Basic TLS question [message #1858407]
Sat, 01 April 2023 14:39
Andrew Lo  Messages: 2  Registered: April 2023
Junior Member
I have my mosquitto.conf file as follows:
```
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883
listener 8883 0.0.0.0
protocol mqtt
certfile /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.crt
cafile /usr/local/share/ca-certificates/lets-encrypt-r3.crt
keyfile /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.key
allow_anonymous false
```
I connect to example.com:8883 with MQTT Explorer, and the connection is successful. How do I know if my connection is actually encrypted?
In my mosquitto log, I see:
```
1680357916: New connection from 2.3.4.5:61585 on port 8883.
1680357917: New client connected from 2.3.4.5:61585 as mqtt-explorer-e65374de (p2, c1, k60, u'user').
```
From a higher-level standpoint, am I correct in how this works?
1. I obtained a server certificate and private key from Let's Encrypt via Caddy's TLS app.
2. Mosquitto uses those crt and key for TLS connections.
3. Both the server and client have the Let's Encrypt certificate authority installed and trusted.
4. Client initiates a TLS connection and the handshake is based on the server certificate and private key (all on the server side).
Client doesn't need anything aside from certificate authority trust?
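One way to answer the "is it actually encrypted" question from the client side, as an added example that is not part of the original post: a standard-library Python probe that performs a verified TLS handshake against the broker and reports the negotiated protocol version, cipher and certificate. HOST, PORT and CA_FILE are assumed values; the client supplies nothing but CA trust, which is the point of step 3 and the closing question above.

```python
# Added example (not from the original post), standard library only.
# HOST, PORT and CA_FILE are assumptions; replace with your own values.
import socket
import ssl

HOST = "example.com"  # assumed: broker hostname; must match the certificate
PORT = 8883           # assumed: the TLS listener from mosquitto.conf
CA_FILE = None        # assumed: None = system trust store, or a path such as
                      # "/usr/local/share/ca-certificates/lets-encrypt-r3.crt"

def mqtt_tls_context(cafile=None):
    """Client-side context: the client only needs to trust the issuing CA.

    Chain verification and hostname checking are on; the server's private
    key never leaves the server, as the post describes.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy versions
    return ctx

def summarize(cert, version, cipher):
    """Reduce getpeercert()/version()/cipher() output to a short report."""
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "tls_version": version,
        "cipher": cipher[0],
        "server_name": subject.get("commonName"),
        "issued_by": issuer.get("commonName"),
        "not_after": cert.get("notAfter"),
    }

def probe(host=HOST, port=PORT, cafile=CA_FILE, timeout=5.0):
    """Open a verified TLS connection to host:port and return the summary.

    Raises ssl.SSLCertVerificationError if the chain or hostname does not
    verify, and typically an ssl.SSLError if the port answers in cleartext.
    """
    ctx = mqtt_tls_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize(tls.getpeercert(), tls.version(), tls.cipher())

if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key:12} {value}")
```

Running it against port 1883 instead of 8883 fails the handshake, which is the quickest way to confirm that only the 8883 listener is wrapped in TLS. The same check from a shell is `openssl s_client -connect example.com:8883 -servername example.com`.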