Add separate SSL channel for mqtt transport

application/src/main/resources/thingsboard.yml

@@ -595,6 +595,10 @@ transport:
     ssl:
       # Enable/disable SSL support
       enabled: "${MQTT_SSL_ENABLED:false}"
+      # MQTT SSL bind address
+      bind_address: "${MQTT_SSL_BIND_ADDRESS:0.0.0.0}"
+      # MQTT SSL bind port
+      bind_port: "${MQTT_SSL_BIND_PORT:8883}"
       # SSL protocol: See http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
       protocol: "${MQTT_SSL_PROTOCOL:TLSv1.2}"
       # Path to the key store that holds the SSL certificate

common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java

@@ -73,7 +73,16 @@ public class MqttSslHandlerProvider {
     @Autowired
     private TransportService transportService;
 
+    private SslHandler sslHandler;
+
     public SslHandler getSslHandler() {
+        if (sslHandler == null) {
+            sslHandler = createSslHandler();
+        }
+        return sslHandler;
+    }
+
+    private SslHandler createSslHandler() {
         try {
             TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             KeyStore trustStore = KeyStore.getInstance(keyStoreType);

common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportServerInitializer.java

@@ -28,16 +28,18 @@ import io.netty.handler.ssl.SslHandler;
 public class MqttTransportServerInitializer extends ChannelInitializer<SocketChannel> {
 
     private final MqttTransportContext context;
+    private final boolean sslEnabled;
 
-    public MqttTransportServerInitializer(MqttTransportContext context) {
+    public MqttTransportServerInitializer(MqttTransportContext context, boolean sslEnabled) {
         this.context = context;
+        this.sslEnabled = sslEnabled;
     }
 
     @Override
     public void initChannel(SocketChannel ch) {
         ChannelPipeline pipeline = ch.pipeline();
         SslHandler sslHandler = null;
-        if (context.getSslHandlerProvider() != null) {
+        if (sslEnabled && context.getSslHandlerProvider() != null) {
             sslHandler = context.getSslHandlerProvider().getSslHandler();
             pipeline.addLast(sslHandler);
         }

common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportService.java

@@ -46,6 +46,14 @@ public class MqttTransportService implements TbTransportService {
     @Value("${transport.mqtt.bind_port}")
     private Integer port;
 
+    @Value("${transport.mqtt.ssl.enabled}")
+    private boolean sslEnabled;
+
+    @Value("${transport.mqtt.ssl.bind_address}")
+    private String sslHost;
+    @Value("${transport.mqtt.ssl.bind_port}")
+    private Integer sslPort;
+
     @Value("${transport.mqtt.netty.leak_detector_level}")
     private String leakDetectorLevel;
     @Value("${transport.mqtt.netty.boss_group_thread_count}")
@@ -59,6 +67,7 @@ public class MqttTransportService implements TbTransportService {
     private MqttTransportContext context;
 
     private Channel serverChannel;
+    private Channel sslServerChannel;
     private EventLoopGroup bossGroup;
     private EventLoopGroup workerGroup;
 
@@ -73,10 +82,18 @@ public class MqttTransportService implements TbTransportService {
         ServerBootstrap b = new ServerBootstrap();
         b.group(bossGroup, workerGroup)
                 .channel(NioServerSocketChannel.class)
-                .childHandler(new MqttTransportServerInitializer(context))
+                .childHandler(new MqttTransportServerInitializer(context, false))
                 .childOption(ChannelOption.SO_KEEPALIVE, keepAlive);
 
         serverChannel = b.bind(host, port).sync().channel();
+        if (sslEnabled) {
+            b = new ServerBootstrap();
+            b.group(bossGroup, workerGroup)
+                    .channel(NioServerSocketChannel.class)
+                    .childHandler(new MqttTransportServerInitializer(context, true))
+                    .childOption(ChannelOption.SO_KEEPALIVE, keepAlive);
+            sslServerChannel = b.bind(sslHost, sslPort).sync().channel();
+        }
         log.info("Mqtt transport started!");
     }
 
@@ -85,6 +102,9 @@ public class MqttTransportService implements TbTransportService {
         log.info("Stopping MQTT transport!");
         try {
             serverChannel.close().sync();
+            if (sslEnabled) {
+                sslServerChannel.close().sync();
+            }
         } finally {
             workerGroup.shutdownGracefully();
             bossGroup.shutdownGracefully();

transport/mqtt/src/main/resources/tb-mqtt-transport.yml

@@ -99,6 +99,10 @@ transport:
     ssl:
       # Enable/disable SSL support
       enabled: "${MQTT_SSL_ENABLED:false}"
+      # MQTT SSL bind address
+      bind_address: "${MQTT_SSL_BIND_ADDRESS:0.0.0.0}"
+      # MQTT SSL bind port
+      bind_port: "${MQTT_SSL_BIND_PORT:8883}"
       # SSL protocol: See http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
       protocol: "${MQTT_SSL_PROTOCOL:TLSv1.2}"
       # Path to the key store that holds the SSL certificate
@@ -298,4 +302,4 @@ management:
     web:
       exposure:
         # Expose metrics endpoint (use value 'prometheus' to enable prometheus metrics).
-        include: '${METRICS_ENDPOINTS_EXPOSE:info}'
+        include: '${METRICS_ENDPOINTS_EXPOSE:info}'