Merge pull request #67 from GeekyTim/master

Updated mqtt.py to use TLS.
jim-easterbrook · Aug 22, 2018 · a30d9b7 · a30d9b7
2 parents b8bedb4 + daf0047
commit a30d9b7
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/src/contributors/contributors.txt b/src/contributors/contributors.txt
@@ -14,6 +14,7 @@ Markus Birth                    markus@birth-online.de
 Chris Ramsay                    chris@ramsay-family.net
 Christian Benke                 benkokakao@gmail.com
 Ian Wilkinson                   null@sgtwilko.f9.co.uk
+Tim Richardson                  tim@potton.me.uk
 
 Translators
 -----------

diff --git a/src/pywws/service/mqtt.py b/src/pywws/service/mqtt.py
@@ -32,8 +32,10 @@
     port = 1883
     client_id = pywws
     retain = False
-    user = 
-    password = 
+    user =
+    password =
+    tls_cert = /home/pi/pywws/ca_cert/mqtt_ca.crt
+    tls_ver = 2
     multi_topic = False
     template_txt = ('\\n'
             '#idx          \\'"idx"         : "%Y-%m-%d %H:%M:%S",\\'#\\n'
@@ -72,6 +74,16 @@
 
 ``user`` and ``password`` can be used for MQTT authentication.
 
+``tls_cert`` and ``tls_ver`` are used for MQTT TLS security.  Set tls_cert
+ as the path to a CA certificate (e.g. tls_cert = /home/pi/pywws/ca_cert/mqtt_ca.crt)
+ and tls_ver to the TLS version (e.g. tls_ver = 2) (TLS1.2 recommended).
+ See https://mosquitto.org/man/mosquitto-tls-7.html for information on how to
+ generate certificates.  Only copy the ca.crt to your pywws client.
+ See http://www.steves-internet-guide.com/mosquitto-tls/ for a step-by-step guide
+ to securing your MQTT server.
+ Note that secure MQTTS usually uses port 8883, so you will need to also
+ change the port number.
+
 ``multi_topic`` is a boolean and should be set to ``True`` or ``False``.
 If set to ``True`` pywws will also publish all the data each as separate
 subtopics of the configured ``topic``; e.g., with the ``topic`` set to
@@ -157,6 +169,8 @@ def __init__(self, context):
                 service_name, 'retain', 'False')),
             'user'       : context.params.get(service_name, 'user', ''),
             'password'   : context.params.get(service_name, 'password', ''),
+            'tls_cert'   : context.params.get(service_name, 'tls_cert', ''),
+            'tls_ver'    : eval(context.params.get(service_name, 'tls_ver', '1')),
             'multi_topic': eval(context.params.get(
                 service_name, 'multi_topic', 'False')),
             }
@@ -179,6 +193,10 @@ def session(self):
             session.username_pw_set(self.params['user'])
         logger.debug(('connecting to host {hostname:s}:{port:d} '
                       'with client_id "{client_id:s}"').format(**self.params))
+
+        if self.params['tls_cert']:
+            session.tls_set(self.params['tls_cert'], tls_version=self.params['tls_ver'])
+
         session.connect(self.params['hostname'], self.params['port'])
         try:
             yield session
@@ -207,7 +225,7 @@ def upload_data(self, session, prepared_data={}, live=False):
                     return False, str(ex)
             # Need to make sure the messages have been flushed to the
             # server.
-            session.loop(timeout=0.5) 
+            session.loop(timeout=0.5)
         return True, 'OK'