
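ESP32-S3 fails to connect to EMQX MQTT broker over TLS (connecting to Eclipse works)

Problem: ESP32-S3 fails to connect to the EMQX broker over TLS

Background

I'm not familiar with TLS security technology and am currently working out the configuration for connecting an ESP32-S3 to an MQTT broker. I have already got two kinds of connection working:

  • TCP connection to an Eclipse broker on my local PC
  • TLS connection to the remote Eclipse server using the eclipse.crt certificate

However, I ran into problems when trying to connect to the remote EMQX broker provided by the customer.

Files provided by the customer

The customer gave me three files for EMQX:

  • truststore.jks
  • domain.pem
  • broker.crt

They also provided a Python sample program that connects to the EMQX broker successfully using only broker.crt; I ran it on my PC and confirmed that it works.

My basic connection code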

esp_mqtt_client_config_t mqtt5_cfg = {};

// [Broker specific stuff goes here]

ESP_LOGW(TAG, "Connecting to Broker: %s", brokerAddress.c_str());
mqtt5_cfg.session.protocol_ver = MQTT_PROTOCOL_V_5;
mqtt5_cfg.session.keepalive = 120000;
mqtt5_cfg.session.message_retransmit_timeout = 1000; // MQTT_DEFAULT_RETRANSMIT_TIMEOUT_MS;
mqtt5_cfg.outbox.limit = 0; // No size limit
mqtt5_cfg.buffer.size = 20 * 1024; // default MQTT_BUFFER_SIZE_BYTE used for Incoming messages and Outgoing messages if out_size (below) = 0
mqtt5_cfg.buffer.out_size = 10 * 1024; // default MQTT_BUFFER_SIZE_BYTE used for Outgoing messages if > 0    
client = esp_mqtt_client_init(&mqtt5_cfg);

Connection configurations that work

1. TCP connection to the local Eclipse broker

brokerAddress = "192.168.1.2";
mqtt5_cfg.broker.address.hostname = brokerAddress.c_str();
mqtt5_cfg.broker.address.port = 1883;
mqtt5_cfg.broker.address.transport = MQTT_TRANSPORT_OVER_TCP;
mqtt5_cfg.credentials.username = "Name";
mqtt5_cfg.credentials.authentication.password = "Password";

Log output:

W (15:04:32.936) aMQTT: Connecting to Broker: 192.168.1.2
W (15:04:32.982) aMQTT: Broker connected

2. TLS connection to the remote Eclipse server

brokerAddress = "mqtts://mqtt.eclipseprojects.io:8883";
mqtt5_cfg.broker.address.uri = brokerAddress.c_str();
mqtt5_cfg.broker.verification.certificate = (const char *)cert_pem_start;
mqtt5_cfg.credentials.username = "Name";
mqtt5_cfg.credentials.authentication.password = "Password";

Log output:

W (15:07:29.076) aMQTT: Connecting to Broker: mqtts://mqtt.eclipseprojects.io:8883
W (15:07:31.007) aMQTT: Broker connected

EMQX connection configurations that fail

1. TLS connection via URI

brokerAddress = "mqtts://mqtt.xxxxxx.com:8883";
mqtt5_cfg.broker.address.uri = brokerAddress.c_str();
mqtt5_cfg.broker.verification.certificate = (const char *)broker_crt_start;
mqtt5_cfg.credentials.username = "Name";
mqtt5_cfg.credentials.authentication.password = "Password";

Error log:

W (15:24:12.866) aMQTT: Connecting to Broker: mqtts://mqtt.xxxxxxcom:8883
E (15:24:14.113) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
E (15:24:14.116) esp-tls: Failed to open new connection
E (15:24:14.117) transport_base: Failed to open a new connection
E (15:24:14.121) mqtt_client: Error transport connect
E (15:24:14.123) aMQTT: MQTT_EVENT_ERROR
E (15:24:14.123) aMQTT: MQTT5 return code is 0
E (15:24:14.124) aMQTT: Last error reported from esp-tls: 0x801a
E (15:24:14.126) aMQTT: Last error reported from tls stack: 0x2700
E (15:24:14.127) aMQTT: Last errno string (Success)
W (15:24:14.129) aMQTT: Broker disconnected

2. TLS connection via hostname + port

brokerAddress = "mqtt.xxxxxx.com";
mqtt5_cfg.broker.address.hostname = brokerAddress.c_str();
mqtt5_cfg.broker.address.port = 8883;
mqtt5_cfg.broker.address.transport = MQTT_TRANSPORT_OVER_SSL;
mqtt5_cfg.broker.verification.certificate = (const char *)broker_crt_start;
mqtt5_cfg.credentials.username = "Name";
mqtt5_cfg.credentials.authentication.password = "Password";

Error log:

W (15:31:08.894) aMQTT: Connecting to Broker: mqtt.xxxxxx.com
E (15:31:10.929) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (15:31:10.931) esp-tls-mbedtls: Failed to verify peer certificate!
E (15:31:10.932) esp-tls: Failed to open new connection
E (15:31:10.933) transport_base: Failed to open a new connection
E (15:31:10.936) mqtt_client: Error transport connect
E (15:31:10.938) aMQTT: MQTT_EVENT_ERROR
E (15:31:10.939) aMQTT: MQTT5 return code is 0
E (15:31:10.940) aMQTT: Last error reported from esp-tls: 0x801a
E (15:31:10.941) aMQTT: Last error reported from tls stack: 0x2700
E (15:31:10.942) aMQTT: Last errno string (Success)
W (15:31:10.944) aMQTT: Broker disconnected

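Question

So far I only use broker.crt in the ESP32 code, and I'm not sure whether the other two files (truststore.jks, domain.pem) are needed. If they are, how should they be configured in the ESP32's MQTT connection parameters?


This question originally comes from Stack Exchange; asked by ADL.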
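
Added example, not part of the original question or of ESP-IDF: the logs above stop at the generic 0x2700 (certificate verification failed), while the MQTT error event also carries the mbedTLS verification flags, which say why verification failed. The helper names below are hypothetical and the constants are copied from mbedtls/x509.h so the block builds without ESP-IDF; on the device the inputs would be the esp_tls_stack_err and esp_tls_cert_verify_flags fields of event->error_handle.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from mbedtls/x509.h so this builds without ESP-IDF. */
#define X509_CERT_VERIFY_FAILED 0x2700u /* |MBEDTLS_ERR_X509_CERT_VERIFY_FAILED| */
#define BADCERT_EXPIRED         0x0001u
#define BADCERT_CN_MISMATCH     0x0004u
#define BADCERT_NOT_TRUSTED     0x0008u
#define BADCERT_FUTURE          0x0200u

typedef enum { DIAG_NOT_CERT, DIAG_VALIDITY, DIAG_NAME_MISMATCH,
               DIAG_UNTRUSTED_CA, DIAG_OTHER_CERT } tls_diag_t;

/* Hypothetical helper. esp-tls stores the mbedTLS error negated (the log
 * shows 0x2700 for -0x2700), so both signs are accepted. When several
 * flags are set, the cheapest condition to check is reported first. */
tls_diag_t triage_tls_failure(int stack_err, uint32_t verify_flags)
{
    uint32_t mag = (uint32_t)(stack_err < 0 ? -stack_err : stack_err);
    if (mag != X509_CERT_VERIFY_FAILED)
        return DIAG_NOT_CERT;
    if (verify_flags & (BADCERT_EXPIRED | BADCERT_FUTURE))
        return DIAG_VALIDITY;
    if (verify_flags & BADCERT_CN_MISMATCH)
        return DIAG_NAME_MISMATCH;
    if (verify_flags & BADCERT_NOT_TRUSTED)
        return DIAG_UNTRUSTED_CA;
    return DIAG_OTHER_CERT;
}

const char *tls_diag_hint(tls_diag_t d)
{
    switch (d) {
    case DIAG_VALIDITY:      return "not valid at the device's current time: set the clock before connecting";
    case DIAG_NAME_MISMATCH: return "hostname in the broker address does not match the server certificate";
    case DIAG_UNTRUSTED_CA:  return "server chain does not lead to the configured verification certificate";
    case DIAG_OTHER_CERT:    return "other certificate check failed: print the raw flags";
    default:                 return "not a certificate verification failure";
    }
}

int main(void)
{
    /* 0x2700 is the stack error from the logs above; the flag values are constructed. */
    const uint32_t flags[] = { 0x0008u, 0x0004u, 0x0200u };
    for (unsigned i = 0; i < sizeof flags / sizeof flags[0]; i++)
        printf("flags 0x%04x: %s\n", (unsigned)flags[i],
               tls_diag_hint(triage_tls_failure(0x2700, flags[i])));
    return 0;
}
```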
