SSL support for ESP32 #140
Comments
|
You are correct. If you're adventurous, you could try https://github.com/tve/async-mqtt-client |
Is it possible to merge that fork with this repository? I know this is an old issue. Thanks! |
|
Is there any update on this? Can the fork mentioned above be merged? |
|
Is there an update on this? I need client SSL support only for the ESP32. I will try tve's branch, but the "if you're adventurous" comment does not inspire confidence! |
|
I guess the situation is still the same if interpret @bertmelis #239 (comment) correclty |
|
It's trivial to patch this lib (maybe we should?). I believe that's all to it. There is no certificate check though, so MITM is not covered. |
|
Why does async-mqtt-client need a patch for SSL support for ESP32? That should be the responsibility of AsyncTCP or am I wrong here? |
It won't compile because the methods in AsyncTCP and ESPAsyncTCP are not the same. There is also no fingerprint checking available in AsyncTCP. |
|
Thanks. I thought AsyncTCP is just the ESP32 equivalent of ESPAsyncTCP. |
|
It is, but not the TLS part. (there are also some behavioural specifics) |
|
I tried out tve's branch and I cannot even get it to compile! I am probably making an obvious error. If anyone could help I would appreciate it. I am programming the ESP 32 on PlatformIO on Visual Studio. The Arduino framework. I have been using AsyncMQTTClient for a while and it works great. Now I am trying to get SSL going on my client (the ESP32). So I changed to using tve's fork of async-mqtt-client along with his fork of AsyncTCP. I followed his instructions here https://github.com/tve/AsyncTCP/tree/mbed-tls including adding build_flags = -DASYNC_TCP_SSL_ENABLED=true to platformio.ini. I get the compiler errors In file included from .pio/libdeps/esp32dev/AsyncTCP/src/AsyncTCP.cpp:24:0: Another odd thing is that tcp_mbedtls.c is greyed out is VS, even though the #if ASYNC_TCP_SSL_ENABLED shows true. I do not know if that is related but I do not understand it. This must be used, right? I do not need to use certificates but will use pre-shared keys. Looks like I will need to call setPsk with the key, but I need to get it to compile first! Thanks for any help, Kevin |
|
the [-Werror=reorder] error means that the parameters in the constructor are passed in a different order than they were defined in the .h file. This should normally be easy to fix by swapping the corresponding parameters in the constructor. |
|
Thanks luebbe, you are right. Just switching the declarations in ASynchTCP.h like this and the errors went away. Also my "greyed" out problem in tcp_mbedtls.c was caused by defining DASYNC_TCP_SSL_ENABLED both in the code and in a build flag. I removed the definition and the gray went away (yay!). I would like to encourage the authors to add the client PSK encryption into the master. A little more documentation would help, for example, which of these is supported? CipherSuite Key Exchange Cipher Hash TLS_PSK_WITH_RC4_128_SHA PSK RC4_128 SHA I am also wondering: is any of the ESP32 encryption hardware used? mbedtls looks to be pure software so maybe it can be sped up. Once I get it working I will be glad to write up any details I learn. Encrypted MQTT is useful for a lot of Edge computing. Kevin |
|
I'm not not even remotely familiar with TLS. So can't answer these questions. |
|
Thanks, Bert. If I get things up and running I will try to contribute something. Kevin |
|
Any update on this? I really need to get MQTT working over SSL on my ESP32 using https://github.com/esphome/esphome which uses AsyncTCP. |
|
I could never get SSL working with ASynch MQTT Client. It would work for a while, then crash. I finally changed over to the Arduino MQTT package. https://www.arduino.cc/reference/en/libraries/mqtt/ It uses WiFiClientSecure and works reliably with both PSK and certificates. I recommend it. Kevin |
|
I never really had a use case for secure MQTT on a ESP32. Now I have so I'm thinking about a solution here... What about this: |
|
Well, actually after 3.0.0 Core release for the ESP8266 the whole SSL thing with ESPAsyncTCP is broken down. Your solution for ESP32 is good, but I think that the best solution is to modify ESPAsyncTCP to use BearSSL, and to modify AsyncTCP to use ESP32 SSL library (if there is any). Maybe @Adam5Wu can give his suggestion here... |
|
Ah, didn't know. I don't have the time to read myself into TLS so I can't update the async tcp libs. |
|
Bert, let me give an up vote for implementing SSL. IoT devices are an entry point for attacks, so there is need for secure comms over the net with the ESPs. It would be even better if we could get TLS 1.3. Maybe somebody can help with AsyncTCP and the Bear. There is also the Wolf https://www.wolfssl.com/wolfssl-esp32-hardware-acceleration-support/ Thanks, Kevin |
I'm porting my app from ESP8266 to ESP32. When I enable SSL the compiler tells me "tcp_axtls.h: No such file or directory".
Is that due to the fact that me-no-dev/AsyncTCP still doesn't support SSL?
The text was updated successfully, but these errors were encountered: