SSL/TLS connection #396

Closed
zhujieshan opened this issue Nov 15, 2017 · 18 comments

Comments

@zhujieshan

zhujieshan commented Nov 15, 2017

I have ca.crt, client.crt and client.key. How can I connect to MQTT?

```objc
// Session built with the long initializer; the security policy comes from the method below.
self.session = [[MQTTSession alloc] initWithClientId:@"clientid"
                                            userName:@"username"
                                            password:@"password"
                                           keepAlive:60
                                        cleanSession:YES
                                                will:NO
                                           willTopic:nil
                                             willMsg:nil
                                             willQoS:0
                                      willRetainFlag:NO
                                       protocolLevel:4
                                             runLoop:[NSRunLoop currentRunLoop]
                                             forMode:NSRunLoopCommonModes
                                      securityPolicy:[self customSecurityPolicy]
                                        certificates:nil];   // no client identity handed to the session
[self.session connectToHost:transport.host port:transport.port usingSSL:YES];

- (MQTTSSLSecurityPolicy *)customSecurityPolicy
{
    // The three PEM files from the question, read straight out of the app bundle.
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"ca" ofType:@"crt"];
    NSString *clientcerPath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"crt"];
    NSString *clientkeyPath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"key"];

    NSData *certData = [NSData dataWithContentsOfFile:cerPath];
    NSData *certData1 = [NSData dataWithContentsOfFile:clientcerPath];
    NSData *certData2 = [NSData dataWithContentsOfFile:clientkeyPath];

    MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeNone];

    securityPolicy.allowInvalidCertificates = YES;
    securityPolicy.validatesCertificateChain = YES;
    securityPolicy.validatesDomainName = NO;
    // CA certificate, client certificate and client private key are all placed in the pinned set.
    securityPolicy.pinnedCertificates = @[certData, certData1, certData2];
    return securityPolicy;
}
```

Is this right?

@willem4ever

willem4ever commented Nov 15, 2017

I have the below working for an asynchronous connect ...

```objc
session = [[MQTTSession alloc] init];
// CA certificates in DER format shipped in the bundle ("xxxxxx"/"yyyyyy" stand in for the real names).
NSString *ca1 = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"xxxxxx" ofType:@"der"];
NSString *ca2 = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"yyyyyy" ofType:@"der"];
MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeCertificate];
securityPolicy.pinnedCertificates = @[[NSData dataWithContentsOfFile:ca1], [NSData dataWithContentsOfFile:ca2]];
securityPolicy.allowInvalidCertificates = YES;   // accept certificates the system trust store rejects (e.g. self-signed)
securityPolicy.validatesDomainName = YES;
securityPolicy.validatesCertificateChain = NO;
//
MQTTSSLSecurityPolicyTransport *secureTransport = [[MQTTSSLSecurityPolicyTransport alloc] init];
secureTransport.port = (uint32_t)c.port;         // c: the poster's own connection-settings object
secureTransport.host = c.broker;
secureTransport.tls = (c.ssl) ? true : false;
secureTransport.securityPolicy = securityPolicy;
session.transport = secureTransport;
//
session.userName = c.username;
session.password = c.password;
session.delegate = self;

[session connect];
```

@zhujieshan
Author

zhujieshan commented Nov 16, 2017

```objc
MQTTSSLSecurityPolicyTransport *transport = [[MQTTSSLSecurityPolicyTransport alloc] init];
transport.host = d[@"host"];                     // d: dictionary holding the broker settings
transport.port = [d[@"port"] intValue];
transport.tls = YES;

// Both certificates converted to DER and bundled with the app.
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"ca" ofType:@"der"];
NSString *clientcerPath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"der"];

MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeCertificate];
// The client certificate is pinned next to the CA; no client key is supplied anywhere.
securityPolicy.pinnedCertificates = @[[NSData dataWithContentsOfFile:cerPath], [NSData dataWithContentsOfFile:clientcerPath]];
securityPolicy.allowInvalidCertificates = YES;
securityPolicy.validatesDomainName = YES;
securityPolicy.validatesCertificateChain = NO;
transport.securityPolicy = securityPolicy;

_session = [[MQTTSession alloc] init];
_session.transport = transport;
_session.delegate = self;
_session.userName = @"username";
_session.password = @"password";

[_session connect];
```

I converted the format of the certificate, and MQTT still can't connect. Are you using 'two-way certification'? Is a client key (client.key) not needed?

@zhujieshan
Author

zhujieshan commented Nov 16, 2017

```objc
NSString *ca1 = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"xxxxxx" ofType:@"der"];
NSString *ca2 = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"yyyyyy" ofType:@"der"];
```

What format were ca1 and ca2 in before conversion? p12?

@jcavar
Contributor

jcavar commented Nov 16, 2017

Can you please use code formatting? It makes the comments a lot easier to read.

@willem4ever

No, I do not use a client key; the format of the certificates is OpenSSL DER format. Have you checked that a valid path is returned? You can also try `securityPolicy.validatesDomainName = NO;`. Additionally, you can check the MQTT side of things by using openssl to connect to the MQTT broker.

@willem4ever

willem4ever commented Nov 16, 2017

OK, to use a client certificate you need to do a few more things:

```objc
// Client identity (certificate + private key) packaged as PKCS#12 in the bundle.
NSString *client = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"client" ofType:@"p12"];
```

Attach the client certificate (P12) to the security policy:

```objc
MQTTSSLSecurityPolicyTransport *secureTransport = [[MQTTSSLSecurityPolicyTransport alloc] init];
secureTransport.port = (uint32_t)c.port;          // c: the poster's own connection-settings object
secureTransport.host = c.broker;
secureTransport.tls = true;
secureTransport.securityPolicy = securityPolicy;  // the policy from the earlier snippet (pinned CA DER files)
// Identities extracted from the .p12 with its passphrase; presented to the broker during the handshake.
secureTransport.certificates = [MQTTSSLSecurityPolicyTransport clientCertsFromP12:client passphrase:@"password"];
session.transport = secureTransport;
```

Do not forget to add the certificates to your bundle...
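The two answers above settle on a concrete recipe: convert the CA certificate to DER for `pinnedCertificates`, package the client certificate and key as a passphrase-protected PKCS#12 for `clientCertsFromP12:passphrase:`, and use openssl to confirm the broker side before blaming the app. The script below is an added example, not code from this issue or from MQTT-Client-Framework. It assumes the file names from the question (ca.crt, client.crt, client.key) and the passphrase `password` used in the snippets; the function names and the throwaway CA/client pair it generates for the offline checks are the example's own.

```sh
#!/bin/sh
# Added example (not from the issue thread or the framework).
# Prepares ca.der and client.p12 from the PEM files named in the question and
# checks them with openssl before they go into the app bundle.
set -eu

# CA certificate: PEM -> DER, the form MQTTSSLSecurityPolicy.pinnedCertificates expects.
pem_to_der() {                      # $1 = ca.crt (PEM in), $2 = ca.der (DER out)
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Client certificate + private key -> PKCS#12 bundle protected by a passphrase.
make_p12() {                        # $1 = client.crt, $2 = client.key, $3 = out.p12, $4 = passphrase
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Offline checks: the DER parses, the p12 opens with that passphrase,
# and the client certificate actually chains to the CA being pinned.
check_files() {                     # $1 = ca.crt, $2 = ca.der, $3 = client.crt, $4 = client.p12, $5 = passphrase
    openssl x509 -inform DER -in "$2" -noout >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$4" -passin "pass:$5" -noout >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 || return 1
}

# Live check against the broker with the same material, independent of the iOS app.
# Succeeds only if the broker's chain verifies against ca.crt and the mutual-TLS
# handshake completes with the client identity.
check_broker() {                    # $1 = host, $2 = port, $3 = ca.crt, $4 = client.crt, $5 = client.key
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" -cert "$4" -key "$5" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Constructed fixture so the checks can be exercised offline: a throwaway
# self-signed CA and one client certificate it signs (names are assumptions).
make_fixture() {                    # $1 = directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example MQTT CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=clientid" \
        -keyout "$1/client.key" -out "$1/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" >/dev/null 2>&1
}

# Demo run on the constructed fixture; point the functions at your real files instead.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_fixture "$dir"
    pem_to_der "$dir/ca.crt" "$dir/ca.der"
    make_p12 "$dir/client.crt" "$dir/client.key" "$dir/client.p12" password
    check_files "$dir/ca.crt" "$dir/ca.der" "$dir/client.crt" "$dir/client.p12" password \
        && echo "ca.der and client.p12 ready in $dir"
fi
```

Run it with the single argument `demo` to see the whole path on generated material, then call `check_broker` with your real host and files; a `Verify return code` other than `0 (ok)` from `openssl s_client` means the problem is in the certificates or the broker configuration, not in the iOS code. Two caveats worth knowing: an `NSOSStatusErrorDomain` error `-9807` on the device is `errSSLXCertChainInvalid` (the server's chain did not validate), which is exactly what `check_files`/`check_broker` test for; and a `.p12` exported by OpenSSL 3 uses PBES2/AES by default, which older `SecPKCS12Import` implementations refuse, so if the import fails on the device re-export with OpenSSL's `-legacy` option. Keep the pinned set limited to the CA (or server) certificate in DER; the client identity belongs only in `transport.certificates`.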

@zhujieshan
Author

zhujieshan commented Nov 17, 2017

You really did me a great favor! This method is useful! Thanks!

```objc
// CA certificate in DER for pinning; client identity as PKCS#12 (resource named "certificate").
NSString *ca = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"ca" ofType:@"der"];
NSString *client = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"certificate" ofType:@"p12"];

MQTTSSLSecurityPolicyTransport *transport = [[MQTTSSLSecurityPolicyTransport alloc] init];
transport.certificates = [MQTTSSLSecurityPolicyTransport clientCertsFromP12:client passphrase:@"password"];

MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeCertificate];
securityPolicy.pinnedCertificates = @[[NSData dataWithContentsOfFile:ca]];
```

@cjw429672039

Hello, a question:
1. Is the certificate you use self-signed, or purchased from a trusted certificate authority?
2. Can only certificates issued by a trusted authority be used?

@willem4ever

> Hello, a question:
> 1. Is the certificate you use self-signed, or purchased from a trusted certificate authority?
> 2. Can only certificates issued by a trusted authority be used?

I'm using self-signed certificates ...

@zhujieshan
Author

I also use a self-signed certificate; the backend side took care of it.

@jcavar
Contributor

jcavar commented Jan 4, 2018

It seems like the issue here is resolved, but feel free to reopen if not.

@jcavar jcavar closed this as completed Jan 4, 2018
@MrLinTianbao

Excuse me, what's going on? `Error Domain=NSOSStatusErrorDomain Code=-9807 "(null)" UserInfo={_kCFStreamErrorCodeKey=-9807, _kCFStreamErrorDomainKey=3}`

@kuangzq

kuangzq commented Sep 12, 2018

> OK, to use a client certificate you need to do a few more things:
>
> ```objc
> NSString *client = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"client" ofType:@"p12"];
> ```
>
> Attach the client certificate (P12) to the security policy:
>
> ```objc
> MQTTSSLSecurityPolicyTransport *secureTransport = [[MQTTSSLSecurityPolicyTransport alloc] init];
> secureTransport.port = (uint32_t)c.port;
> secureTransport.host = c.broker;
> secureTransport.tls = true;
> secureTransport.securityPolicy = securityPolicy;
> secureTransport.certificates = [MQTTSSLSecurityPolicyTransport clientCertsFromP12:client passphrase:@"password"];
> session.transport = secureTransport;
> ```
>
> Do not forget to add the certificates to your bundle...

The framework crashed when connecting to the broker with a client certificate. My code is:

```objc
NSString *sHost = @"mqtt.myserver.com";
UInt32 port = 1883;

// Client identity as PKCS#12 from the bundle; the raw file bytes are also kept.
NSString *sClientP12Path = [[NSBundle bundleForClass:[self class]] pathForResource:@"client" ofType:@"p12"];
NSData *clientP12Data = [NSData dataWithContentsOfFile:sClientP12Path];

MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeCertificate];
// The raw PKCS#12 blob (the client identity) is used as the pinned set here, not a DER CA certificate.
securityPolicy.pinnedCertificates = @[clientP12Data];
securityPolicy.allowInvalidCertificates = YES;

MQTTSSLSecurityPolicyTransport *secureTransport = [[MQTTSSLSecurityPolicyTransport alloc] init];
secureTransport.port = port;
secureTransport.host = sHost;
secureTransport.tls = YES;
secureTransport.securityPolicy = securityPolicy;
// Identities extracted from the same .p12 file for client authentication.
secureTransport.certificates = [MQTTSSLSecurityPolicyTransport clientCertsFromP12:sClientP12Path passphrase:@"password"];

MQTTSession *session = [[MQTTSession alloc] initWithClientId:@"MQTTOverTLS"
                                                    userName:nil
                                                    password:nil
                                                   keepAlive:60
                                                cleanSession:YES
                                                        will:YES
                                                   willTopic:@"BYE"
                                                     willMsg:[@"Client off-line" dataUsingEncoding:NSUTF8StringEncoding]
                                                     willQoS:2
                                              willRetainFlag:YES
                                               protocolLevel:4
                                                     runLoop:[NSRunLoop currentRunLoop]
                                                     forMode:NSRunLoopCommonModes
                                              securityPolicy:securityPolicy
                                                certificates:@[clientP12Data]];   // raw .p12 bytes passed as the certificates array
session.transport = secureTransport;
[session connectWithConnectHandler:^(NSError *error) {
    if (error) {
        NSLog(@"error: %@", error.description);
    }
}];
```

It crashed here in the framework

[screenshot: crash location inside the framework, 2018-09-11]

Some debug information around the crash breakpoint

[screenshot: debugger state at the crash breakpoint, 2018-09-11]

[screenshot: further debugger output at the crash breakpoint, 2018-09-11]

The version of the framework (from Podfile.lock):

```yaml
  - MQTTClient (0.9.9):
    - MQTTClient/Core (= 0.9.9)
  - MQTTClient/Core (0.9.9):
    - MQTTClient/Manager
    - MQTTClient/Min
  - MQTTClient/Manager (0.9.9):
    - MQTTClient/Min
  - MQTTClient/Min (0.9.9)
```

Did I miss something or do something wrong? Asking for help. Any advice would be highly appreciated.

@marciogranzotto

> Did I miss something or do something wrong? Asking for help. Any advice would be highly appreciated.

Same thing for me. Did you manage to fix it? @kuangzq

@ZLDamo

ZLDamo commented Feb 27, 2020

> I also use a self-signed certificate; the backend side took care of it.

Hello, may I ask why you ended up using the `[NSBundle bundleForClass:[MQTTSession class]]` method rather than `[NSBundle mainBundle] pathForResource:`? Did you rename the certificates? Which two of ca.crt, client.cer and client.key do the two certificates you use correspond to?

@kuangzq

kuangzq commented Feb 27, 2020 via email

It has been quite a long time and I couldn't remember the details. But I think I must have tried pathForResource first, found it didn't work, and then tried something else.

@ZLDamo

ZLDamo commented Feb 28, 2020

> It has been quite a long time and I couldn't remember the details. But I think I must have tried pathForResource first, found it didn't work, and then tried something else.
> -- Zhengqian (John) Kuang

Where is your certificate? Is it in mainBundle or somewhere else?

@procjiang

Why do I get `[MQTTCFSocketTransport] Error while importing pkcs12`? Is there something wrong with the way I'm using it?

```objc
// CA certificate (DER) for pinning and the client identity (PKCS#12), both in the bundle.
NSString *ca = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"cacert" ofType:@"der"];
NSString *client = [[NSBundle bundleForClass:[MQTTSession class]] pathForResource:@"client" ofType:@"p12"];
MQTTSSLSecurityPolicyTransport *transport = [[MQTTSSLSecurityPolicyTransport alloc] init];
transport.host = host;
transport.port = port;
transport.tls = YES;
MQTTSSLSecurityPolicy *securityPolicy = [MQTTSSLSecurityPolicy policyWithPinningMode:MQTTSSLPinningModeCertificate];
securityPolicy.allowInvalidCertificates = YES;
securityPolicy.validatesDomainName = NO;
securityPolicy.validatesCertificateChain = NO;
securityPolicy.pinnedCertificates = @[[NSData dataWithContentsOfFile:ca]];
transport.securityPolicy = securityPolicy;   // transport is built but not handed to the session manager below
// MQTTSessionManager variant: policy and client certificates go straight into connectTo:...
[self.sessionManager connectTo:host
                          port:port
                           tls:YES
                     keepalive:60
                         clean:NO
                          auth:YES
                          user:[CYUserInfo shareUserInfo].uid
                          pass:[CYUserInfo shareUserInfo].access_token
                          will:YES
                     willTopic:@""
                       willMsg:nil
                       willQos:0
                willRetainFlag:NO
                  withClientId:clientId
                securityPolicy:securityPolicy
                  certificates:[MQTTSSLSecurityPolicyTransport clientCertsFromP12:client passphrase:@"password"]];
```

9 participants