MQTT Security & ACLIn-Depth for Mosquitto

Eric HankinsonSoftware/Embedded/DevOps

#AboutEric• Member of LeanDog’s Design & Delivery Studio• 18 years in IT - Sys Admin, Programming & Embedded• XP in Automotive, Banking, Finance, E-Learning, and

many others industries• Spare time learning is Electrical & Mechanical

Engineering. Why? Robots!• Twitter: @kumichou Blog: erichankinson.com

The Thing

The Problem Domain• Give students experience building an IoT

“device” with Mobile, Web & Infrastructure too!• Authenticate Users & Devices• Authorize Topic Pub/Sub from Users &

Devices• Single source of truth for user accounts

The Parts…• Web App• Mobile App• Lampi device• Multiple Mosquitto Brokers• Multiple MQTT Client Services

Django Web App• Host web interface for controlling devices• Manage authentication & authorization of

Users and Devices

Mosquitto MQTT Brokers• Brokers in both the Cloud & on each

device• Cloud broker has the CRL• Cloud broker serves up MQTT traffic over

Web Sockets• Device broker manages multi-client traffic

mosquitto auth plug• Provides a multi-provider backed way to

provide Authentication & Authorization of MQTT messaging

Auth Calls from Mosquitto• REST calls from Mosquitto Auth Plug have

to be answered with HTTP Response Code of 200 or 403

#lolwhut

Bridging the Brokers

Using TLS for Authentication• Using internal CA to generate Certs for

each broker• Must have common Root CA• Cert must not appear in CRL• Configuration can be confusing the first

time…

TLS Endpoint on the Cloud

Lampi Broker Connection• Now Lampi needs to be able to Authenticate

itself via TLS certificate chain• Mosquitto checks you at the door, no valid TLS

cert, no entry!• Used the MAC Address of Lampi as the

Common Name in the TLS Cert. Helpful later• OpenSSL errors are so not helpful…

Lampi TLS Bridge to Cloud

Configuring the Auth plug

Django App Routing• Some routes were configured to only

answer on loopback device• This could be done in Nginx (web server)

or via Python code

Auth plug Configuration

What about Web Sockets?

Mosquitto Web Sockets

Why Reuse the Mosquitto Cert?• It was for convenience• LetsEncrypt wasn’t ready yet• Use the same TLS Cert for Nginx Web

proxy with Web Sockets configuration

Web Sockets Authentication• We needed a simple way to identify a

Django user through the Mosquito connection

• Settled on using the Django Auth Token UUID as the username for the Auth & Pub/Sub calls

Auth Calls from Mosquitto• REST calls from Mosquitto Auth Plug have

to be answered with HTTP Response Code of 200 or 403

Django Auth Responses• Leveraged model of User to Device to

determine if a User had specific access to Pub/Sub specific topics for their devices only

• Mosquitto only does ACL check(s) when a message is published, not on initial client connection!

Just scratching the surface!

Debugging Headache

ERIC HANKINSON@kumichou erichankinson.com leandog.com