Developer blog
25.04.2023

How to go from MQTT to MQTTS with a TLS connector

Here’s how to use MQTT to save data and battery on IoT devices while staying as secure as with MQTTS, thanks to Onomondo’s TLS connector.
Jason Godfrey

Customer Success Manager at Onomondo

What’s the difference between MQTT and MQTTS?

MQTT is a widely used network protocol in IoT for sending messages between devices and a server, and MQTTS is the secured version of this protocol.

Unfortunately, the added security of MQTTS over MQTT requires more traffic and drains device batteries more quickly.

By using an Onomondo TLS Connector, we can have the device use MQTT, which Onomondo transforms into MQTTS in the Core Network, using less traffic and reducing power consumption!

For this example, I use the mqtt module for Node.js, but you should be able to replace it with any other implementation for your language. I also use test.mosquitto.org as the test MQTT server.

An example with MQTTS

This is a basic example of how to use MQTTS to connect:

const fs = require('fs')
const mqtt = require('mqtt')
 
// CA certificate the device uses to verify the broker's TLS certificate
const ca = fs.readFileSync('./mosquitto.org.crt').toString()
const client = mqtt.connect('mqtts://test.mosquitto.org:8883', { ca })
 
client.on('message', (topic, payload) =>
   console.log(`[message received] topic=${topic} payload=${payload.toString()}`)
)
 
client.on('connect', () => {
   console.log('[connected]')
   client.subscribe('helpomondo/testing', () =>
      client.publish('helpomondo/testing', 'Hello from device')
   )
})

Note that you need to have the mosquitto.org.crt on your device.

I used Onomondo’s Traffic Monitor to capture the packets going to and from the device, but you can also use Wireshark. When I ran it, this little example used 3.6 KB. Most of it is used establishing the secure connection.

Let’s see how we can do it more efficiently with a TLS connector.

Setting up the TLS connector

Now it’s time to create a new connector in the Onomondo App. For this example, we need to set the host as test.mosquitto.org, port to 8883, and put the contents of mosquitto.org.crt into the connector setup. We also add two passthrough rules to pass all UDP and ICMP packets directly to the internet.

With this setup, all TCP traffic going out from your device (no matter which IP/host it’s supposed to go to) will go to test.mosquitto.org:8883, and Onomondo creates a TLS connection to that endpoint.

Your setup in Onomondo should look similar to this:

[Screenshot: MQTT to MQTTS connector setup in Onomondo]

Now find your SIM on the SIMs page in the Onomondo App, and edit it by setting the connector to the one we’ve just created.

The result should look something like this:

[Screenshot: SIM connector settings in Onomondo]

Example with MQTT

Let’s go back to the code example and set it up to only use MQTT and not MQTTS.

const mqtt = require('mqtt')
 
const client = mqtt.connect('mqtt://test.mosquitto.org:8883')
// Notice how we went from `mqtts://` to `mqtt://` and removed the `ca`
 
client.on('message', (topic, payload) =>
   console.log(`[message received] topic=${topic} payload=${payload.toString()}`)
)
 
client.on('connect', () => {
   console.log('[connected]')
   client.subscribe('helpomondo/testing', () =>
      client.publish('helpomondo/testing', 'Hello from device')
   )
})

So it’s very similar to before, except for a few key things. The protocol is now mqtt and not mqtts. We also removed the ca certificate file.

I used the Traffic Monitor to capture packets going to and from the device again.

This example now uses 1.1 KB instead of the original 3.6 KB, a saving of over 69%.
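
To put both measurements in perspective, the following added example (not part of the original post or of Onomondo's code) encodes the MQTT 3.1.1 packets this exchange needs and counts their bytes. MQTT 3.1.1, QoS 0, the 60-second keep-alive and the client ID `mqttjs_0a1b2c3d` are assumptions made for the example.

```javascript
// Added example: MQTT 3.1.1 packet encoder for the post's exchange.
// Client ID, keep-alive and QoS 0 are assumed values, not captured traffic.

// "Remaining length" field: 7 bits per byte, high bit set = more bytes follow.
function encodeRemainingLength(n) {
  const out = []
  do {
    let b = n % 128
    n = Math.floor(n / 128)
    if (n > 0) b |= 0x80
    out.push(b)
  } while (n > 0)
  return Buffer.from(out)
}

// UTF-8 string with a 2-byte big-endian length prefix.
function mqttString(s) {
  const body = Buffer.from(s, 'utf8')
  const len = Buffer.alloc(2)
  len.writeUInt16BE(body.length)
  return Buffer.concat([len, body])
}
const u16 = (n) => Buffer.from([n >> 8, n & 0xff])

// Fixed header (type/flags byte + remaining length) followed by the body.
function packet(firstByte, ...parts) {
  const body = Buffer.concat(parts)
  return Buffer.concat([Buffer.from([firstByte]), encodeRemainingLength(body.length), body])
}

// CONNECT: protocol name, level 4 (3.1.1), flags 0x02 (clean session).
const connect = (clientId, keepAlive = 60) =>
  packet(0x10, mqttString('MQTT'), Buffer.from([0x04, 0x02]), u16(keepAlive), mqttString(clientId))

// SUBSCRIBE: packet id, topic filter, requested QoS 0.
const subscribe = (packetId, topic) =>
  packet(0x82, u16(packetId), mqttString(topic), Buffer.from([0x00]))

// PUBLISH at QoS 0 carries no packet id.
const publish = (topic, payload) =>
  packet(0x30, mqttString(topic), Buffer.from(payload, 'utf8'))

function exchangeBytes(topic, payload, clientId) {
  const up = connect(clientId).length + subscribe(1, topic).length + publish(topic, payload).length
  // Broker replies: CONNACK (4 bytes), SUBACK (5 bytes), and our own message echoed back.
  const down = 4 + 5 + publish(topic, payload).length
  return { up, down, total: up + down }
}
console.log(exchangeBytes('helpomondo/testing', 'Hello from device', 'mqttjs_0a1b2c3d'))
```

Under these assumptions the MQTT packets total 141 bytes, so most of both measurements is overhead beneath MQTT, and in the MQTTS case the TLS setup. With `mqtt://`, these same bytes (client ID, topic and payload) are what the device sends as plain TCP, protected on that hop by the cellular encryption the post describes further down.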

Benefits of using a TLS connector

Saves on data cost

  • Less data transferred.
  • In this example we went from ~3.6 KB to ~1.1 KB.

Saves on battery usage

No encryption on the device

  • Saves on battery usage by not having to handle encryption.
  • Fewer or no keys or certificates on the device that might need to be updated.
  • Communication between devices and the network is still encrypted using cellular standards.

Is this still secure?

A little-known fact about telco is that the traffic is actually secure from your device until it hits your provider.

A SIM card mostly contains keys, which are one end of the encryption, and the matching keys are on the provider’s side.

That means that traffic is always encrypted until it gets to your provider (i.e. Onomondo), but then it goes on the Internet.

Since most providers just pass traffic on to the Internet, you typically need to encrypt traffic on devices, an expensive process.

By using a TLS connector, Onomondo makes sure that there is an encrypted connection between Onomondo and your endpoint.

So, to sum up, the path is protected in two segments: cellular traffic is already encrypted between device and provider, and by adding a TLS connector, the traffic is encrypted between Onomondo and your endpoint.

One extra little bonus

Remember how I mentioned that all TCP traffic going out of the device went to test.mosquitto.org:8883?

This actually means we no longer have to look up test.mosquitto.org on the device. So we can remove that hostname from our example and save that lookup for even more optimization!

...
 
const client = mqtt.connect('mqtt://1.2.3.4')
// Notice how we removed the hostname. There's only an IP address now.
 
...

How to debug with the MQTT Explorer

To help test this, I found it very helpful to use MQTT Explorer. You can subscribe to helpomondo/testing and see whether the device behaves as expected.

Happy testing!
