B4J Question [IoT] - security (explained)

[woniol]

Thanks to b4x and the power of its combined tools we are able to create apps that run on IOT devices like RaspberryPI, Intel Edison, PC, IOS and Android devices. We are able to use b4j web server for http communication, tcp, websockets and even mqtt.
We have very nice examples how to interact with gpio ports on the embded platforms and the examples of communication between devices.

It all fine If we try it as a proof of concept environment, but when one thinks of a real life usage of all those IOT devices, there is one problem with b4j.

We can’t really use secure connection in any of mentioned protocols.

Please correct me if I’m wrong.

I would like to ask for some examples how to make secure connections using https, wws, and mqtt with ssl support. I think it’s a very important aspect, if we want to create new things for IOT with b4x and use it in real word.

 

[Erel]

We can’t really use secure connection in any of mentioned protocols.

Why do you say that? That's not correct.

https://www.b4x.com/search?query=B4J+ssl

jServer supports https and wss.
MQTT also supports SSL connections. The embedded broker currently doesn't support it. However you can easily run one of the many available brokers instead.

 

[Erel]

BTW, you can see an online SSL example here: https://b4x.com:51041/

 

[woniol]

Why do you say that? That's not correct.

https://www.b4x.com/search?query=B4J ssl

jServer supports https and wss.
MQTT also supports SSL connections. The embedded broker currently doesn't support it. However you can easily run one of the many available brokers instead.

jServer supports https and wss, but is it possible to connect to it using android websocket client using ssl ?
Is it possible to configure jmqtt client to connect to for example mosquito using ssl?

If so, i would appreciate examples of such config.

 

[Erel]

Both Http and OkHttp libraries support https connections.
wss connections are supported by SecureWebSocket library: https://www.b4x.com/android/forum/threads/securewebsocket-client-library.45981/#content
I've just tested with the online server and it works.

Is it possible to configure jmqtt client to connect to for example mosquito using ssl?

Yes. There is nothing to configure. You just need to set the scheme to ssl instead of tcp.

 

[woniol]

Oh, I managed to connect to the cloud broker using ssl instead of tcp.
Does someone now how to configure local mosquito to make such a connection?

 

[woniol]

I made some config with help of this description
http://www.embedded101.com/Blogs/Pa...h-the-m2mqtt-library-and-the-mosquitto-broker

Looks, that mosquito works fine with this config, but i couldn't connect using jmqtt client.
I think there is a problem with self signed certificate.
As I know, this certicates are not supported by this lib https://www.b4x.com/android/forum/threads/jmqtt-official-android-mqtt-client.59497/#post-380212

Will i be possible to add such a support for jmqtt lib? https://www.b4x.com/android/forum/threads/mqtt-ssl-with-self-signed-certificates.62530/

 

[Erel]

You have started this thread with very strong (and incorrect) claims. I gave my answers above.

Please start a new thread for any question.

 

[woniol]

It wasn't my intention to claim about b4x.
I just wanted to point out that security is very important in IoT world, especially when it comes to controllig stuff.

I'm using b4x (b4a, b4j) for quite a long time - i write my whole house automation system in my free time (hobby),
thats why i'm very happy that b4x is evolving to IoT world, with lots of hardware support and code examples.

Last month I presented the idea of my system and what i made so far, to the company that installs alarm and home automation systems.
And the first question was, how secure is the connection between client (android b4a) and server (raspberrypi b4j).
At first the communication protocol i used in my system was websockets, now i'm trying to rewrite it to mqtt, and split the server into some separate components.

In fact i missed the b4j server feature to support https connections, because i don't use it in my solution.
I did some test on the metioned SecureWebSocket library: https://www.b4x.com/android/forum/threads/securewebsocket-client-library.45981/#content
but i had some problems with it mentioned in the linked thread, so i decided to keep using standard b4a websocket lib for the time of beta tests.

Now, with the power of b4x and it's mqtt support i decided to rewrite all communication stuff to thie protocol.
After some tests i decided to switch to ssl communication.

In fact my knowledge of all this cetification stuff is very poor, that's why i asked for some examples.

 

[b4auser1]

Below I placed my overview with SSL support by server and client libs in B4x.

jServer support https and wss with both kinds of certificates: trusted and self-signed:
MQTT Broker library doesn't support SSL.

All client libraries: OkHTTP, SecureWebSocket Client Library, MQTT libraries support SSL (https/wss), but there are issues with self-signed certificates.

I use the workaroud for OkHTTP from Erel: HttpUtils2Service.bas

#If Accept_selfsigned_certificates
    hc.InitializeAcceptAll("hc")
#Else   
    hc.Initialize("hc")
#End If

I read message:

daemon
Tried debugging a little bit, found that the WebSocket library uses SSLCertificateSocketFactory to create a socket, which seems to return a closed socket for such conditions:
https://github.com/palmerc/SecureWe...avendo/autobahn/WebSocketConnection.java#L484

From this message I understood that there is issue with self-signed certificates in the SecureWebSocket Client Library.

I don't know if there is SecureWebSocket Client Library for B4J, B4i.

I don't know if there are issues with self-signed certificates for MQTT client libraries.

Erel,
it would be great if you create a tutorial where provide B4x developers with consolidated information about SSL support for server and client libraries for all B4x platforms. Also tutorial should reflect if self-signed certificates are supported, and how to setup SSL support for all of cases.

 

[Erel]

B4i iWebSocket library supports wss connections.
B4J jWebSocketClient doesn't support wss connections (jetty client implementation which is the base of this library doesn't support it).

This thread was about security in production. Self signed certificates are not relevant for production usage. Specifically you shouldn't use hc.InitializeAcceptAll in production unless you are not worried about security.

Further questions should be posted in a new thread.