Question

I have a Raspberry Pi 3 with Raspbian Stretch as its operating system. I have installed and fully configured an MQTT broker on the Raspberry Pi following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04

Everything works fine and well on the broker's side. The certificates get renewed after 60 days, and you can only connect to port 1883 via localhost; the other ports (8883 and 8083) are open but can only be accessed using TLS version 1.2, and the latter also only using websockets. Below you can find my mosquitto configuration (/etc/mosquitto/conf.d/default.conf).
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883 localhost
listener 8883
certfile /etc/letsencrypt/live/home.kamidesigns.be/cert.pem
cafile /etc/letsencrypt/live/home.kamidesigns.be/chain.pem
keyfile /etc/letsencrypt/live/home.kamidesigns.be/privkey.pem
tls_version tlsv1.2
listener 8083
protocol websockets
certfile /etc/letsencrypt/live/home.kamidesigns.be/cert.pem
cafile /etc/letsencrypt/live/home.kamidesigns.be/chain.pem
keyfile /etc/letsencrypt/live/home.kamidesigns.be/privkey.pem
tls_version tlsv1.2
I also bought an ESP8266 Wemos D1 Mini to connect to this broker in a secure way. I used the pubsubclient library from this link: https://github.com/knolleary/pubsubclient for my MQTT client. I use the master branch of this link: https://github.com/esp8266/Arduino for my secure SSL connection. Below you see the code I used for programming my Wemos D1 Mini.
#include <ESP8266WiFi.h>
#include <PubSubClient.h>
#include <time.h>

// Called by PubSubClient for every message received on a subscribed topic.
void callback(char* topic, byte* payload, unsigned int length) {
  Serial.print("Message arrived [");
  Serial.print(topic);
  Serial.print("] ");
  for (unsigned int i = 0; i < length; i++) {
    Serial.print((char)payload[i]);
  }
  Serial.println();
}

const char* ssid = "ssid";
const char* password = "wifipassword";
const char* host = "home.kamidesigns.be";
const int port = 8883;

WiFiClientSecure espClient;
PubSubClient client(host, port, callback, espClient);
long lastMsg = 0;
char msg[50];
int value = 0;

void setup() {
  Serial.begin(115200);
  Serial.println();
  Serial.print("connecting to ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());

  // Synchronize time using SNTP. This is necessary to verify that
  // the TLS certificates offered by the server are currently valid.
  Serial.print("Setting time using SNTP");
  configTime(8 * 3600, 0, "pool.ntp.org", "time.nist.gov");
  time_t now = time(nullptr);
  while (now < 1000) {
    delay(500);
    Serial.print(".");
    now = time(nullptr);
  }
  Serial.println("");
  struct tm timeinfo;
  gmtime_r(&now, &timeinfo);
  Serial.print("Current time: ");
  Serial.print(asctime(&timeinfo));
}

void reconnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");
    // Attempt to connect
    if (client.connect("ESP8266LightController", "username", "password")) {
      Serial.println("connected");
      // Once connected, publish an announcement...
      client.publish("outTopic", "hello world");
      // ... and resubscribe
      client.subscribe("inTopic");
    } else {
      Serial.print("failed, rc=");
      Serial.print(client.state());
      Serial.println(" try again in 5 seconds");
      // Wait 5 seconds before retrying
      delay(5000);
    }
  }
}

// Every Arduino sketch needs a loop(); this is the standard pubsubclient
// pattern: re-establish the connection if needed and service incoming messages.
void loop() {
  if (!client.connected()) {
    reconnect();
  }
  client.loop();
}
When I start my Wemos D1, the serial monitor says:

connecting to ssid..
WiFi connected
IP address: 
192.168.0.213
Setting time using SNTP.
Current time: Sat Oct 14 02:26:25 2017
Attempting MQTT connection...connected

This is good and it is exactly what I wanted, but I'm confused by how my Wemos D1 is able to connect to port 8883 without verifying the certificate chain of the server. Remember that I never uploaded a certificate to the Wemos D1 or implemented a certificate in the code, and still it can connect.
Recommended answer

One of two options:
- WiFiClientSecure includes a list of public CA certificates and is validating your certificate against that list
- By default, WiFiClientSecure does not verify the remote certificate.
Looking at this issue it looks like option 2 is most likely as it implies you have to verify the cert yourself after the connection.
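For readers who want the second option closed off, here is the same sketch with server certificate verification actually enabled. This is an added example, not code from the question, the pubsubclient library or the esp8266/Arduino project. It assumes the current esp8266/Arduino core, where WiFiClientSecure is the BearSSL implementation (the 2017 axTLS version the question used had a different API: `verify(fingerprint, host)` and `setCACert()`), and it assumes the broker's root CA PEM is pasted into the `rootCA` placeholder. The Wi-Fi, broker and MQTT credentials are the placeholders from the question.

```arduino
// Added example: MQTT over TLS on an ESP8266 with the broker certificate
// verified against a pinned root CA. Assumes the BearSSL-based
// WiFiClientSecure of the current esp8266/Arduino core.
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>
#include <time.h>

const char* ssid     = "ssid";
const char* password = "wifipassword";
const char* host     = "home.kamidesigns.be";   // broker name from the question
const int   port     = 8883;

// Placeholder: paste the PEM of the root CA that issued the broker's
// Let's Encrypt chain here (it is the last certificate in chain.pem's
// issuer path). Pinning the root rather than the leaf survives the
// 60-day renewals the question mentions.
static const char rootCA[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
<ROOT CA PEM GOES HERE>
-----END CERTIFICATE-----
)EOF";

BearSSL::X509List        trustAnchors(rootCA);
BearSSL::WiFiClientSecure espClient;
PubSubClient             client(espClient);

void callback(char* topic, byte* payload, unsigned int length) {
  Serial.printf("Message arrived [%s] ", topic);
  Serial.write(payload, length);
  Serial.println();
}

// Certificate validity periods can only be checked once the clock is
// set; the ESP8266 boots at the 1970 epoch, so wait for SNTP first.
void syncTime() {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  time_t now = time(nullptr);
  while (now < 8 * 3600 * 2) {
    delay(500);
    now = time(nullptr);
  }
}

void setup() {
  Serial.begin(115200);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
  }
  syncTime();

  // Verification is the difference from the question's sketch: with a trust
  // anchor set, BearSSL validates the chain and the hostname during the
  // handshake and refuses the connection if either check fails.
  espClient.setTrustAnchors(&trustAnchors);
  // Do not call espClient.setInsecure(): it disables all checks, i.e. the
  // "option 2" behaviour the answer describes.

  client.setServer(host, port);
  client.setCallback(callback);
}

void reconnect() {
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");
    if (client.connect("ESP8266LightController", "username", "password")) {
      Serial.println("connected");
      client.subscribe("inTopic");
    } else {
      // A failed certificate check surfaces here: the TLS handshake is
      // aborted before MQTT CONNECT, so state() is MQTT_CONNECT_FAILED (-2)
      // and getLastSSLError() explains which BearSSL check rejected it.
      char err[100];
      espClient.getLastSSLError(err, sizeof(err));
      Serial.printf("failed, rc=%d, ssl=%s; retry in 5 s\n", client.state(), err);
      delay(5000);
    }
  }
}

void loop() {
  if (!client.connected()) {
    reconnect();
  }
  client.loop();
}
```

If RAM is tight, `espClient.setFingerprint("AA:BB:...")` (SHA-1 of the leaf certificate) is the lighter alternative, but it has to be updated every time the Let's Encrypt certificate is renewed, so for a broker whose certificate rotates every 60 days the root trust anchor above is the more maintainable choice.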