Mixing tls traffic and non-tls traffic....


  • Mixing tls traffic and non-tls traffic....

    I have a single mqtt node which requires tls. I have communication finally working with Mosquitto so both non-tls and tls subscribe actions (and Pub) work correctly. Looking at the homeseer interface, it appears I have one choice or another - not both....

    Any insight how I might make this work?


  • #2
    I have never used tls myself. Do you have one broker and two ports? Do you have different username/password on each? Once we figure out how it is supposed to work then I can make the updates to support it.


    • #3

      Yes, the later Mosquitto versions permit multiple ports and different authorization modes for each. I'm still playing with it; I'll post my config file when I have it all happy.... Bottom line is I bought a "cheap" wifi dimmer [Meross] and it is not tasmota compatible. There are some folks who have written some hacks to reflect it to a mqtt server (I have done this). It requires a signed ca certificate and ssl (all now working). My problem is the rest of my tasmota devices (and now zigbee) are not ssl compatible.

      So I think where I will end up (some success already) is a user/password protected non-ssl port 1883 access AND no user/password but CA only access with ssl on port 8883...



      • #4
        OK... here we go at documenting where I am at....

        Referencing the above post on why I need what is here...

        First as of this writing Mosquitto for the pi is at 1.14.10.... This does NOT support the all important 'per_listener_settings true'. So if you want to pursue this - you may have to get a more recent dev load. Current Mosquitto development is at 1.16.0, but there are no Pi builds I could find that high. I did get a 1.15.8 (this does support 'per_listener_settings true'). Here is how I got the development builds on the pi...

        To use the new repository you should first import the repository package signing key:
        sudo apt-key add mosquitto-repo.gpg.key
        Then make the repository available to apt:
        cd /etc/apt/sources.list.d/
        Then one of the following, depending on which version of debian you are using:
        sudo wget
        sudo wget
        sudo wget
        Then update apt information:
        sudo apt-get update
        And discover what mosquitto packages are available:
        sudo apt-cache search mosquitto
        Or just install or upgrade:
        sudo apt-get install mosquitto
        Finally install the Mosquitto Clients:
        sudo apt-get install mosquitto-clients

        With this loaded... and the right certificates installed, I have the following mosquitto.conf working...
        # Place your local configuration in /etc/mosquitto/conf.d/
        # A full description of the configuration file is at
        # /usr/share/doc/mosquitto/examples/mosquitto.conf.example

        pid_file /var/run/
        per_listener_settings true

        port 1883
        persistence true
        persistence_location /var/lib/mosquitto/
        allow_anonymous false
        password_file /etc/mosquitto/p1.txt
        #log_type debug
        connection_messages true

        log_dest file /var/log/mosquitto/mosquitto.log

        include_dir /etc/mosquitto/conf.d

        listener 8883
        #log_type debug
        cafile /etc/mosquitto/certs/m2mqtt_ca.crt
        certfile /etc/mosquitto/certs/m2mqtt_srv.crt
        keyfile /etc/mosquitto/certs/m2mqtt_srv.key
        require_certificate false
        allow_anonymous true
        tls_version tlsv1.1

        This connects with ssl to my dimmer (with no user/password) with only a proper ca certificate working..... I can subscribe to the dimmer with...
        mosquitto_sub -h -p 8883 -t "/appliance/1812144891717229088234298f196791/publish" --cafile /etc/mosquitto/certs/m2mqtt_ca.crt --tls-version tlsv1.1

        So - with all of this - I have mosquitto working. The packets from the device are pretty involved and I have not yet been successful in posting to it. [work in process].

        I'm not sure how you would make Homeseer handle multiple ports. It would seem like it would break a lot. If you created multiple instances, it would not be following the concept of multiple listeners on Mosquitto. In Mosquitto the multiple listeners are still connected to the same instance of the mqtt broker. You actually can launch multiple separate instances of Mosquitto but I did not go there....

        I think my current direction is to bridge this gap with Node-Red. I should be able to receive from the ssl then convert the message and repost it to a new non-ssl topic back to homeseer.

        So at the moment this is really just a FYI for anyone else who may be pushed in this direction....
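The mosquitto.conf above is the interesting part of this post from a security point of view: with `per_listener_settings true`, every option after a `listener` (or `port`) line belongs to that listener alone, so each port ends up with its own authentication story. The following script is an added example (not from the thread, not Mosquitto's own tooling) that parses a configuration in this style into per-listener blocks and flags the settings a defender would want to review. The sample configuration embedded in it is a constructed copy of the one posted above; the option names are real Mosquitto options, while the rule set and its wording are this script's own.

```python
"""Lint a Mosquitto configuration that uses per_listener_settings.

Added example. It splits a mosquitto.conf into per-listener blocks (options
before the first `port`/`listener` line and the options Mosquitto treats as
global go into a separate dict) and reports listener-level settings that
weaken authentication or transport security.
"""
from dataclasses import dataclass, field

# Constructed sample input: the configuration posted in the thread.
SAMPLE_CONF = """\
pid_file /var/run/
per_listener_settings true

port 1883
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
password_file /etc/mosquitto/p1.txt
#log_type debug
connection_messages true

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

listener 8883
#log_type debug
cafile /etc/mosquitto/certs/m2mqtt_ca.crt
certfile /etc/mosquitto/certs/m2mqtt_srv.crt
keyfile /etc/mosquitto/certs/m2mqtt_srv.key
require_certificate false
allow_anonymous true
tls_version tlsv1.1
"""

# Options that apply to the whole broker, not to one listener.
GLOBAL_OPTIONS = {
    "pid_file", "per_listener_settings", "persistence", "persistence_location",
    "log_dest", "log_type", "include_dir", "connection_messages",
}


@dataclass
class Listener:
    port: int
    settings: dict = field(default_factory=dict)


def parse_conf(text):
    """Return (global_settings, [Listener, ...]) for a mosquitto.conf text."""
    global_settings = {}
    listeners = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # Mosquitto only has full-line comments
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key in ("listener", "port"):
            # `listener 8883 0.0.0.0` carries an optional bind address; keep the port.
            current = Listener(port=int(value.split()[0]))
            listeners.append(current)
        elif key in GLOBAL_OPTIONS or current is None:
            global_settings[key] = value
        else:
            current.settings[key] = value
    return global_settings, listeners


def lint(listeners):
    """Return a list of (port, message) findings for each listener."""
    findings = []
    for lst in listeners:
        s = lst.settings
        has_tls = "certfile" in s and "keyfile" in s
        anonymous = s.get("allow_anonymous") == "true"
        client_cert = s.get("require_certificate") == "true"
        if anonymous and not client_cert:
            findings.append((lst.port, "no client authentication: allow_anonymous true "
                                       "and require_certificate false (cafile alone only "
                                       "lets clients verify the broker)"))
        if "password_file" in s and not has_tls:
            findings.append((lst.port, "password_file on a listener without certfile/"
                                       "keyfile: credentials cross the network in cleartext"))
        if has_tls and s.get("tls_version") in ("tlsv1", "tlsv1.1"):
            findings.append((lst.port, f"deprecated tls_version {s['tls_version']}; "
                                       "prefer tlsv1.2 or later"))
        if "allow_anonymous" not in s:
            findings.append((lst.port, "allow_anonymous not set explicitly; the default "
                                       "differs between Mosquitto versions"))
    return findings


if __name__ == "__main__":
    _, found = parse_conf(SAMPLE_CONF)
    for port, msg in lint(found):
        print(f"listener {port}: {msg}")
```

Run against the posted configuration, the script reports three findings: port 1883 sends its username/password in the clear, and port 8883 accepts anyone who can reach it (the CA file only lets the dimmer verify the broker's certificate, since `require_certificate false` means the broker never asks the dimmer for one) over a deprecated TLS version. Whether that is acceptable depends on what else is on that network segment, but it is worth knowing that the "CA only" listener is, from the broker's side, an anonymous one.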



        • #5
          Posting an update in case anyone runs into this in the future. The answer was in my explanation above - only I did not understand it fully as I wrote it. Even though Mosquitto has 2 different 'listener' ports with different authentication, it's the same instance. In other words, the clients on SSL can be pub/sub to from the non-SSL port.

          Therefore the request I made in the first post is unnecessary.