Add labs

04-mosquitto/lab08/.gitignore

@@ -0,0 +1 @@
+*.pem

04-mosquitto/lab08/config/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+  mosquitto:
+    image: eclipse-mosquitto
+    ports:
+      - "1883:1883"
+    volumes:
+      - ./:/mosquitto/config:ro

04-mosquitto/lab08/config/mosquitto.conf

@@ -0,0 +1,14 @@
+listener 1883
+listener_allow_anonymous true
+
+
+listener 8883
+
+#listener_allow_anonymous true
+listener_allow_anonymous false
+use_identity_as_username true
+
+certfile /mosquitto/config/server-cert.pem
+keyfile /mosquitto/config/server-key.pem
+require_certificate true
+cafile /mosquitto/config/ca-cert.pem

04-mosquitto/lab08/config/users.txt

@@ -0,0 +1,2 @@
+thomas:$7$101$+0sf4wma3qzDFw6R$H+lLmGLzo1Ex5rXxZqWxuEFCV7bSsAehEwTJ6XULFberEhwug/EC8aSWtiI4xScYQ2u/0sZ3xCg0rTRaMb5ITg==
+admin:$7$101$S9wXlrBPl3PFz+9y$l3/GP/FjklfQ2inTxBf4FfLvFR3r5yF6G6ZSRDFRwAklzltZ+xhUWM83PKQjxy2ZFYYmHxMoKs4q1+IMrXL6NA==

04-mosquitto/lab08/lab.txt

@@ -0,0 +1,76 @@
+= Verwendung mTLS in Mosquitto
+
+
+Erstellen Sie ein self-signed (CA) Zertifikat.
+
+
+$ openssl req -new -x509 -newkey rsa:4096 -nodes -keyout ca-key.pem -out ca-cert.pem \
+ -days 365 -subj "/CN=My-CA" -addext "basicConstraints=critical,CA:TRUE" \
+ -addext "keyUsage=critical,keyCertSign,cRLSign" 
+
+
+Signieren Sie damit ein selbst erstelltes Zertifikat für den Broker.
+
+$ openssl genrsa -out server-key.pem 2048
+$ openssl req -new -key server-key.pem -out request.pem -subj "/CN=localhost" \
+  -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
+  -addext "keyUsage=digitalSignature,keyEncipherment" \
+  -addext "extendedKeyUsage=serverAuth"
+
+$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
+ -set_serial 01 -out server-cert.pem -copy_extensions copyall
+$ rm request.pem
+
+
+Signieren Sie damit ein selbst erstelltes Zertifikat für den Client.
+
+$ openssl genrsa -out client-key.pem 2048
+$ openssl req -new -key client-key.pem -out request.pem -subj "/CN=thomas" \
+  -addext "keyUsage=digitalSignature" \
+  -addext "extendedKeyUsage=clientAuth"
+$ openssl x509 -req -days 365 -in request.pem -CA ca-cert.pem -CAkey ca-key.pem \
+ -set_serial 01 -out client-cert.pem -copy_extensions copyall
+$ rm request.pem
+
+
+Konfigurieren Sie damit einen zusätzlichen Listener in Mosquitto (`certfile`, `keyfile`) Port 8883
+
+
+listener 1883
+listener_allow_anonymous true
+password_file /mosquitto/config/users.txt
+acl_file /mosquitto/config/acl.txt
+
+listener 8883
+listener_allow_anonymous true
+certfile /mosquitto/config/server-cert.pem
+keyfile /mosquitto/config/server-key.pem
+require_certificate true
+cafile /mosquitto/config/ca-cert.pem
+
+
+$ docker run --rm -it --init --net host -v $PWD/config:/mosquitto/config eclipse-mosquitto
+
+
+Konfigurieren Sie das CA und Client Zertifikat im Client und greifen per mTLS auf Mosquitto zu.
+
+$ docker run --rm -it --init --net host -v $PWD/config:/data eclipse-mosquitto \
+ mosquitto_pub --port 8883 -V 5 --qos 1 --topic freeforall --message "this is secure"  \
+ --cafile /data/ca-cert.pem --cert /data/client-cert.pem \
+ --key /data/client-key.pem --debug
+
+
+Erweitern Sie die Konfiguration mit `use_identity_as_username true`
+
+listener 1883
+listener_allow_anonymous true
+password_file /mosquitto/config/users.txt
+acl_file /mosquitto/config/acl.txt
+
+listener 8883
+listener_allow_anonymous false
+use_identity_as_username true
+certfile /mosquitto/config/server-cert.pem
+keyfile /mosquitto/config/server-key.pem
+require_certificate true
+cafile /mosquitto/config/ca-cert.pem