
I am trying to implement a Node.js MQTT client with TLS using the package below:

https://www.npmjs.com/package/mqtt#client

The code for running the MQTT client without TLS is as follows:

var mqtt = require('mqtt')
var client  = mqtt.connect('mqtt://test.mosquitto.org')

client.on('connect', function () {
  client.subscribe('presence')
  client.publish('presence', 'Hello mqtt')
})

client.on('message', function (topic, message) {
  // message is Buffer 
  console.log(message.toString())
  client.end()
})

How should the above code be modified to use TLS on the MQTT client?

The mosca MQTT broker was run stand-alone using the command below:

mosca --key ./tls-key.pem --cert ./tls-cert.pem --http-port 3000 --http-bundle --http-static ./ | pino
guagay_wk

2 Answers

Should be enough to change the protocol part of the URL to mqtts://

mqtts://test.mosquitto.org.

Self-signed certificates

You can pass the following option to the connect function when using self-signed certificates (for testing purposes only):

mqtt.connect('mqtts://test.mosquitto.org', {
    rejectUnauthorized: false
});
notion
  • This won't work because the broker is using a self-signed certificate, so the client won't know to trust it. – hardillb Oct 13 '16 at 11:20
  • @user91579631 When using self-signed certificates, you can pass `rejectUnauthorized: false` as an option. Edit: I added the information to the answer. – notion Oct 13 '16 at 11:24
  • Seems there is no need for the client to know the cert and key used by the broker. Thanks. – guagay_wk Oct 13 '16 at 11:33
  • @user91579631 The client should know the certificate of whatever signed the broker's certificate (the same thing when self-signed), or there is no way to know if somebody else is impersonating it. – hardillb Oct 13 '16 at 13:15

You need to provide the mqtt.connect() function with an options object which includes the CA certificate to use to verify the connection.

The options object needs to include a ca key that points to the certificate used to sign the broker's certificate. As it looks like you're using a self-signed certificate, this will be the same one used by the broker.

The ca key is described here

Or you can allow any certificate with the rejectUnauthorized key as mentioned in @notion's answer. But that makes it impossible to detect if somebody is impersonating your broker.

hardillb