DEV Community

Ble Advertiser
Ble Advertiser

Posted on

Securing Your ESP32 MQTT Broker with Mutual TLS: Protecting Data in the Field

#esp32 #mqtt #mtls #embedded

Securing Your ESP32 MQTT Broker with Mutual TLS: Protecting Data in the Field

Have you ever struggled with unauthorized access to your IoT devices, finding that sensitive sensor data was being compromised? The vulnerability of MQTT brokers to man-in-the-middle attacks is a common pain point in IoT deployments, especially when relying on unauthenticated or weakly authenticated connections. This article guides you through implementing Mutual Transport Layer Security (mTLS) on your ESP32 MQTT broker, providing robust authentication and integrity checks for your MQTT clients. This method significantly elevates the security posture of your device, making it far more resilient to attacks.

Core Concepts

Before diving into the implementation, let's solidify the fundamental concepts underpinning mTLS.

What is mTLS? mTLS goes beyond simply encrypting communication. It mandates that both the client and the server present valid certificates to each other during the TLS handshake. This provides stronger authentication than traditional TLS, verifying the identity of both parties. Essentially, it's a two-way authentication process.

Why is it important? In IoT, security is paramount, particularly when handling sensitive data (e.g., health monitoring, industrial control). mTLS prevents:

  • Eavesdropping: Ensuring that only authorized clients can intercept and read MQTT messages.
  • Man-in-the-Middle (MITM) Attacks: Protecting against attackers who try to intercept communication and modify data.
  • Unauthorized Access: Verifying the identity of each device attempting to connect to the broker.

MQTT and TLS: MQTT, a lightweight messaging protocol, typically relies on TLS for secure communication. With mTLS, you require clients to present a digital certificate to the broker, which then validates the certificate against a Certificate Authority (CA) you define. The broker, in turn, presents its own certificate to the client for verification.

Certificate Authorities (CAs): CAs are trusted entities that issue digital certificates. For mTLS, you'll need to create your own CA or utilize a trusted CA. The CA signs the certificates for your clients and the broker, ensuring their authenticity. Using a self-signed CA is common for internal deployments.

Certificate Types:

  • Client Certificates: Used by clients to prove their identity to the broker.
  • Server Certificates: Used by the broker to prove its identity to the clients.

Diagram:

+-----------+      +-------------+      +-------------+
|  Client   |------>|   Broker    |------>|   Client   |
+-----------+      +-------------+      +-----------+
     ^             |             |         ^
     |             |             |         |
     |   Client     |  Server     |    Client  |  (TLS)
     |   Certificate|  Certificate|         |
     |             |             |         |
     +-------------+             +---------+
Enter fullscreen mode Exit fullscreen mode

The arrows represent the TLS connection, and the certificates are presented during the handshake.

Implementation

This guide will focus on configuring the ESP32 MQTT broker using the ESP-IDF (Espressif IoT Development Framework) and the esp_mqtt library, incorporating mTLS. We’ll assume a basic understanding of the ESP32 and the ESP-IDF.

Prerequisites:

  • ESP32 development board.
  • ESP-IDF installed.
  • Basic familiarity with MQTT and TLS.

Steps:

  1. Certificate Generation: You need to generate client and server certificates. OpenSSL is a common tool for this. Generate a private key for both the broker and each client. Then, create a certificate signing request (CSR) for each, and finally, sign the CSRs using your CA. Important: Store the private keys securely.

  2. Certificate Storage: Store the certificates and private keys in the appropriate locations on your ESP32. For the broker, this is typically within the flash memory. For client certificates, they can be stored as files on the device's storage (SD card, internal flash).

  3. Configuration: Modify the mqtt_broker.h and mqtt_broker.c files to enable mTLS and configure the certificate paths.

  4. Client Configuration: Each client needs to have its own client certificate and private key. The client will use these to authenticate with the broker.

Code Requirements & Permissions:

  • ESP-IDF version 5.0 or later.
  • esp_mqtt library. This can be found in the ESP-IDF documentation or via Git.
  • Permissions: You will need appropriate permissions to read/write files to flash memory and storage. This may involve configuring the ESP32's security settings. 
#include "esp_mqtt.h"
#include "esp_err.h"
#include "esp_log.h"

// Define the path to the certificate files
#define CERT_PATH "/etc/mqtt/client.crt"
#define KEY_PATH "/etc/mqtt/client.key"

// Define the path to the certificate files
#define CERT_PATH "/etc/mqtt/server.crt"
#define KEY_PATH "/etc/mqtt/server.key"
Enter fullscreen mode Exit fullscreen mode

Code Examples

1. Broker Configuration (mqtt_broker.c):

#include "esp_mqtt.h"
#include "esp_log.h"

// Define the certificate files
#define CERT_PATH "/etc/mqtt/server.crt"
#define KEY_PATH "/etc/mqtt/server.key"

// mTLS configuration parameters
static esp_mqtt_server_config_t server_config = {
    .tls_cert_path = CERT_PATH,
    .tls_key_path = KEY_PATH,
    .tls_client_auth = ESP_MQTT_TLS_AUTH_CLIENT, // Client Authentication Required
    .tls_client_cert_req = ESP_MQTT_TLS_CERT_REQ_REQUIRED, // Client Certificate Required
    .tls_client_cert_file = CERT_PATH, // Path to the client certificate file
    .tls_client_key_file = KEY_PATH, // Path to the client key file
    .tls_ca_file = "/etc/mqtt/ca.crt" //Path to the CA certificate file.
};

// Function to initialize the MQTT broker with mTLS
ESP_ERROR_t mqtt_init(void) {
    ESP_LOGI("MQTT", "Initializing MQTT broker with mTLS...");

    // Initialize the MQTT server configuration
    esp_mqtt_server_config_t config = {
        .server_address = "broker.example.com",  //Replace with your broker's address
        .server_port = 8883,
        .tls_cert_path = CERT_PATH,
        .tls_key_path = KEY_PATH,
        .tls_client_auth = ESP_MQTT_TLS_AUTH_CLIENT,
        .tls_client_cert_req = ESP_MQTT_TLS_CERT_REQ_REQUIRED,
        .tls_client_cert_file = CERT_PATH,
        .tls_client_key_file = KEY_PATH,
        .tls_ca_file = "/etc/mqtt/ca.crt"
    };

    esp_mqtt_server_init(&config);

    ESP_LOGI("MQTT", "MQTT broker initialized successfully.");
    return ESP_OK;
}


void app_main(void) {
    ESP_LOGI("MQTT", "Starting MQTT Broker...");
    mqtt_init();
    while (1) {
        //Your main application logic here
        vTaskDelay(pdMS_TO_TICKS(1000)); //Keep the loop running
    }
}
Enter fullscreen mode Exit fullscreen mode

2. Client Configuration (client.c):


c
#include "esp_mqtt.h"
#include "esp_log.h"

// Define the certificate files
#define CERT_PATH "/etc/mqtt/client.crt"
#define KEY_PATH "/etc/mqtt/client.key"


// Function to connect to the MQTT broker with mTLS
ESP_ERROR_t mqtt_connect(void) {
    esp_mqtt_client_config_t client_config = {
        .server_address = "broker.example.com",   //Replace with your broker's address
        .server_port = 8883,
        .tls_client_cert_file = CERT_PATH,
        .tls_client_key_file = KEY_PATH,
        .tls_client_auth = ESP_MQTT_TLS_AUTH_CLIENT,
        .tls_client_cert_req = ESP_MQTT_TLS_CERT_REQ_REQUIRED,
    };

    ESP_ERROR_t err = esp_mqtt_client_init(&client_config);
    if (err != ESP_OK) {
        ESP_LOGE("MQTT", "Failed to initialize MQTT client: %s",
Enter fullscreen mode Exit fullscreen mode

Top comments (0)