SSL / TLS Implementation
Is there any update on the SSL / TLS implementation?
I work on this project on and off, mainly in my spare time. It should be an easy enough addition, which is why I prioritized more inner-logic features. Anyway, PRs are welcome.
Can you give some idea of how to add the SSL/TLS functionality?
I suppose the easiest way is to incrementally add it by using the openssl/ssl.h library:
- add entries for certs in the configuration, possibly specifying the path in the config file as well
- write two read/write functions which use an SSL structure and SSL_write/SSL_read
- on the server side, after checking if the conf requires encrypted communication, set up the SSL context, load the certificates and use the ssl read/write functions
Something similar to what I did in https://github.com/codepr/vessel/blob/master/src/networking.c, a PoC repository that I created some time ago.
- add entries for certs in the configuration, possibly specifying the path in the config file as well -> for this I have added two entries in the config file:
  Check whether connection is over SSL - [If Yes then Set 1; If No then Set 0]
  SSL 0
  Certificate File Path
  filepath /home/user/Desktop/rootCA.crt
  and added entries in struct config {} to read these two entries from the config file
- write two read/write functions which use an SSL structure and SSL_write/SSL_read -> added ssl_send, ssl_recv, load_certificates, create_ssl_context, openssl_cleanup, openssl_init in my network.c file
- on the server side, after checking if the conf requires encrypted communication, set up the SSL context, load the certificates and use the ssl read/write functions -> for this, do I have to add it in the accept_loop function of server.c? Can you show where to add the above functions?
You can see some rough work I started in ab112b76bbdd6f6b7a6a90372fea50d4d736c823. Just some simple changes on the reception parts of the server module, and on accept of course.
- Check for encryption required
- Accept using SSL_new on the connecting client if encryption ON
- Use ssl_recv/ssl_send if encryption ON
I have created certificates for my broker using the openssl command below:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
and mentioned the lines below in the conf file:
certfile /home/parth/Desktop/certificate.pem
keyfile /home/parth/Desktop/key.pem
but while connecting from the MQTT client it shows "Dropping client" on the server side. Not able to connect.
I am getting a connected message for my client ID, but the client continuously shows a connection error:
1575029534 i New client connected as 814e1a4f-4885-42bb-a4bb-181890d1267d1575030492087 (c0, k10)
1575029534 # Sending CONNACK to 814e1a4f-4885-42bb-a4bb-181890d1267d1575030492087 (0, 0)
SSL_get_error(client->ssl, r) returns error 2, which I think means an error with the certificates.
I'm facing the same issue. Were you able to resolve it?
I start the server with ssl=true and port=8883 and it gives the following error...
1995538976:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:288:fopen('','r')
1995538976:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
1995538976:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../ssl/ssl_rsa.c:390:
For this you have to add two entries in the .conf file as below:
certfile ~/pathofcertificate/certificate.pem
keyfile ~/pathofcertificatekey/key.pem
I am trying but with no success; if you resolve it, do let me know your solution.
I added the certs in the config file and I am still getting the same error, such as...
1995727392:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:288:fopen('~/home/pi/certificate.pem','r')
1995727392:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
1995727392:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:../ssl/ssl_rsa.c:390:
Is the certificate.pem file present at location /home/pi? Change from ~/home/pi/certificate.pem to /home/pi/certificate.pem.
Now I am getting this permission error, as follows...
1995821600:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:288:fopen('/home/pi/key.pem','r')
1995821600:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
1995821600:error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib:../ssl/ssl_rsa.c:540:
Try running it with sudo rights.
Thank you for your help. Now the server starts without any error, but nothing is listening on that port. I start the server, but nothing listens on that port:
pi@raspberrypi:~ $ sudo lsof -n -P -i | grep LISTEN
sshd 444 root 3u IPv4 14433 0t0 TCP *:22 (LISTEN)
sshd 444 root 4u IPv6 14435 0t0 TCP *:22 (LISTEN)
exim4 748 Debian-exim 3u IPv4 15519 0t0 TCP 127.0.0.1:25 (LISTEN)
exim4 748 Debian-exim 4u IPv6 15520 0t0 TCP [::1]:25 (LISTEN)
I tried running the same command, sudo lsof -n -P -i | grep LISTEN, and I can see my broker executable listening on the port number mentioned in the conf file. Make sure the port number is not conflicting.
Which command do you use to start the broker?
./sol -c /home/user/Desktop/mqttbroker/sol-master/conf/sol.conf
I am using the same command; still nothing is listening on the port.
Any error after running the command? Can you show me the conf file?
Here I attach my config file: config.txt
Have you put the same configuration in the conf folder's sol.conf file? After running ./sol -c /home/user/Desktop/mqttbroker/sol-master/conf/sol.conf it loads the parameters from that configuration file.
No, it does not load the configuration parameters. When I start the server it looks like this...
1575098767 i Sol v0.7.1 is starting
1575098767 i Network settings:
1575098767 i Socket family: Unix
1575098767 i Unix socket: /tmp/sol.sock
1575098767 i Max request size: 50Mb
1575098767 i Logging:
1575098767 i level: DEBUG
1575098767 i logpath: /tmp/sol.log
1575098767 i Max memory: 2Gb
1575098767 i Server start
Can you share your sol.conf file with me?
"Socket family: Unix" is the option in the default .conf file. Go to the conf folder, where you will see the sol.conf file, and edit it as per your requirements.
For my reference, can you share your config file?
ip_address 192.168.1.15
ip_port 8884
log_level DEBUG
log_path /home/user/Desktop/mqttbroker/MiMqtt.log
max_memory 2GB
max_request_size 50MB
tcp_backlog 128
stats_publish_interval 10s
certfile /home/user/Desktop/rootCACert.pem
keyfile /home/user/Desktop/rootCAKey.pem
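The three OpenSSL errors earlier in this thread (fopen('','r') when the certfile entry was absent, fopen('~/home/pi/certificate.pem','r') because fopen() never expands ~ the way a shell does, and Permission denied on key.pem) can all be caught before the broker is started. The block below is an added example, not sol's code: it reads certfile/keyfile from a config in the format shown above and checks each path exactly the way SSL_CTX_use_certificate_file()/SSL_CTX_use_PrivateKey_file() will see it, from the uid the broker runs as. It also flags a private key readable by group or others, because the safer fix for "Permission denied" on a key is to hand the key to the broker's user (chown, mode 0600) rather than run the broker as root. Plain POSIX C, no OpenSSL needed; all names (check_pem, conf_lookup, check_tls_conf, write_sample_pem) are hypothetical, and write_sample_pem only writes constructed PEM-looking files for the demonstration.

```c
/* Added example (not sol's code): pre-start check of the certfile/keyfile
 * entries of a sol.conf-style config. Paths are looked at literally, the
 * way OpenSSL's fopen() will see them: no "~" expansion, current uid. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum pem_problem {
    PEM_OK = 0,
    PEM_TILDE = 1,        /* path starts with '~': fopen() never expands it */
    PEM_MISSING = 2,      /* ENOENT, or the config entry itself is absent */
    PEM_UNREADABLE = 4,   /* EACCES for the uid the broker runs as */
    PEM_WRONG_TYPE = 8,   /* first line is not the expected PEM marker */
    PEM_KEY_TOO_OPEN = 16 /* private key readable by group or others */
};

/* Check one PEM path; is_key additionally demands owner-only permissions.
 * Returns an OR of pem_problem flags, PEM_OK when everything is fine. */
int check_pem(const char *path, int is_key)
{
    int flags = PEM_OK;
    struct stat st;
    if (path[0] == '~') flags |= PEM_TILDE;
    if (stat(path, &st) != 0) return flags | PEM_MISSING;
    if (access(path, R_OK) != 0) return flags | PEM_UNREADABLE;
    if (is_key && (st.st_mode & (S_IRWXG | S_IRWXO))) flags |= PEM_KEY_TOO_OPEN;
    FILE *fp = fopen(path, "r");
    if (!fp) return flags | PEM_UNREADABLE;
    char line[96] = "";
    if (!fgets(line, sizeof line, fp)) line[0] = '\0';
    fclose(fp);
    /* "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----" and
     * "-----BEGIN EC PRIVATE KEY-----" all carry the same tail. */
    const char *marker = is_key ? "PRIVATE KEY-----" : "-----BEGIN CERTIFICATE-----";
    if (strncmp(line, "-----BEGIN ", 11) != 0 || !strstr(line, marker))
        flags |= PEM_WRONG_TYPE;
    return flags;
}

/* Fetch the value of `key` from "key value" lines; returns 1 if found. */
int conf_lookup(const char *conf, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = conf;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == ' ') {
            size_t vlen = len - klen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = eol ? eol + 1 : p + len;
    }
    return 0;
}

/* Run both checks on a config buffer. Returns 1 when the broker could start
 * with TLS; *cert_flags/*key_flags carry the details for each file. */
int check_tls_conf(const char *conf, int *cert_flags, int *key_flags)
{
    char path[4096];
    *cert_flags = conf_lookup(conf, "certfile", path, sizeof path) ? check_pem(path, 0) : PEM_MISSING;
    *key_flags  = conf_lookup(conf, "keyfile",  path, sizeof path) ? check_pem(path, 1) : PEM_MISSING;
    return *cert_flags == PEM_OK && *key_flags == PEM_OK;
}

/* Demo helper: write a constructed PEM-looking file (not a real cert or
 * key) with an exact mode, independent of the umask. */
int write_sample_pem(const char *path, const char *first_line, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return 0;
    if (fchmod(fd, mode) != 0) { close(fd); return 0; }
    dprintf(fd, "%s\nMIIB-constructed-placeholder-not-real-key-material\n-----END-----\n", first_line);
    close(fd);
    return 1;
}
```

A PEM_TILDE | PEM_MISSING result is the `~/home/pi/...` case: rewrite the entry as an absolute path. PEM_UNREADABLE on the key is the Permission denied case: give the file to the user the broker runs as and set mode 0600, which also clears PEM_KEY_TOO_OPEN.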
Thank you. Now the server starts with the config parameters, but when I try to connect, the server prints the message "dropping client".
I am also in the same boat... Still trying to figure out what's wrong. If you find any solution, do let me know.