Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What type of SSL/TLS support is included in Sonoff-Tasmota? #146

Closed
KonstantinMastak opened this issue Mar 4, 2017 · 31 comments
Closed
Labels
question Type - Asking for Information

Comments

@KonstantinMastak
Copy link

I want to enable TLS support, but I see that I can only set MQTT_FINGERPRINT which is, as far as I understand, a fingerprint of server (public) certificate.

I searched through sources of Tasmota and pubsubclient and I can't find anything like these:

espClient.setCertificate(client_bin_crt, client_bin_crt_len);
espClient.setPrivateKey(client_bin_key, client_bin_key_len);

Does it mean that server cert fingerprint check is the only part which is implemented by now, and I can't use real client-side certs at this time?

@arendst
Copy link
Owner

arendst commented Mar 4, 2017

Correct. If you know of an esp8266 SSL/TLS implementation using only 470MB with your wishes just let me know.

@arendst arendst added the question Type - Asking for Information label Mar 4, 2017
@KonstantinMastak
Copy link
Author

Thank you for your answer! I just came accross this article:

https://hackaday.io/project/12482-garage-door-opener/log/45617-connecting-the-esp8266-with-tls

It seems that full (more or less) TLS implementation can be achieved, if we:

  1. Upload client cert file to ESP flash. Article suggests using ESP8266FS tool for Arduino IDE for this.
  2. Open and load these files into memory using SPIFFS
  3. Use wifiClient.loadCertificate and then wifiClient.loadPrivateKey
  4. Then do what you already do - call wifiClient.verify, etc.

However, it is not clear for me if these steps will result in client->server authentification. Maybe, not.

@SpiraMirabilis
Copy link

if you have a server on permises you can use stunnel and have the server/computer handle SSL and proxy traffic to the ESP8266

@davidelang
Copy link
Collaborator

@KonstantinMastak the example that you point to is also just using fingerprinting rather than full CA validation. Given the small amount of space left on the devices, I don't see how we could possibly afford to include the CA certs needed to validate some random cert we run into. So the best that we could do is to allow certs signed by a specific CA.

My day job is computer security (almost 20 years protecting financial data, including almost 2000 banks and credit unions), and just validating that it's a valid cert isn't enough, you also need to validate that it's a cert you are supposed to accept, and the fingerprint of the cert is a very good way to do that. So it's not clear to me that there is any significant advantage to changing to full validation.

running stunnel or a reverse proxy is a far better approach.

Please re-open this if you do find a way to do full validation in a small space

@khcnz
Copy link

khcnz commented Mar 19, 2017

And you don't want to have to deal with things like cert revocation, or for example REQUIRING external network access to NTP to get the current date to check the cert is in its validity period. Thumbprint is a pretty accepted way to do business...

@KonstantinMastak
Copy link
Author

Thank you for all your answers! This really makes sense. I'll go on with fingerprinting.

@wiktorschmidt
Copy link

Just wanted to share this here: https://github.com/copercini/esp8266-aws_iot

Also a related discussion:
aws/aws-iot-device-sdk-embedded-C#7

@SpiraMirabilis
Copy link

SpiraMirabilis commented Sep 3, 2017 via email

@Sunrise17
Copy link

@KonstantinMastak, Have you ever solved or to formulate fingerprint instead uploading AWS Certificates (cert.pem, private.key, CA.pem) to Tasmota?

@KonstantinMastak
Copy link
Author

KonstantinMastak commented Oct 10, 2017 via email

@Sunrise17
Copy link

@KonstantinMastak, Is it possible to use Tasmota with AWS IoT?

@KonstantinMastak
Copy link
Author

KonstantinMastak commented Oct 12, 2017 via email

@ChaoticEnigma
Copy link

I'm a little confused by the discussion here. The original question was whether it is supported to add a certificate and private key to the firmware for MQTT TLS (presumably for authentication on the server side). And then the subject changed to CA certificate validation?

It seems the answer to the original question is currently no. But, it seems that the ESP8266WiFi library supports this, so I don't see why it couldn't be implemented. A DER private key (2048-bit) and cert should be <3KiB.

Since a private key is not currently included with the firmware, what is used for the SSL connection? Is a key generated in memory at startup?

And yes, implementing "real" CA validation may be impossible, but I think a fingerprint for the server cert is enough for the time being. From a security standpoint, I'm more worried about unauthorized devices connecting to my broker than a man-in-the-middle attack on a client device.

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@davidelang
Copy link
Collaborator

davidelang commented Nov 20, 2017 via email

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@ChaoticEnigma
Copy link

ChaoticEnigma commented Nov 20, 2017

Ok, I get all that, but I don't think this thread was about (and I'm not interested in) having the ESP validate the server's cert. Fingerprinting is enough.

I am interested in the ESP sending a certificate (signed by a CA key) to the MQTT server, so the server can authenticate based on the signed certificate alone. Tasmota-Sonoff does not currently support this, so that is what I am looking into.

For example, some other MQTT devices do this with Mosquitto with options require_certificate true and use_identity_as_username true. This avoids the need for client paswords / unique usernames, and you can just generate client keys and signed certs for the ESP.

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@KonstantinMastak
Copy link
Author

KonstantinMastak commented Nov 20, 2017 via email

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@KonstantinMastak
Copy link
Author

KonstantinMastak commented Nov 20, 2017 via email

@SpiraMirabilis
Copy link

SpiraMirabilis commented Nov 20, 2017 via email

@ChaoticEnigma
Copy link

@SpiraMirabilis That's quite the comprehensive guide there. I've actually already done pretty much exactly what you describe. I added setCertificate and setPrivateKey calls right before the connect/verify on WifiClientSecure in MqttReconnect in sonoff.ino. Unfortunately, it doesn't seem the client is serving the key to the server (or the server doesn't like it).

I also noticed the ESP8266Wifi library provided by platformIO is much older than the upstream version at esp8266/Arduino, which purportedly supports TLSv1.2 now. Maybe worth the time to pull a copy of that into Sonoff-Tasmota? I may give that a shot if I don't have luck with the current version.

I'm currently working on some Wifi signal issues, I will get back to this and determine if the WifiClientSecure is actually sending the certificate.

@thunberg
Copy link

I'm new to this topic, but coming at it from the position of wanting to be able to use a Sonoff-Tasmota to connect to AWS IoT, which requires certificate authentication.

It appears what's needed is esp8266/Arduino 2.4, which has axTLS 2.x which has TLS 1.2:

https://github.com/esp8266/Arduino/releases

Further it seems there are already examples of this implemented:

https://github.com/copercini/esp8266-aws_iot

@thunberg
Copy link

Has there been any progress on this? Would love a clean way to use Sonoff devices on AWS.

@hackbar
Copy link
Contributor

hackbar commented Jun 1, 2018

I'd also like to use Sonoff to with Google IoT Core, which has the same TLS and cert requirements as AWS.

@vaijab
Copy link

vaijab commented Aug 12, 2018

I'd also like to use Sonoff to with Google IoT Core, which has the same TLS and cert requirements as AWS.

I am looking for a solution to this. How are people connecting their sonoff devices to Google IoT Core at the moment?

@ghost
Copy link

ghost commented Sep 26, 2018

Are there any instructions built for compiling in the SSL support?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Type - Asking for Information
Projects
None yet
Development

No branches or pull requests