Skip to content

feat: Add TLS encryption to MQTT bridge for secure connection to base station #537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
char1ss4 wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

feat: Add TLS encryption to MQTT bridge for secure connection to base station #537

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
113 changes: 113 additions & 0 deletions secure_mqtt.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
diff --git a/compose/compose.brick.yml b/compose/compose.brick.yml
index 007ef16..f7c2537 100644
--- a/compose/compose.brick.yml
+++ b/compose/compose.brick.yml
Comment on lines +1 to +4
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This patch file references paths that don't exist in the current repo (e.g., compose/compose.*.yml and siren-base/compose.siren.yml), so it won’t apply cleanly and is likely to become stale. Consider removing it from version control (or moving it to external documentation/issue notes) unless it’s kept in sync with the current file layout and validated with git apply.

Copilot uses AI. Check for mistakes.
@@ -1,6 +1,6 @@
services:
scylla-server:
environment:
- - SCYLLA_SIREN_HOST_URL=192.168.100.11:1883
+ - SCYLLA_SIREN_HOST_URL=192.168.100.11:8883
- SCYLLA_RATE_LIMIT_MODE=none

diff --git a/compose/compose.calypso.yml b/compose/compose.calypso.yml
index c27b441..75df348 100644
--- a/compose/compose.calypso.yml
+++ b/compose/compose.calypso.yml
@@ -8,4 +8,4 @@ services:
#- CALYPSO_CAN_ENCODE=false
#- CALYPSO_SOCKETCAN_IFACE=vcan0
# in sim or prod mode
- - CALYPSO_SIREN_HOST_URL=siren:1883
+ - CALYPSO_SIREN_HOST_URL=siren:8883
diff --git a/compose/compose.client-dev.yml b/compose/compose.client-dev.yml
index 9b4c46c..875434d 100644
--- a/compose/compose.client-dev.yml
+++ b/compose/compose.client-dev.yml
@@ -1,7 +1,7 @@
services:
scylla-server:
environment:
- - SCYLLA_SIREN_HOST_URL=siren:1883
+ - SCYLLA_SIREN_HOST_URL=siren:8883

siren:
extends:
diff --git a/compose/compose.router.yml b/compose/compose.router.yml
index 9a660e0..06be21f 100644
--- a/compose/compose.router.yml
+++ b/compose/compose.router.yml
@@ -3,7 +3,7 @@ services:
depends_on:
- siren
environment:
- - SCYLLA_SIREN_HOST_URL=siren:1883
+ - SCYLLA_SIREN_HOST_URL=siren:8883
- SCYLLA_BATCH_UPSERT_TIME=20
init: false

diff --git a/compose/compose.tpu.yml b/compose/compose.tpu.yml
index 88ea321..6dda3c2 100644
--- a/compose/compose.tpu.yml
+++ b/compose/compose.tpu.yml
@@ -1,7 +1,7 @@
services:
scylla-server:
environment:
- - SCYLLA_SIREN_HOST_URL=host.docker.internal:1883
+ - SCYLLA_SIREN_HOST_URL=host.docker.internal:8883
- SCYLLA_RATE_LIMIT_MODE=static
- SCYLLA_STATIC_RATE_LIMIT_VALUE=100
extra_hosts:
diff --git a/scylla-server/src/main.rs b/scylla-server/src/main.rs
index d51d3fc..033dd06 100755
--- a/scylla-server/src/main.rs
+++ b/scylla-server/src/main.rs
@@ -77,7 +77,7 @@ struct ScyllaArgs {
short = 'u',
long,
env = "SCYLLA_SIREN_HOST_URL",
- default_value = "localhost:1883"
+ default_value = "localhost:8883"
)]
siren_host_url: String,

diff --git a/siren-base/compose.siren.yml b/siren-base/compose.siren.yml
index 3e4e4c6..4d97b46 100644
--- a/siren-base/compose.siren.yml
+++ b/siren-base/compose.siren.yml
@@ -4,10 +4,10 @@ services:
restart: unless-stopped
image: eclipse-mosquitto:latest
ports:
- - 1883:1883
+ - 8883:8883
- 9002:9001 # win conflict on 9001
expose:
- - 1883
+ - 8883
volumes:
- ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
cpu_shares: 2048
diff --git a/siren-base/mosquitto/mosquitto.conf b/siren-base/mosquitto/mosquitto.conf
index 19deeea..f691d2e 100755
--- a/siren-base/mosquitto/mosquitto.conf
+++ b/siren-base/mosquitto/mosquitto.conf
@@ -49,7 +49,7 @@ queue_qos0_messages false
# Listeners
# =================================================================

-listener 1883
+listener 8883

socket_domain ipv4

@@ -176,7 +176,7 @@ allow_anonymous true
connection tpu
# *** tpu ip
# *** diff from tpu
-address 192.168.100.12
+address 192.168.100.12:8883
# *** diff from tpu (needed as topic key required)
topic reserved out 2 dummy dummyremote

2 changes: 2 additions & 0 deletions siren-base/mosquitto/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
*.key
*.crt
255 changes: 255 additions & 0 deletions siren-base/mosquitto/mosquitto.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,255 @@
# See mosquitto.conf for comments and info. https://mosquitto.org/man/mosquitto-conf-5.html
# All options here uncommented were changed, commented are the defaults being noted.
# Note that comments cannot be on the same line as uncommented keys (ie # only respected at line position 0)
# # *** ^^^

max_topic_alias 65534

#per_listener_settings false

allow_zero_length_clientid false

#auto_id_prefix auto-

check_retain_source false

#max_inflight_bytes 0

#max_inflight_messages 20

#max_keepalive 65535

#max_packet_size 0

#max_queued_bytes 0

max_queued_messages 0

#memory_limit 0

#message_size_limit 0

persistent_client_expiration 14d

#pid_file

queue_qos0_messages false

#retain_available true

#set_tcp_nodelay false

#sys_interval 10

#upgrade_outgoing_qos false

#user mosquitto

# =================================================================
# Listeners
# =================================================================

listener 1883

socket_domain ipv4

#bind_interface

#http_dir

#max_connections -1

#mount_point

#protocol mqtt

#use_username_as_clientid

#websockets_headers_size

# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------

#certfile

#keyfile

#ciphers

#ciphers_tls1.3

#crlfile

#dhparamfile

#require_certificate false

#cafile
#capath

#use_identity_as_username false

# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------

#psk_hint

#ciphers

#use_identity_as_username false


# =================================================================
# Persistence
# =================================================================

autosave_interval 30

#autosave_on_changes false

# *** diff from tpu
persistence true

#persistence_file mosquitto.db

# *** diff from tpu
persistence_location /mosquitto/data


# =================================================================
# Logging
# =================================================================
# *** diff from tpu (for docker)
log_dest stdout

log_type error
log_type warning
log_type notice
log_type information
log_type subscribe
log_type unsubscribe
#log_type information

connection_messages true

log_timestamp true

#log_timestamp_format

#websockets_log_level 0


# =================================================================
# Security
# =================================================================

#clientid_prefixes

allow_anonymous true

# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------

#password_file
Comment on lines +150 to +156
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The MQTT broker is configured with allow_anonymous true, which means any client that can reach this listener can connect, subscribe, and publish without authentication. If port 1883 is exposed on the host or network (as suggested by the accompanying compose configuration), an attacker on the network could inject or read MQTT messages destined for the car, potentially controlling or monitoring vehicle functions. Consider disabling anonymous access and requiring authentication and/or mutual TLS for this listener, or strictly binding it to a trusted interface/network segment so that only trusted services can connect.

Suggested change
allow_anonymous true
# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
#password_file
allow_anonymous false
# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
password_file /mosquitto/config/passwordfile

Copilot uses AI. Check for mistakes.

#psk_file

#acl_file

# *** diff from tpu
#plugin /usr/lib/mosquitto/mosquitto_message_timestamp.so

# plugin_opt_db_host
# plugin_opt_db_port
# plugin_opt_db_username
# plugin_opt_db_password


# =================================================================
# Bridges
# =================================================================

# *** diff from tpu
connection tpu
# *** tpu ip
# *** diff from tpu
address 192.168.100.12:8883
# *** diff from tpu (needed as topic key required)
topic reserved out 2 dummy dummyremote


#bridge_bind_address

#bridge_attempt_unsubscribe true

bridge_protocol_version mqttv50

#cleansession false

#idle_timeout 60

#keepalive_interval 60

#local_clientid

notifications true

#notification_topic

# *** diff from tpu
remote_clientid base_station

#remote_password

#remote_username

restart_timeout 5

#round_robin false

#start_type automatic

#threshold 10

#try_private true

#bridge_outgoing_retain true

#bridge_max_packet_size 0


# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------

bridge_cafile /mosquitto/config/ca.crt
#bridge_capath

#bridge_alpn

bridge_insecure false

bridge_certfile /mosquitto/config/base-station-broker.crt

bridge_keyfile /mosquitto/config/base-station-broker.key

bridge_tls_version tlsv1.2

# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------

#bridge_identity
#bridge_psk


# =================================================================
# External config files
# =================================================================

#include_dir

max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
Copy link

Copilot AI Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

max_qos 2 has an inline comment. Mosquitto only treats # as a comment when it starts the line, so this will be parsed as part of the value and can prevent the broker from starting. Move the comment onto its own line above (or make the whole line a comment) so the directive is just max_qos 2.

Suggested change
max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
# *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
max_qos 2

Copilot uses AI. Check for mistakes.