-
Notifications
You must be signed in to change notification settings - Fork 636
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Current status of MQTT SSL #1465
Comments
Some notes after testing:
All tests done with local server, because I could not get cloudmqtt.com to work. It just crashes the board (or fails to connect at the best of times). Tried async/axtls builds, new sync/bearssl, even tried different firmware from mongoose os - nothing works with them :/ Pubsubclient + bearssl combo can also use CA cert instead of fingerprinting, either as hardcoded string or spiffs file. Also, fingerprinting api is different and there is no need to manually do it (client.connect, check fp, mqtt.setClient, mqtt.connect repeat) |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
My experience with core 2.4.2:
I tried testing with core 2.5.0 as well, but unfortunately the binary grows too large to do OTA on a 1MB board - no matter which MQTT library I use. |
Like, what conflicts? I've seen the comment, but I still do not quite understand what conflict is there. In general with BearSSL:
|
MFLN is interesting - if you compile your broker against OpenSSL 1.1 it should work out of the box. It should be quite easy to do a couple of quick As for conflicts: whenever I try to use PubSubClient ( |
Just an update after lots of experimentation:
When using AsyncMqttClient, SSL works but only a few packets. It disconnects and then reconnects in a loop every x packets. |
iit i've already mentioned the problem - you need to manually supply NTP time to the WiFiClient instance. "please start sntp first !" error is coming from us not using LWIP implementation of NTP client, it expects us to call configTime() somewhere (example). With NtpClientLib flow should be
I'll try to update pubsubclient support for this while keeping fingerprinting / support old Core versions. |
Hmm, but this all with axTLS - which doesn't even have |
Ah. Time error would only come with bearssl, when it calls What server config / could mqtt provider do you use for testing? I don't remember any reconnects with local mosquitto + async mqtt |
I see slightly different output in LWIP2 vs LWIP 1.4: Core 2.4.2 / 2.5.0, LWIP 2 with axTLS: :close
:ur 1
:del
:ref 1
:ref 2
State: sending Client Hello (1)
Error: connection lost
:ur 2 Core 2.4.2 / 2.5.0, LWIP 1.4 with axTLS: :close
:ur 1
:del
:ref 1
:ref 2
please start sntp first !
State: sending Client Hello (1)
Error: connection lost
:ur 2 This is just calling Edit: Finally got it working. I can confirm that it's really ESPAsyncTCP that is messing with WifiClientSecure. The following config works for me: #define TELNET_SUPPORT 0
#define WEB_SUPPORT 0
#define TERMINAL_SUPPORT 0
#define OTA_MQTT_SUPPORT 0
#define DEBUG_TELNET_SUPPORT 0
#define ALEXA_SUPPORT 0
#define INFLUXDB_SUPPORT 0
#define THINGSPEAK_SUPPORT 0 |
🤷♂️ Opposite results. BearSSL works, axTLS variant does not. I would not put async as a whole as the reason. We are using more RAM than basic example, and do a lot more inside loop() too. If you are not connected via async library, web or telnet, how would it conflict? Using 2.5.0. BearSSL test that worked:
There's also a small bug with sync client - |
Strange. What makes it complicated is that it depends on a lot of factors, like if the broker supports one of the few ciphers that axTLS supports (e.g. AES128-SHA or AES265-SHA). |
Huh. Tests done on Fedora 29 Looking at debug log, connection fails on Hello step. Packet capture shows that server answers:
Which I don't see here: https://github.com/igrr/axtls-8266/blob/master/README.md But!, It is in the cipher list inside client's Hello:
Most basic mosquitto config. Changing ciphers does nothing, client disconnects right after server Hello is done.
edit: Which is probably something broken with 2.5.0 + axtls client, because older Cores work fine. |
I just tested both core 2.4.2 (axTLS) and 2.5.0 (axTLS and BearSSL), and both work fine for me (BearSSL needs the #define USING_AXTLS // do not use BearSSL
#include "WiFiClientSecureAxTLS.h"
axTLS::WiFiClientSecure _mqtt_client_secure; I pushed the changes to https://github.com/Niek/espurna/tree/mqtt-fixes |
Ok. BTW, I had changed MQTT settings bit in #1701. I'd like to merge that to fix reloading, if you can review for any issues it would be appreciated. Brief look ArduinoMQTT, I think it still applies. It copies some of params, and we can't know which were set. e.g. hostname and will topic are private members with no public getters. Otherwise, I am a big fan of WiFiClient interface. I wish both async clients were a bit more pluggable, so it would not be a must to change async-mqtt-client code :( sidenote: In #1693 I tried a different approach at splitting implementations. I am a bit scared of too much nested ifdefs, but it might be a personal preference |
If this gains traction, especially @Niek 's changes, it could be a positive development to merge. Because the telnet interface is incomplete, and insecure, not being able to operate the web interface over SSL is an issue, especially since MQTT with SSL is probably a definite must at this point. Relying on the security of the physical transport link (wireless) to safeguard MQTT credentials is a dumb idea. I haven't had time to test any of these yet, but I'm keeping a watchful eye on this thread and hope @xoseperez does too. |
Regarding secure WiFiClient in general, there are two annoying problems with old Cores: Verifier struct(s) not freed before client is destroyed (only needed when connecting, not after) |
That seems to be fixed in core 2.5.2 / PIO 2.2.0 - I'm adding a PR now to add support for the last 2 releases. I will also soon post a PR with the MQTT changes. |
Linking this PR in here: #1829 |
The Tasmota way of PEM->DER->base64->config sounds overly complicated to me, in my opinion it would make much more sense to upload the certificate files through the web UI and store it somewhere on the FS (sample code: https://github.com/esp8266/Arduino/blob/0937b076c8ac31d3dbfe7ed4ccc3a2efd7378396/libraries/ESP8266WiFi/examples/BearSSL_CertStore/BearSSL_CertStore.ino#L141-L150). Or maybe even offer the option to auto-fetch the server certificate once and store it for future connects. |
Running latest master branch as of today, I'm not sure anymore if the SSL support still conflicts with the web UI regardless of the platform used (I'm building with 180).
It would be nice to have a current document on SSL on its own page, as well as tweaks to enable HTTP access for the UI but MQTT over SSL, to minimize the performance requirements.
The text was updated successfully, but these errors were encountered: