Page 1 of 1

eDomoticz MQTT and TLS?

Posted: Sunday 26 February 2017 18:02
by drbrains
I have been using the eDomoticz plugin and I love how I can talk to Siri or jus use the iOS 10 Home app out-of-the-box with Domoticz.

I am upgrading my own devices and adding security in the process. One feature I would love to see is adding TLS to the MQTT communication as we already have SSL to Domoticz. Could this be added even with "just" TLS Fingerprinting.

Keep up this great project!

Re: eDomoticz MQTT and TLS?

Posted: Sunday 26 February 2017 20:08
by SweetPants
There was an attempt to implement MQTT TLS a while ago, but it broke the whole MQTT implementation so it was reverted. If you want you can try ti implement it yourself https://github.com/eclipse/mosquitto

Re: eDomoticz MQTT and TLS?

Posted: Monday 27 February 2017 6:13
by drbrains
implement it myself ;) Okay, I will have a look, but JavaScript is not my language, but I should be able to sort of follow the code. Keep you adviced of any progress

Re: eDomoticz MQTT and TLS?

Posted: Monday 27 February 2017 11:04
by drbrains
Need help getting the CA path from Domoticz. Could someone point me in the right direction:

Index.JS is getting information from Domomoticz: mqttHardware.Port, mqttHardwatre.Username. But I can't find the reference for the CA Filename (certificate path).

Re: eDomoticz MQTT and TLS?

Posted: Tuesday 28 February 2017 16:48
by drbrains
Progress: doing "dirty" patch just to the MQTT.js I can connect with to port 8883 with TLS using the same CA.crt as I am using for Domoticz. Using different user/password to see the difference in my mosquito.log

Now I need an answer to my previous question and see if I can make it automatic switch between non secure and TLS based on CA setting in Domoticz.

Re: eDomoticz MQTT and TLS?

Posted: Thursday 02 March 2017 7:09
by drbrains
Nevermind: I found it myself. Why easier then I expected.

I am having it automatically using the CA certificate from Domoticz if it is defined or I can use an additional parameter: "cacert" in the config.json if provided. Where/How do I upload my new code so someone could have a look at it and maybe even implement it in a new release ??

Using the CA.crt as Domoticz does is not the best way (should be using client certificates), but at least now all the MQTT messages can be encrypted. For the Domoticz to MQTT and the Homebridge plugin it is not so relevant since most users will run in on their own local broker most likely on the same device so all communication is to localhost (127.0.0.1). But my other (EPS8266) devices can now send TLS encrypted messages over WiFi without me having to open the standard unsecure (1883) port.

Re: eDomoticz MQTT and TLS?

Posted: Thursday 02 March 2017 9:20
by SweetPants
PM GizMoCuZ, maybe he is willing to help you create a pull request and get your code in.