In our Ubidots security guide, we explained why encryption is important for IoT and how we support two main methods for data encryption: SSL for HTTP communications, and TLS for MQTT.
MQTT is a lightweight publish/subscribe messaging transport optimized for IoT that supports TLS encryption. TLS (Transport Layer Security) provides a secure communication channel between a client and a server. Just like SSL, TLS is a cryptographic protocol that uses a handshake mechanism to create a secure connection between the client and the server. After the handshake is completed, an encrypted communication between client and server is established and no attacker could understand the content of the communication.
In this guide, we'll see how to publish MQTT messages using TLS encryption.
1. Retrieve our SSL certificate
Unlike unencrypted MQTT traffic, a TLS-powered client will need a certificate stored on its side. So let's start by storing that certificate locally by creating a new text file and entering the text below:
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
Then save it and give it any name, in this case "industrial.pem":
2. Install MQTT Paho
Paho is a popular MQTT client for Python, which has worked pretty well for us. You can install it using pip:
pip install paho-mqtt==1.3
For troubleshooting, or just to learn more, check out paho-mqtt page.
3. Create a Python script
Open a fresh Python file and copy the code below. Please note that:
The MQTT broker port is 8883, instead of 1883.
TLSv1.1 and TLSv1.2 are supported (in Python: ssl.PROTOCOL_TLSv1_1 and ssl.PROTOCOL_TLSv1_2).
This is a publish example, but it should work for subscribe as well. Just specify the TLS configuration before the "connect" line.
You should replace the var TLS_CERT_PATH with the path where you stored the above file with the certificate.
You should replace the MQTT_USERNAME with your own Ubidots account token.
'''
Sends data to Ubidots using MQTT over TLS
Example provided by Jose Garcia @Ubidots Developer
'''
import paho.mqtt.client as mqttClient
import time
import json
import ssl
'''
global variables
'''
connected = False # Stores the connection status
BROKER_ENDPOINT = "industrial.api.ubidots.com"
TLS_PORT = 8883 # Secure port
MQTT_USERNAME = "" # Put here your Ubidots TOKEN
MQTT_PASSWORD = "" # Leave this in blank
TOPIC = "/v1.6/devices/"
DEVICE_LABEL = "truck"
TLS_CERT_PATH = "/path/to/industrial.pem" # Put here the path of your TLS cert
'''
Functions to process incoming and outgoing streaming
'''
def on_connect(client, userdata, flags, rc):
global connected # Use global variable
if rc == 0:
print("[INFO] Connected to broker")
connected = True # Signal connection
else:
print("[INFO] Error, connection failed")
def on_publish(client, userdata, result):
print("Published!")
def connect(mqtt_client, mqtt_username, mqtt_password, broker_endpoint, port):
global connected
if not connected:
mqtt_client.username_pw_set(mqtt_username, password=mqtt_password)
mqtt_client.on_connect = on_connect
mqtt_client.on_publish = on_publish
mqtt_client.tls_set(ca_certs=TLS_CERT_PATH, certfile=None,
keyfile=None, cert_reqs=ssl.CERT_REQUIRED,
tls_version=ssl.PROTOCOL_TLSv1_2, ciphers=None)
mqtt_client.tls_insecure_set(False)
mqtt_client.connect(broker_endpoint, port=port)
mqtt_client.loop_start()
attempts = 0
while not connected and attempts < 5: # Wait for connection
print(connected)
print("Attempting to connect...")
time.sleep(1)
attempts += 1
if not connected:
print("[ERROR] Could not connect to broker")
return False
return True
def publish(mqtt_client, topic, payload):
try:
mqtt_client.publish(topic, payload)
except Exception as e:
print("[ERROR] Could not publish data, error: {}".format(e))
def main(mqtt_client):
payload = json.dumps({"tls_publish_test": 20})
topic = "{}{}".format(TOPIC, DEVICE_LABEL)
if not connect(mqtt_client, MQTT_USERNAME,
MQTT_PASSWORD, BROKER_ENDPOINT, TLS_PORT):
return False
publish(mqtt_client, topic, payload)
return True
if __name__ == '__main__':
mqtt_client = mqttClient.Client()
while True:
main(mqtt_client)
time.sleep(10)
This script will send the value "20", every 10 seconds, to a device called "mqtt" inside your Ubidots account. When running the code:
python publish_singlevalue_tls.py
... You should get something like this:
Connecting...
Connected to broker
{"tls_publish_test": 20}
Published!
This example was written in Python, but any programming language supporting MQTT+TLS should offer an option to include an SSL certificate. We hope this was helpful and feel free to contact your account executive for further support.