Skip to content
Kamil Baczkowicz edited this page Oct 9, 2016 · 1 revision

Overview

This section describes how TLS/SSL is supported by mqtt-spy (0.4.0) & mqtt-spy-daemon (0.2.0).

Key features

  • Support for 6 different modes of configuring TLS/SSL
    • Certificates & keys provided externally
    • CA certificate
    • CA trust store
    • CA certificate & client certificate/key
    • CA trust store & client key store
    • TLS/SSL properties
  • Support for various trust and key store types - JKS (default & .jks), JCEKS (.jceks), PKCS12 (.p12, .pfx) and BKS (.bks)
  • Support for trust/key store and key passwords
  • Comes with pre-configured CA certificates for iot.eclipse.org and test.mosquitto.org

Mode 1 - Certificates & keys provided externally

You can use this mode if you have Certificate Authority (CA) certificates configured in your OS or you can to specify them as JVM parameters, e.g.:

-Djavax.net.ssl.trustStore=/home/mqtt-spy/certificates/public_brokers.jks

-Djavax.net.ssl.trustStorePassword=password

Mode 2 - CA certificate

In this mode you need to provide:

  • the protocol version, e.g. TLS 1.2
  • the location of the CA certificate

Mode 3 - CA trust store

In this mode you need to provide:

  • the protocol version, e.g. TLS 1.2
  • the location and password to the CA trust store, which contains the relevant CA certificate(s); this could be a JKS, JCEKS, PKCS12 or BKS trust store

Mode 4 - CA certificate & client certificate/key

In this mode you need to provide:

  • the protocol version, e.g. TLS 1.2
  • the location of the CA certificate
  • the location of the client certificate
  • the location of the client key
  • the client key password
  • whether the key is in PEM format

Mode 5 - CA trust store & client key store

In this mode you need to provide:

  • the protocol version, e.g. TLS 1.2
  • the location and password to the CA trust store, which contains the relevant CA certificate(s); this could be a JKS, JCEKS, PKCS12 or BKS trust store
  • the location and password to the client key store, which contains the relevant client certificate and key; this could be a JKS, JCEKS, PKCS12 or BKS key store
  • the client key password

Mode 6 - TLS/SSL properties

A list of key/value pairs that can be used for configuring the TLS/SSL connection - this doesn't depend on JVM parameters being set.

Clone this wiki locally