
Feb 6, 2017 - 1 minute read - mqtt

mosquitto setup

Securely setting up a mosquitto server

/etc/mosquitto/mosquitto.conf

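# Run the broker as an unprivileged user. The private key referenced below
# must be readable by this user only (e.g. owned by mosquitto, mode 0600).
user mosquitto
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/

# Logging to both syslog and a dedicated log file. (The original file listed
# "log_dest syslog" / "log_type debug" twice; once is enough.)
# "debug" is very verbose and records connection details for every client;
# it is useful while bringing the server up, but consider a quieter level
# such as notice or warning once the broker is in production.
log_dest syslog
log_dest file /var/log/mosquitto/mosquitto.log
log_type debug
connection_messages true

# One TLS-only listener. No plaintext listener on 1883 is defined, so every
# client has to speak TLS to reach the broker.
listener 8883
# Every client must authenticate with a username/password from the password
# file. Create that file with mosquitto_passwd so the passwords are stored
# hashed rather than in the clear.
allow_anonymous false
password_file /etc/mosquitto/mqtt-access.conf
# Clients are authenticated by password only. Set this to true for mutual
# TLS, in which case clients must also present a certificate that validates
# against cafile.
require_certificate false

certfile /etc/mosquitto/security/example.com.pem
keyfile /etc/mosquitto/security/example.com.key
cafile /etc/mosquitto/security/capath.pem

# Restrict the protocol to TLS 1.2 (depending on the broker version this is
# either the only accepted version or the minimum), even though the known
# weaknesses of older protocols mostly affect browsers.
tls_version tlsv1.2
# Also limit the cipher suites: ECDHE/DHE only (forward secrecy), no RC4,
# 3DES or NULL suites. The *-SHA / *-SHA256 CBC suites are kept for older
# clients; drop them if every client supports AES-GCM. Keep the whole value
# on a single line -- do not rely on backslash line continuation here unless
# you have verified that your mosquitto version's config parser supports it.
ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256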

References: