From 5e341af5d9310610e8dbd0913758e14eedbc37be Mon Sep 17 00:00:00 2001 From: char1ss4 Date: Wed, 25 Feb 2026 15:55:07 -0500 Subject: [PATCH 1/4] feat: Add TLS encryption to MQTT bridge for secure connection to car --- secure_mqtt.patch | 113 ++++++++++++ siren-base/mosquitto/.gitignore | 2 + siren-base/mosquitto/mosquitto.conf | 255 ++++++++++++++++++++++++++++ 3 files changed, 370 insertions(+) create mode 100644 secure_mqtt.patch create mode 100644 siren-base/mosquitto/.gitignore create mode 100644 siren-base/mosquitto/mosquitto.conf diff --git a/secure_mqtt.patch b/secure_mqtt.patch new file mode 100644 index 00000000..3239ce21 --- /dev/null +++ b/secure_mqtt.patch 
@@ -0,0 +1,113 @@ +diff --git a/compose/compose.brick.yml b/compose/compose.brick.yml +index 007ef16..f7c2537 100644 +--- a/compose/compose.brick.yml ++++ b/compose/compose.brick.yml +@@ -1,6 +1,6 @@ + services: + scylla-server: + environment: +- - SCYLLA_SIREN_HOST_URL=192.168.100.11:1883 ++ - SCYLLA_SIREN_HOST_URL=192.168.100.11:8883 + - SCYLLA_RATE_LIMIT_MODE=none + +diff --git a/compose/compose.calypso.yml b/compose/compose.calypso.yml +index c27b441..75df348 100644 +--- a/compose/compose.calypso.yml ++++ b/compose/compose.calypso.yml +@@ -8,4 +8,4 @@ services: + #- CALYPSO_CAN_ENCODE=false + #- CALYPSO_SOCKETCAN_IFACE=vcan0 + # in sim or prod mode +- - CALYPSO_SIREN_HOST_URL=siren:1883 ++ - CALYPSO_SIREN_HOST_URL=siren:8883 +diff --git a/compose/compose.client-dev.yml b/compose/compose.client-dev.yml +index 9b4c46c..875434d 100644 +--- a/compose/compose.client-dev.yml ++++ b/compose/compose.client-dev.yml +@@ -1,7 +1,7 @@ + services: + scylla-server: + environment: +- - SCYLLA_SIREN_HOST_URL=siren:1883 ++ - SCYLLA_SIREN_HOST_URL=siren:8883 + + siren: + extends: +diff --git a/compose/compose.router.yml b/compose/compose.router.yml +index 9a660e0..06be21f 100644 +--- a/compose/compose.router.yml ++++ b/compose/compose.router.yml +@@ -3,7 +3,7 @@ services: + depends_on: + - siren + environment: +- - SCYLLA_SIREN_HOST_URL=siren:1883 ++ - SCYLLA_SIREN_HOST_URL=siren:8883 + - SCYLLA_BATCH_UPSERT_TIME=20 + init: false + +diff --git a/compose/compose.tpu.yml b/compose/compose.tpu.yml +index 88ea321..6dda3c2 100644 +--- a/compose/compose.tpu.yml ++++ b/compose/compose.tpu.yml +@@ -1,7 +1,7 @@ + services: + scylla-server: + environment: +- - SCYLLA_SIREN_HOST_URL=host.docker.internal:1883 ++ - SCYLLA_SIREN_HOST_URL=host.docker.internal:8883 + - SCYLLA_RATE_LIMIT_MODE=static + - SCYLLA_STATIC_RATE_LIMIT_VALUE=100 + extra_hosts: +diff --git a/scylla-server/src/main.rs b/scylla-server/src/main.rs +index d51d3fc..033dd06 100755 +--- a/scylla-server/src/main.rs ++++ 
b/scylla-server/src/main.rs +@@ -77,7 +77,7 @@ struct ScyllaArgs { + short = 'u', + long, + env = "SCYLLA_SIREN_HOST_URL", +- default_value = "localhost:1883" ++ default_value = "localhost:8883" + )] + siren_host_url: String, + +diff --git a/siren-base/compose.siren.yml b/siren-base/compose.siren.yml +index 3e4e4c6..4d97b46 100644 +--- a/siren-base/compose.siren.yml ++++ b/siren-base/compose.siren.yml +@@ -4,10 +4,10 @@ services: + restart: unless-stopped + image: eclipse-mosquitto:latest + ports: +- - 1883:1883 ++ - 8883:8883 + - 9002:9001 # win conflict on 9001 + expose: +- - 1883 ++ - 8883 + volumes: + - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf + cpu_shares: 2048 +diff --git a/siren-base/mosquitto/mosquitto.conf b/siren-base/mosquitto/mosquitto.conf +index 19deeea..f691d2e 100755 +--- a/siren-base/mosquitto/mosquitto.conf ++++ b/siren-base/mosquitto/mosquitto.conf +@@ -49,7 +49,7 @@ queue_qos0_messages false + # Listeners + # ================================================================= + +-listener 1883 ++listener 8883 + + socket_domain ipv4 + +@@ -176,7 +176,7 @@ allow_anonymous true + connection tpu + # *** tpu ip + # *** diff from tpu +-address 192.168.100.12 ++address 192.168.100.12:8883 + # *** diff from tpu (needed as topic key required) + topic reserved out 2 dummy dummyremote + diff --git a/siren-base/mosquitto/.gitignore b/siren-base/mosquitto/.gitignore new file mode 100644 index 00000000..275ece24 --- /dev/null +++ b/siren-base/mosquitto/.gitignore @@ -0,0 +1,2 @@ +*.key +*.crt diff --git a/siren-base/mosquitto/mosquitto.conf b/siren-base/mosquitto/mosquitto.conf new file mode 100644 index 00000000..19bf51ec --- /dev/null +++ b/siren-base/mosquitto/mosquitto.conf 
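Review bot: The nested `listener 8883` change in this checked-in patch only moves the port; without `certfile`/`keyfile` on that listener (and `cafile` if client certificates are wanted), 8883 still serves plaintext MQTT, and every `SCYLLA_SIREN_HOST_URL`/`CALYPSO_SIREN_HOST_URL` client the patch repoints will simply connect in the clear. The patch also appears not to match the tree this commit builds: it lists `index 19deeea..f691d2e` for mosquitto.conf while this same commit creates that file as `19bf51ec`, and the committed copy keeps `listener 1883` while already carrying `address 192.168.100.12:8883`, so it looks like it would not apply cleanly. If the port change is intended, apply it to the tracked files and drop `secure_mqtt.patch` instead of shipping a patch file inside the repository; if the listener itself is meant to be TLS, pair `listener 8883` with `certfile` and `keyfile` lines.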
@@ -0,0 +1,255 @@ +# See mosquitto.conf for comments and info. https://mosquitto.org/man/mosquitto-conf-5.html +# All options here uncommented were changed, commented are the defaults being noted. +# Note that comments cannot be on the same line as uncommented keys (ie # only respected at line position 0) +# # *** ^^^ + +max_topic_alias 65534 + +#per_listener_settings false + +allow_zero_length_clientid false + +#auto_id_prefix auto- + +check_retain_source false + +#max_inflight_bytes 0 + +#max_inflight_messages 20 + +#max_keepalive 65535 + +#max_packet_size 0 + +#max_queued_bytes 0 + +max_queued_messages 0 + +#memory_limit 0 + +#message_size_limit 0 + +persistent_client_expiration 14d + +#pid_file + +queue_qos0_messages false + +#retain_available true + +#set_tcp_nodelay false + +#sys_interval 10 + +#upgrade_outgoing_qos false + +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +listener 1883 + +socket_domain ipv4 + +#bind_interface + +#http_dir + +#max_connections -1 + +#mount_point + +#protocol mqtt + +#use_username_as_clientid + +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- + +#certfile + +#keyfile + +#ciphers + +#ciphers_tls1.3 + +#crlfile + +#dhparamfile + +#require_certificate false + +#cafile +#capath + +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- + +#psk_hint + +#ciphers + +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +autosave_interval 30 + +#autosave_on_changes false + +# 
*** diff from tpu +persistence true + +#persistence_file mosquitto.db + +# *** diff from tpu +persistence_location /mosquitto/data + + +# ================================================================= +# Logging +# ================================================================= +# *** diff from tpu (for docker) +log_dest stdout + +log_type error +log_type warning +log_type notice +log_type information +log_type subscribe +log_type unsubscribe +#log_type information + +connection_messages true + +log_timestamp true + +#log_timestamp_format + +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +#clientid_prefixes + +allow_anonymous true + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +#password_file + +#psk_file + +#acl_file + +# *** diff from tpu +#plugin /usr/lib/mosquitto/mosquitto_message_timestamp.so + +# plugin_opt_db_host +# plugin_opt_db_port +# plugin_opt_db_username +# plugin_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# *** diff from tpu +connection tpu +# *** tpu ip +# *** diff from tpu +address 192.168.100.12:8883 +# *** diff from tpu (needed as topic key required) +topic reserved out 2 dummy dummyremote + + +#bridge_bind_address + +#bridge_attempt_unsubscribe true + +bridge_protocol_version mqttv50 + +#cleansession false + +#idle_timeout 60 + +#keepalive_interval 60 + +#local_clientid + +notifications true + +#notification_topic + +# *** diff from tpu +remote_clientid base_station + +#remote_password + +#remote_username + +restart_timeout 5 + +#round_robin false + +#start_type automatic + +#threshold 10 + +#try_private true + +#bridge_outgoing_retain 
true + +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- + +bridge_cafile /mosquitto/config/ca.crt +#bridge_capath + +#bridge_alpn + +bridge_insecure false + +bridge_certfile /mosquitto/config/base-station-broker.crt + +bridge_keyfile /mosquitto/config/base-station-broker.key + +bridge_tls_version tlsv1.2 + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- + +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +#include_dir + +max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991 From 25dc2ebd2df9619e3c5ec4a875b3b6102e6064dd Mon Sep 17 00:00:00 2001 From: char1ss4 Date: Thu, 12 Mar 2026 11:29:10 -0400 Subject: [PATCH 2/4] fix: restore dropped settings and fix inline comment in moquitto.conf --- siren-base/mosquitto/mosquitto.conf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/siren-base/mosquitto/mosquitto.conf b/siren-base/mosquitto/mosquitto.conf index 19bf51ec..b1612e3d 100644 --- a/siren-base/mosquitto/mosquitto.conf +++ b/siren-base/mosquitto/mosquitto.conf @@ -3,7 +3,8 @@ # Note that comments cannot be on the same line as uncommented keys (ie # only respected at line position 0) # # *** ^^^ -max_topic_alias 65534 +max_topic_alias 0 +max_topic_alias_broker 0 #per_listener_settings false @@ -187,6 +188,8 @@ topic reserved out 2 dummy dummyremote bridge_protocol_version mqttv50 +bridge_max_topic_alias 0 + #cleansession false #idle_timeout 60 
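Review bot: The broker's own listener stays unauthenticated plaintext: `listener 1883` has no `certfile`/`keyfile`, and `allow_anonymous true` remains set, so only the outbound bridge leg (`bridge_cafile`, `bridge_certfile`, `bridge_keyfile`, `bridge_insecure false`) is actually protected, which is narrower than "TLS encryption to MQTT bridge" may read to others. If that is deliberate for clients inside the compose network, document it at the listener, e.g. `# plaintext listener: internal compose network only; the bridge to tpu is TLS (see Bridges section)`; otherwise add `certfile`/`keyfile` to the listener and consider `require_certificate true` together with a `password_file`/`acl_file`. The bridge client key referenced by `bridge_keyfile` is a long-lived credential for the car-side broker, so it is worth a comment there on where it comes from and how it is rotated.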
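Review bot: `max_topic_alias_broker 0` here and `bridge_max_topic_alias 0` in the `@@ -187,6 +188,8 @@` hunk are, as far as I can tell, options only recognised by recent mosquitto releases, and mosquitto refuses to start on an unknown configuration key, so with `image: eclipse-mosquitto:latest` whether the broker comes up now depends on what `latest` resolves to on a given day. Pin the image to a release known to accept these keys and note the dependency next to them, e.g. `# *** requires a mosquitto release that knows max_topic_alias_broker; see the pinned image tag in compose.siren.yml`.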
@@ -252,4 +255,5 @@ bridge_tls_version tlsv1.2 #include_dir -max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991 +# *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991 +max_qos 2 From 3ef1f10b8c3ba4d404ce89db9c4d641f59489775 Mon Sep 17 00:00:00 2001 From: char1ss4 Date: Thu, 12 Mar 2026 12:55:44 -0400 Subject: [PATCH 3/4] fix: add cert volume mounts to compose.siren.yml for TLS bridge --- siren-base/compose.siren.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 siren-base/compose.siren.yml diff --git a/siren-base/compose.siren.yml b/siren-base/compose.siren.yml new file mode 100644 index 00000000..54b87366 --- /dev/null +++ b/siren-base/compose.siren.yml @@ -0,0 +1,17 @@ +services: + siren: + container_name: siren + restart: unless-stopped + image: eclipse-mosquitto:latest + ports: + - 1883:1883 + - 9002:9001 # win conflict on 9001 + expose: + - 1883 + volumes: + - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf + - ./mosquitto/certs/ca.crt:/mosquitto/config/certs/ca.crt:ro + - ./mosquitto/certs/base-station-broker.crt:/mosquitto/config/certs/base-station-broker.crt:ro + - ./mosquitto/certs/base-station-broker.key:/mosquitto/config/certs/base-station-broker.key:ro + cpu_shares: 2048 + oom_kill_disable: true From 6a74c5c14ce8b3c0f810f8b1cd7ba178c1e7a498 Mon Sep 17 00:00:00 2001 From: char1ss4 Date: Thu, 12 Mar 2026 13:01:17 -0400 Subject: [PATCH 4/4] fix: add *.pem and *.p12 to mosquitto gitignore --- siren-base/mosquitto/.gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/siren-base/mosquitto/.gitignore b/siren-base/mosquitto/.gitignore index 275ece24..f9ee6285 100644 --- a/siren-base/mosquitto/.gitignore +++ b/siren-base/mosquitto/.gitignore @@ -1,2 +1,4 @@ *.key *.crt +*.pem +*.p12
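Review bot: The mount targets do not match the paths mosquitto.conf reads: the conf in this series sets `bridge_cafile /mosquitto/config/ca.crt`, `bridge_certfile /mosquitto/config/base-station-broker.crt` and `bridge_keyfile /mosquitto/config/base-station-broker.key`, while these volumes place the files under `/mosquitto/config/certs/`, so the bridge will not find its TLS material at startup. Either drop the `certs/` component from the three container-side paths here or change the three `bridge_*file` lines in mosquitto.conf to the `certs/` paths, but not both. The file is also created here (`new file mode`, `--- /dev/null`) although the checked-in secure_mqtt.patch expects it to already exist, and it still publishes the plaintext listener on `1883:1883` from an unpinned `eclipse-mosquitto:latest`. The `:ro` flag on the key mount is right; since the host file is bind-mounted as-is, also make sure `base-station-broker.key` is not group- or world-readable on the host.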