Paho TLS mutual authentication

The Eclipse Paho open-source project's default TLS support only authenticates the MQTT server (one-way authentication); the official Android Service already integrates the relevant method:

MqttConnectOptions conOpt = new MqttConnectOptions();
MqttAndroidClient client;   // created elsewhere with the ssl:// broker URI

uri = "ssl://";

// ca.bks is exported from ca.crt with the keytool tool
InputStream ins = this.getResources().openRawResource(R.raw.ca);

String keypassword = "123456";

// One-way TLS: the BKS trust store is only used to verify the broker's certificate
conOpt.setSocketFactory(client.getSSLSocketFactory(ins, keypassword));

Implementing mutual authentication requires building the SocketFactory yourself; the code is as follows:

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.paho.android.service.MqttAndroidClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttSecurityException;

MqttConnectOptions conOpt = new MqttConnectOptions();
MqttAndroidClient client;   // created elsewhere with the ssl:// broker URI

uri = "ssl://";

// ca.bks is exported from ca.crt with the keytool tool
InputStream ins = this.getResources().openRawResource(R.raw.ca);

// client.p12 is exported from client.crt and client.key with openssl
InputStream clientIns = this.getResources().openRawResource(R.raw.client);

String keypassword = "123456";

// Mutual TLS: trust store for the broker plus key store holding the client's own certificate and key
conOpt.setSocketFactory(get2SSLSocketFactory(clientIns, ins, keypassword, keypassword));

... ...

public SSLSocketFactory get2SSLSocketFactory(InputStream clientKeyStore,
        InputStream serverKeyStore, String clientPassword, String serverPassword)
        throws MqttSecurityException {
    try {
        // Server side: BKS trust store containing the CA that signed the broker certificate
        KeyStore ts = KeyStore.getInstance("BKS");
        ts.load(serverKeyStore, serverPassword.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(ts);

        // Client side: PKCS12 key store containing the client certificate and its private key
        KeyStore kts = KeyStore.getInstance("PKCS12");
        kts.load(clientKeyStore, clientPassword.toCharArray());
        KeyManagerFactory keyManager = KeyManagerFactory.getInstance("X509");
        keyManager.init(kts, clientPassword.toCharArray());

        // Build the context: key managers present the client certificate, trust managers verify the broker
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(keyManager.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    } catch (Exception e) {
        // Wrap any key store / SSL setup failure in the exception type Paho expects
        throw new MqttSecurityException(e);
    }
}

The key step is generating the PKCS12-format certificate, which needs the client's crt and key:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

I took a lot of detours here before: generating the client certificate the same way ca.bks is generated always produced the error:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x75c72988: Failure in SSL library, usually a protocol error

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (external/openssl/ssl/s3_pkt.c:1256 0x7851af18:0x00000003)
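The following is an added example (not from the original post): it builds a throwaway CA and client certificate with openssl, exports the client identity as PKCS12 with the same command as above, and checks that the .p12 actually contains a private key, since a cert-only key store cannot answer the broker's CertificateRequest and produces exactly the "handshake failure" alert shown above. All file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that a client PKCS12 carries a private key before
# bundling it into the Android app. Everything is written to a temp dir.
set -eu

WORK=$(mktemp -d)
P12PASS=123456   # demo passphrase only (matches the post's keypassword)

# 1. Throwaway self-signed CA, standing in for the ca.crt the broker trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Client key + CSR, signed by the CA to produce client.crt.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/client.crt" 2>/dev/null

# 3. The post's export: certificate AND private key into one PKCS12 file.
openssl pkcs12 -export -clcerts -in "$WORK/client.crt" -inkey "$WORK/client.key" \
  -out "$WORK/client.p12" -passout "pass:$P12PASS"

# For comparison: a PKCS12 holding only the certificate, which is what you get
# when the client file is built the same way as the CA trust store.
openssl pkcs12 -export -nokeys -in "$WORK/client.crt" \
  -out "$WORK/certonly.p12" -passout "pass:$P12PASS"

# Count private keys inside a PKCS12 file; prints 0 for a cert-only store.
p12_private_keys() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nocerts -nodes 2>/dev/null \
    | grep -c "BEGIN.*PRIVATE KEY" || true
}

# Check that client.crt chains to the CA the BKS trust store will contain.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

echo "client.p12 private keys:   $(p12_private_keys "$WORK/client.p12")"
echo "certonly.p12 private keys: $(p12_private_keys "$WORK/certonly.p12")"
chain_ok && echo "client.crt chains to demo-ca"
```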

SSL/TLS encryption is fairly complex, with its many certificate formats, and the need for cross-platform communication adds more problems. When communicating with the Mosquitto server, I found that a wrong TLS version also produces an error:

MqttException (0) – javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7861ada8: Failure in SSL library, usually a protocol error

error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x71e78cf8:0x00000000)

The Paho project seems to support only up to TLSv1, while the server uses TLSv1.2, so the handshake fails.
