
My IoT device creates a BLE connection with a smartphone, from which it connects to the cloud. When integrating TLS, should it be above MQTT or below? All implementations I have reviewed so far do it below the MQTT layer.

Above:

The TLS handshake and record messages are put into the MQTT payload and sent over BLE to the phone, which would then forward them through TCP/IP to the cloud. The smartphone is just forwarding the MQTT packet, and is not aware of its content.

Below:

First, a TLS session is established between the device and the cloud. The first approach is to have the device create an IP packet and send it over BLE to the smartphone to be forwarded to the cloud. Only when TLS is established, then start sending MQTT over this TLS session. As I review the literature, this is the more common approach. But this would add some more code to handle creating IP packets.

anonymous2

1 Answer

You would never run a TLS session tunnelled over MQTT. TLS connections expect a single bi-directional pipe over which to communicate; while it is possible to build this over MQTT, MQTT is better suited to 1-to-N* publisher/subscriber data.

*(Where N can be 0 to infinity)

Just run MQTT over TLS, as pretty much all MQTT brokers already support this out of the box. If you want to also encrypt the payload as well, then that is entirely up to you (if you are using a shared broker that doesn't support topic-level ACLs to prevent other users from subscribing to your topics).

Secondly, do not try to run an end-to-end MQTT session from the device via the phone to the cloud. Set the MQTT connection up from the phone and just forward the data over BLE. BLE has built-in encryption, but you can always encrypt the data before it's sent to the phone (a variation on the option described in the last paragraph).

hardillb
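Added example (editor's code, not part of the question or the answer above): a phone-side sketch of the layering the answer recommends. The phone owns the MQTT-over-TLS session to the broker and treats whatever arrives over BLE as an opaque payload to publish, so the device is free to pre-encrypt it. The BLE frame layout, the topic-id table and the topic names are assumptions made for the example; the hardened TLS context uses only the standard library, and the deliberately weak context is included so the review check can be seen rejecting it.

```python
"""Added example: phone-side MQTT-over-TLS setup and BLE frame forwarding."""
import ssl
import struct
from typing import Callable, Optional, Tuple

# Constructed mapping from a one-byte topic id carried in the BLE frame to the
# MQTT topic the phone publishes on. The ids and topic names are assumptions.
TOPIC_TABLE = {
    0x01: "devices/demo-device/telemetry",
    0x02: "devices/demo-device/events",
}

# Frame layout chosen for this example: topic id (1 byte), payload length
# (2 bytes, big-endian), payload. The device fills the payload; the phone never
# inspects it, so the device may pre-encrypt it (the "encrypt before BLE" option).
_HEADER = struct.Struct("!BH")


def make_mqtt_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context the phone uses for its broker connection (conventionally port 8883).

    Built on the standard library's hardened defaults and then pinned to the
    settings that matter: the broker certificate must chain to a trusted CA,
    the hostname must match, and nothing older than TLS 1.2 is accepted.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # must hold before check_hostname is enabled
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The weak configuration often seen in quick IoT prototypes, for contrast.

    With verification disabled the broker is never authenticated, so the
    "TLS" session protects nothing against an on-path impersonator.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Review check: reject a context that skips verification or allows old TLS."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def parse_ble_frame(frame: bytes) -> Tuple[str, bytes]:
    """Decode one frame received from the device over BLE.

    Raises ValueError on truncated, mis-sized or unknown-topic frames so a
    malformed frame is dropped instead of being published as garbage.
    """
    if len(frame) < _HEADER.size:
        raise ValueError("frame shorter than header")
    topic_id, length = _HEADER.unpack_from(frame)
    payload = frame[_HEADER.size:]
    if len(payload) != length:
        raise ValueError(f"declared length {length}, got {len(payload)}")
    try:
        topic = TOPIC_TABLE[topic_id]
    except KeyError:
        raise ValueError(f"unknown topic id {topic_id:#x}") from None
    return topic, payload


def forward_frame(frame: bytes, publish: Callable[[str, bytes], None]) -> Tuple[str, bytes]:
    """Phone-side forwarder: BLE frame in, MQTT publish out over the TLS session.

    `publish` is whatever the phone's MQTT client exposes (e.g. client.publish);
    it is injected so the forwarding logic can be exercised without a broker.
    """
    topic, payload = parse_ble_frame(frame)
    publish(topic, payload)
    return topic, payload


def build_frame(topic_id: int, payload: bytes) -> bytes:
    """Device-side helper producing the frame layout above (used by the demo)."""
    return _HEADER.pack(topic_id, len(payload)) + payload


if __name__ == "__main__":
    sent = []
    frame = build_frame(0x01, b'{"temp_c":21.5}')   # constructed sample payload
    print(forward_frame(frame, lambda t, p: sent.append((t, p))))
    print("hardened:", context_is_hardened(make_mqtt_tls_context()))
    print("insecure:", context_is_hardened(make_insecure_context()))
```

The forwarder never parses the payload, which is what keeps the phone out of the trust boundary if the device encrypts before BLE; the only decisions the phone makes are which topic to use and whether the frame is well-formed.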