ee3f1bfc0784/erlang_client_key.erl", erlang