
Let me first explain what I am trying to achieve and then I'll get into the details of the things I have tried already.

So, we have a VM that is on our premises and another VM that is on a customer's premises. Access to these VMs is only available to certain IP addresses. So, we could say that they are secure enough for our use-case.

Data from the customer's environment flows through and into our VM through a mosquitto broker that is set up in both these environments. This is done with the help of broker bridging, which works fine. However, since this bridge is over the internet, we want to ensure that the data is encrypted and that no one could intercept it over the internet and use this data in a malicious manner.

To achieve this we are making use of SSL broker encryption. The first method I tried is the PSK encryption method.

Here is the broker config at the customer environment.

listener 8883
connection bridgetest
address 147.1.20.1:8883
bridge_identity bridge1
bridge_psk 123456789
topic # both

And here is the broker config at our environment.

listener 8883 
psk_hint SAAS Deployments
psk_file c:\DemoCompany\psk_file.txt

The contents of the psk_file.txt are very simple and the same as the bridge_identity and the bridge_psk provided in the config of the customer environment.

The problem I am facing here is that even though I change the bridge_identity or the bridge_psk at customer's environment to something that is not in the psk_file.txt, I am still able to connect the 2 brokers over the bridge. My understanding of this was that if I change the bridge_psk to some random hex code, the connection should get rejected. But that doesn't seem to happen. Am I doing something wrong or missing something over here?

Starlord

1 Answer


The following config files work for me with the v2.0.9 builds shipped from the mosquitto PPA on Ubuntu.

Client broker:

listener 1889

connection bridge
address 127.0.0.1:1890
bridge_identity bridge1
bridge_psk 123456789987654321
topic # both 0

Bridge broker:

listener 1890
psk_hint my test bridge
psk_file /temp/psk/psk_file.txt
use_identity_as_username true

The use_identity_as_username option is required, as from Mosquitto v2 onward allow_anonymous defaults to false.

hardillb
  • Thank you for your response. I will try this out and update over here soon. – Starlord Mar 27 '21 at 16:23
  • Also, my configuration is a mosquitto broker version 3.1.1 on Windows 10 – Starlord Mar 27 '21 at 16:24
  • Your version number is wrong, 3.1.1 is the MQTT protocol spec version. v2.0.9 is the latest available version from eclipse.org – hardillb Mar 27 '21 at 16:35
  • Yes. This worked for me. For some reason, getting this to work on port 8883 still seems to be very troublesome. But on port 1890, it worked like a charm. – Starlord Mar 27 '21 at 16:36
  • Hi. I have another doubt. If I add more users to the psk_file.txt on my broker (server), how do I reload this file without having to restart my mosquitto broker? My main aim is to avoid disrupting all the already connected broker bridges. – Starlord Mar 27 '21 at 16:43
  • That is covered in the mosquitto.conf man page (and would be a totally different question) – hardillb Mar 27 '21 at 16:49
  • Okay. Thank you. – Starlord Mar 27 '21 at 16:54
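The two things the thread turns on are whether the bridge's identity and PSK actually match an entry in the server's psk_file, and whether the v2 listener is missing use_identity_as_username. The checks below are an added example, not code from the thread or from Mosquitto itself; they assume the documented `identity:hexkey` psk_file line format and a plain `key value` listener config, and the sample data is constructed.

```python
# Added example (not from the thread): sanity checks for a Mosquitto TLS-PSK bridge.
# Assumptions: psk_file lines are the documented "identity:hexkey" form and the
# listener config is a plain "key value" file; sample data below is constructed.
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def load_psk_file(text):
    """Parse psk_file contents into {identity: lowercase hex key}; report bad lines."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no credentials
        identity, sep, key = line.partition(":")
        if not sep or not identity:
            problems.append(f"line {lineno}: expected identity:hexkey")
        elif not HEX_RE.match(key) or len(key) % 2:
            # the key must decode to bytes, so it has to be even-length hex
            problems.append(f"line {lineno}: key for {identity!r} is not even-length hex")
        else:
            entries[identity] = key.lower()
    return entries, problems


def bridge_would_authenticate(entries, bridge_identity, bridge_psk):
    """True only if the bridge's identity is listed AND its PSK matches exactly."""
    return entries.get(bridge_identity) == bridge_psk.lower()


def lint_listener_config(config_text):
    """Flag the v2 pitfall from the answer: psk_file without use_identity_as_username."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    if "psk_file" in opts and opts.get("use_identity_as_username") != "true":
        return ["psk_file set without 'use_identity_as_username true': Mosquitto 2.x "
                "(allow_anonymous false by default) would reject the bridge as anonymous"]
    return []


# Constructed sample data mirroring the thread's configs (not real deployments).
SAMPLE_PSK_FILE = "bridge1:123456789987654321\n# comment\nbad:12345\n"
SAMPLE_LISTENER = "listener 1890\npsk_hint my test bridge\npsk_file /temp/psk/psk_file.txt\n"
```

Run `load_psk_file` on the server's psk_file and `bridge_would_authenticate` with the client side's bridge_identity and bridge_psk: a False result means the server has no matching credential, so a successful bridge connection indicates the PSK listener is not the one being used.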