Using TLS-PSK with MQTT

Good Morning,

I need to communicate with a 3rd party MQTT Broker using TLS-PSK, however I'm struggling to figure out if and how to achieve with Node-Red.

If I were using mosquitto_sub, I would use the command line options --psk hex-key --psk-identity identity-string.

In the TLS config panel of MQTT, I don't see any options for PSK.

Note that I have no issue connecting to any other MQTT brokers via port 1883 or 8883, using username & passwords.

Thanks in advance for your help. And congratulations to the community for a great software tool - I've enjoyed using it for the last 5 years!

Interesting. I'm not sure that the mqtt nodes allow that setting right now. @Steve-Mcl - do you know about that?

Would maybe be a good option - alternative to use certificates? Is it as secure?

The only mention of PSK in mqtt.js is here: Anthentication PSK (pre shared key) with Mosquitto · Issue #283 · mqttjs/MQTT.js · GitHub - not much to go on.

However, I do know mosquitto supports psk and nodejs supports psk

Will need some time to set up a broker & investigate trying psk with mqtt.js on tls.

I would suggest the OP raises this in the #development:feature-requests


I don't believe that PSK is as secure as certificate-based auth. However, depending on the use-case, it might not be significant. The problem with PSK is that, if the key is compromised, you have to reset it for everyone. With certificate-based mutual authentication, you might not need to do that and even if you do, there are automated mechanisms that mean that the client might not even notice.

More importantly though as the question is about an external service, I doubt that the OP could get the authentication method changed.

Apologies for pinging you directly on this one Steve but I thought you might know or would be able to investigate. Probably would be quite nice to have PSK as an option.

True, however (for example) in mosquitto, you can specify multiple identity:psk entries in the psk_file.

Hi All. Thanks for your replies.

As @TotallyInformation guessed, I cannot insist that the authentication method is changed.

I agree with @krambriw and @TotallyInformation that certificate-based authentication is safer. However, in this use case, there are a limited number of gateways communicating with a broker to co-ordinate a green energy trial. The disadvantages @TotallyInformation discussed would have a limited impact.

I would be grateful for any quick fixes - even if I need to write some custom js code. My backup plan is to call the mosquitto_sub CLI, passing in the payload and extracting payloads. That would obviously be a bit of a PITA.

And yes, happy to raise a feature request.

Thanks again all!

Does anybody know what the necessary parameters are for a simple mosquitto.conf setup in order to work with TLS-PSK without certificates?