MQTT TLS Verify Fingerprint Fail with Core 2.5.0 #4952

Closed
5 of 6 tasks
majherek opened this issue Jan 16, 2019 · 30 comments
Labels
awaiting feedback Action - Waiting for response or more information on hold Result - User can't continue with issue troubleshooting Type - Troubleshooting

Comments

@majherek

majherek commented Jan 16, 2019

Describe the bug
Using the same configuration in my_user_config.h, Tasmota 6.4.1.9 on Core 2.4.2 can verify the MQTT TLS cert and works well. The same Tasmota compiled with Core 2.5.0 (https://github.com/Jason2866/platform-espressif8266.git#Tasmota) can't verify the cert.

It is weird, because in core 2.5.0 much more RAM is available compared to 2.4.2 (taken from Tasmota WIKI) - so I think IT IS NOT A RAM ISSUE!!!

Also, make sure these boxes are checked [x] before submitting your issue - Thank you!

  • Searched the problem in issues and in the wiki
  • Hardware used : sonoff basic with 4MB flash
  • If a pre-compiled release or development binary was used, which one? :
  • Development/Compiler/Upload tools used : Visual Studio Code with PlatformIO
  • You have tried latest release or development binaries? : 6.4.1.9
  • Provide the output of command status 0 :
    Working STATUS 0 (core 2.4.2):
20:50:32 CMD: STATUS 0
20:50:32 MQT: stat/sonoff/STATUS = {"Status":{"Module":1,"FriendlyName":["Sonoff 12"],"Topic":"sonoff","ButtonTopic":"0","Power":0,"PowerOnState":3,"LedState":1,"SaveData":1,"SaveState":1,"SwitchTopic":"0","SwitchMode":[0,0,0,0,0,0,0,0],"ButtonRetain":0,"SwitchRetain":0,"SensorRetain":0,"PowerRetain":0}}
20:50:32 MQT: stat/sonoff/STATUS1 = {"StatusPRM":{"Baudrate":115200,"GroupTopic":"sonoffs","OtaUrl":"http://sonoff-ota.majchrowski.waw.pl:8888/api/arduino/sonoff12.ino.bin","RestartReason":"Software/System restart","Uptime":"0T00:18:31","StartupUTC":"2019-01-16T19:32:01","Sleep":50,"BootCount":3,"SaveCount":5,"SaveAddress":"3F7000"}}
20:50:32 MQT: stat/sonoff/STATUS2 = {"StatusFWR":{"Version":"6.4.1.9(sonoff)","BuildDateTime":"2019-01-16T20:29:19","Boot":31,"Core":"2_4_2","SDK":"2.2.1(cfd48f3)"}}
20:50:32 MQT: stat/sonoff/STATUS3 = {"StatusLOG":{"SerialLog":2,"WebLog":0,"SysLog":2,"LogHost":"192.168.199.251","LogPort":514,"SSId":["atomix","MAJCOMNET HTC"],"TelePeriod":60,"SetOption":["00008009","558180C0","00000000"]}}
20:50:32 MQT: stat/sonoff/STATUS4 = {"StatusMEM":{"ProgramSize":413,"Free":2656,"Heap":16,"ProgramFlashSize":4096,"FlashSize":4096,"FlashChipId":"1640EF","FlashMode":3,"Features":["00000809","06082744","140003A0","000004C6","000000C0"]}}
20:50:32 MQT: stat/sonoff/STATUS5 = {"StatusNET":{"Hostname":"sonoff-0476","IPAddress":"192.168.20.12","Gateway":"192.168.20.254","Subnetmask":"255.255.255.0","DNSServer":"192.168.199.251","Mac":"EC:FA:BC:14:81:DC","Webserver":0,"WifiConfig":4}}
20:50:32 MQT: stat/sonoff/STATUS6 = {"StatusMQT":{"MqttHost":"mqtt.majchrowski.waw.pl","MqttPort":8883,"MqttClientMask":"sonoff12","MqttClient":"sonoff12","MqttUser":"sonoff","MqttType":1,"MAX_PACKET_SIZE":1000,"KEEPALIVE":15}}
20:50:32 MQT: stat/sonoff/STATUS7 = {"StatusTIM":{"UTC":"Wed Jan 16 19:50:32 2019","Local":"Wed Jan 16 20:50:32 2019","StartDST":"Sun Mar 31 02:00:00 2019","EndDST":"Sun Oct 27 03:00:00 2019","Timezone":99}}
20:50:32 MQT: stat/sonoff/STATUS10 = {"StatusSNS":{"Time":"2019-01-16T20:50:32"}}
20:50:32 MQT: stat/sonoff/STATUS11 = {"StatusSTS":{"Time":"2019-01-16T20:50:32","Uptime":"0T00:18:31","Vcc":3.363,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"atomix","BSSId":"06:8D:DB:DB:97:47","Channel":11,"RSSI":72}}}

Not working Status 0 (core 2.5.0)

21:10:51 CMD: STATUS 0
21:10:51 RSL: stat/sonoff/STATUS = {"Status":{"Module":1,"FriendlyName":["Sonoff 12"],"Topic":"sonoff","ButtonTopic":"0","Power":0,"PowerOnState":3,"LedState":1,"SaveData":1,"SaveState":1,"SwitchTopic":"0","SwitchMode":[0,0,0,0,0,0,0,0],"ButtonRetain":0,"SwitchRetain":0,"SensorRetain":0,"PowerRetain":0}}
21:10:51 RSL: stat/sonoff/STATUS1 = {"StatusPRM":{"Baudrate":115200,"GroupTopic":"sonoffs","OtaUrl":"http://sonoff-ota.majchrowski.waw.pl:8888/api/arduino/sonoff12.ino.bin","RestartReason":"Exception","Uptime":"0T00:00:13","StartupUTC":"2019-01-16T20:10:38","Sleep":50,"BootCount":7,"SaveCount":9,"SaveAddress":"3FB000"}}
21:10:51 RSL: stat/sonoff/STATUS2 = {"StatusFWR":{"Version":"6.4.1.9(sonoff)","BuildDateTime":"2019-01-16T21:06:53","Boot":31,"Core":"STAGE","SDK":"3.0.0-dev(c0f7b44)"}}
21:10:51 RSL: stat/sonoff/STATUS3 = {"StatusLOG":{"SerialLog":2,"WebLog":0,"SysLog":2,"LogHost":"192.168.199.251","LogPort":514,"SSId":["atomix","MAJCOMNET HTC"],"TelePeriod":60,"SetOption":["00008009","558180C0","00000000"]}}
21:10:51 RSL: stat/sonoff/STATUS4 = {"StatusMEM":{"ProgramSize":466,"Free":2604,"Heap":27,"ProgramFlashSize":4096,"FlashSize":4096,"FlashChipId":"1640EF","FlashMode":3,"Features":["00000809","06082744","040003A0","000004C6","000000C0"]}}
21:10:51 RSL: stat/sonoff/STATUS5 = {"StatusNET":{"Hostname":"sonoff-0476","IPAddress":"192.168.20.12","Gateway":"192.168.20.254","Subnetmask":"255.255.255.0","DNSServer":"192.168.199.251","Mac":"EC:FA:BC:14:81:DC","Webserver":0,"WifiConfig":4}}
21:10:51 RSL: stat/sonoff/STATUS6 = {"StatusMQT":{"MqttHost":"mqtt.majchrowski.waw.pl","MqttPort":8883,"MqttClientMask":"sonoff12","MqttClient":"sonoff12","MqttUser":"sonoff","MqttType":1,"MAX_PACKET_SIZE":1000,"KEEPALIVE":15}}
21:10:51 RSL: stat/sonoff/STATUS7 = {"StatusTIM":{"UTC":"Wed Jan 16 20:10:51 2019","Local":"Wed Jan 16 21:10:51 2019","StartDST":"Sun Mar 31 02:00:00 2019","EndDST":"Sun Oct 27 03:00:00 2019","Timezone":99}}
21:10:51 RSL: stat/sonoff/STATUS10 = {"StatusSNS":{"Time":"2019-01-16T21:10:51"}}
21:10:51 RSL: stat/sonoff/STATUS11 = {"StatusSTS":{"Time":"2019-01-16T21:10:51","Uptime":"0T00:00:13","Vcc":3.360,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"atomix","BSSId":"06:8D:DB:DB:97:47","Channel":11,"RSSI":66}}}
21:10:55 MQT: Attempting connection...

To Reproduce
Compile Tasmota with MQTT TLS, with almost everything commented out in the config (I use only BMP and DS18b20). I can provide my_user_config.h.
Core 2.4.2:

0:00:00 Project sonoff Sonoff 12 Version 6.4.1.9(sonoff)-2_4_2
00:00:00 WIF: Connecting to AP1 atomix in mode 11N as sonoff-0476...
00:00:04 WIF: Connected
20:32:07 MQT: Attempting connection...
20:32:07 MQT: Verify TLS fingerprint...
20:32:07 MQT: Verified using FingerprintCA
20:32:07 MQT: Connected
20:32:07 MQT: tele/sonoff/LWT = Online (retained)
20:32:08 MQT: cmnd/sonoff/POWER =
20:32:08 MQT: tele/sonoff/INFO1 = {"Module":"Sonoff Basic","Version":"6.4.1.9(sonoff)","FallbackTopic":"cmnd/sonoff12_fb/","GroupTopic":"sonoffs"}
20:32:08 MQT: tele/sonoff/INFO3 = {"RestartReason":"Software/System restart"}
20:32:08 MQT: stat/sonoff/RESULT = {"POWER":"OFF"}
20:32:08 MQT: stat/sonoff/POWER = OFF
20:32:16 MQT: tele/sonoff/STATE = {"Time":"2019-01-16T20:32:16","Uptime":"0T00:00:15","Vcc":3.538,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"atomix","BSSId":"06:8D:DB:DB:97:47","Channel":11,"RSSI":92}}
20:32:24 CMD: mqttfingerprint1
20:32:24 MQT: stat/sonoff/RESULT = {"MqttFingerprint1":"69 93 F5 A6 EE A5 AD DA 2D DC 3C E7 DE 72 AB 3B DC CA 81 4D"}

Core 2.5.0

00:00:00 Project sonoff Sonoff 12 Version 6.4.1.9(sonoff)-STAGE
00:00:00 WIF: Connecting to AP1 atomix in mode 11N as sonoff-0476...
00:00:04 WIF: Connected
21:09:31 MQT: Attempting connection...
21:09:31 MQT: Verify TLS fingerprint...
21:09:31 MQT: Failed
21:09:42 MQT: Attempting connection...
21:09:42 MQT: Verify TLS fingerprint...
21:09:42 MQT: Failed
21:09:53 MQT: Attempting connection...
21:09:53 MQT: Verify TLS fingerprint...
21:09:54 MQT: Failed
21:10:04 MQT: Attempting connection...
21:10:04 MQT: Verify TLS fingerprint...
21:10:05 MQT: Failed
21:10:16 MQT: Attempting connection...
21:10:16 MQT: Verify TLS fingerprint...

PlatformIO.ini file:

[core_2_4_2]
; *** Esp8266 core for Arduino version 2.4.2
platform                  = [email protected]
build_flags               = ${esp82xx_defaults.build_flags}
                            -Wl,-Teagle.flash.4m1m.ld
                            -lstdc++ -lsupc++
; lwIP 1.4 (Default)
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP_HIGHER_BANDWIDTH
; lwIP 2 - Low Memory
                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_LOW_MEMORY
; lwIP 2 - Higher Bandwidth (Tasmota default)
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_HIGHER_BANDWIDTH
                            -DVTABLES_IN_FLASH

[core_2_5_0]
; *** Esp8266 core for Arduino version Core 2.5.0 beta tested for Tasmota
platform                  = https://github.com/Jason2866/platform-espressif8266.git#Tasmota
build_flags               = ${esp82xx_defaults.build_flags}
                            -Wl,-Teagle.flash.4m1m.ld
; lwIP 1.4 (Default)
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP_HIGHER_BANDWIDTH
; lwIP 2 - Low Memory
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_LOW_MEMORY
; lwIP 2 - Higher Bandwidth
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_HIGHER_BANDWIDTH
; lwIP 2 - Higher Bandwidth Low Memory no Features
                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_LOW_MEMORY_LOW_FLASH
; lwIP 2 - Higher Bandwidth no Features (Tasmota default)
                            ;-DPIO_FRAMEWORK_ARDUINO_LWIP2_HIGHER_BANDWIDTH_LOW_FLASH
                            -DVTABLES_IN_FLASH
                            -fno-exceptions
                            -lstdc++-nox

[core_active]
; Select one core set for platform and build_flags
;platform                  = ${core_2_3_0.platform}
;build_flags               = ${core_2_3_0.build_flags}
;platform                  = ${core_2_4_2.platform}
;build_flags               = ${core_2_4_2.build_flags}
platform                  = ${core_2_5_0.platform}
build_flags               = ${core_2_5_0.build_flags}
;platform                  = ${core_stage.platform}
;build_flags               = ${core_stage.build_flags}

[common]
framework                 = arduino
board                     = esp01_1m
board_build.flash_mode    = dout

platform                  = ${core_active.platform}
build_flags               = ${core_active.build_flags}
;                            -DUSE_CLASSIC
;                            -DBE_MINIMAL
;                            -DUSE_SENSORS
;                            -DUSE_BASIC
;                            -DUSE_KNX_NO_EMULATION
;                            -DUSE_DISPLAYS
;                            -DUSE_CONFIG_OVERRIDE

I found another closed issue with the same problem. But why is it not working on Core 2.5.0?

@ascillato2 ascillato2 added the troubleshooting Type - Troubleshooting label Jan 16, 2019
@ascillato2
Collaborator

Are you using latest version from today of the core 2.5.0?

The core 2.5.0 is in beta. It is not released yet and it is constantly being updated.

@ascillato2 ascillato2 added the awaiting feedback Action - Waiting for response or more information label Jan 16, 2019
@ascillato2
Collaborator

ascillato2 commented Jan 16, 2019

Please try the latest core. Remember that platform.io doesn't sync with the files from the repository, so you have to manually copy and paste the files (this is because the core is still in development). You are testing the edge versions of everything, so it can fail.

@Jason2866
Collaborator

Jason2866 commented Jan 16, 2019

For latest stage core (many issues fixed since beta2) change
In beta2 the 4M size is wrong in the template and doesn't work correctly at all!

;platform                  = ${core_2_5_0.platform}
;build_flags               = ${core_2_5_0.build_flags}
platform                  = ${core_stage.platform}
build_flags               = ${core_stage.build_flags}

@andrethomas
Contributor

I think PR #4703 may bear reference

@majherek
Author

@ascillato2: I have core 2.5.0 from a few days ago. Visual Studio Code downloads it using git. I will try today to remove the core and download it again. Should I take it from: https://github.com/Jason2866/platform-espressif8266.git#Tasmota?

@Jason2866: I will change to stage and also remove it before, to download new one. Also, should I take it from: https://github.com/platformio/platform-espressif8266.git#feature/stage?
Should I link it using 1M? -Wl,-Teagle.flash.1m.ld?

@ascillato2
Collaborator

ascillato2 commented Jan 17, 2019

You should take the core directly from the source in the Arduino repository (https://github.com/esp8266/Arduino). There you will find the latest version and also the install instructions. The other 2 repositories you mention are old copies and may not work as they don't have the latest fixes.

@ascillato2
Collaborator

> Should I link it using 1M? -Wl,-Teagle.flash.1m.ld?

That only depends on the device you are using. The default works fine.

@majherek
Author

I followed the instruction "Using Arduino Framework with Staging version". Updated the Core to the newest version.

And it is still not working.

00:00:00 Project sonoff Sonoff 12 Version 6.4.1.9(sonoff)-STAGE
00:00:00 WIF: Connecting to AP1 atomix in mode 11N as sonoff-0476...
00:00:04 WIF: Connected
22:10:03 MQT: Attempting connection...
22:10:03 MQT: Verify TLS fingerprint...
22:10:03 MQT: Failed
22:10:06 CMD: STATUS 0
22:10:06 RSL: stat/sonoff/STATUS = {"Status":{"Module":1,"FriendlyName":["Sonoff 12"],"Topic":"sonoff","ButtonTopic":"0","Power":0,"PowerOnState":3,"LedState":1,"SaveData":1,"SaveState":1,"SwitchTopic":"0","SwitchMode":[0,0,0,0,0,0,0,0],"ButtonRetain":0,"SwitchRetain":0,"SensorRetain":0,"PowerRetain":0}}
22:10:06 RSL: stat/sonoff/STATUS1 = {"StatusPRM":{"Baudrate":115200,"GroupTopic":"sonoffs","OtaUrl":"http://sonoff-ota.majchrowski.waw.pl:8888/api/arduino/sonoff12.ino.bin","RestartReason":"Software/System restart","Uptime":"0T00:00:09","StartupUTC":"2019-01-17T21:09:57","Sleep":50,"BootCount":14,"SaveCount":16,"SaveAddress":"3F4000"}}
22:10:06 RSL: stat/sonoff/STATUS2 = {"StatusFWR":{"Version":"6.4.1.9(sonoff)","BuildDateTime":"2019-01-17T22:08:10","Boot":31,"Core":"STAGE","SDK":"3.0.0-dev(c0f7b44)"}}
22:10:06 RSL: stat/sonoff/STATUS3 = {"StatusLOG":{"SerialLog":2,"WebLog":0,"SysLog":2,"LogHost":"192.168.199.251","LogPort":514,"SSId":["atomix","MAJCOMNET HTC"],"TelePeriod":60,"SetOption":["00008009","558180C0","00000000"]}}
22:10:06 RSL: stat/sonoff/STATUS4 = {"StatusMEM":{"ProgramSize":466,"Free":2604,"Heap":27,"ProgramFlashSize":4096,"FlashSize":4096,"FlashChipId":"1640EF","FlashMode":3,"Features":["00000809","06082744","040003A0","000004C6","000000C0"]}}
22:10:06 RSL: stat/sonoff/STATUS5 = {"StatusNET":{"Hostname":"sonoff-0476","IPAddress":"192.168.20.12","Gateway":"192.168.20.254","Subnetmask":"255.255.255.0","DNSServer":"192.168.199.251","Mac":"EC:FA:BC:14:81:DC","Webserver":0,"WifiConfig":4}}
22:10:06 RSL: stat/sonoff/STATUS6 = {"StatusMQT":{"MqttHost":"mqtt.majchrowski.waw.pl","MqttPort":8883,"MqttClientMask":"sonoff12","MqttClient":"sonoff12","MqttUser":"sonoff","MqttType":1,"MAX_PACKET_SIZE":1000,"KEEPALIVE":15}}
22:10:06 RSL: stat/sonoff/STATUS7 = {"StatusTIM":{"UTC":"Thu Jan 17 21:10:06 2019","Local":"Thu Jan 17 22:10:06 2019","StartDST":"Sun Mar 31 02:00:00 2019","EndDST":"Sun Oct 27 03:00:00 2019","Timezone":99}}
22:10:06 RSL: stat/sonoff/STATUS10 = {"StatusSNS":{"Time":"2019-01-17T22:10:06"}}
22:10:06 RSL: stat/sonoff/STATUS11 = {"StatusSTS":{"Time":"2019-01-17T22:10:06","Uptime":"0T00:00:09","Vcc":3.362,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"atomix","BSSId":"06:8D:DB:DB:97:47","Channel":11,"RSSI":94}}}



[core_stage]
; *** Esp8266 core for Arduino version latest beta
platform                  = https://github.com/platformio/platform-espressif8266.git#feature/stage
build_flags               = ${esp82xx_defaults.build_flags}
                            -Wl,-Teagle.flash.4m1m.ld
; lwIP 1.4 (Default)
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP_HIGHER_BANDWIDTH
; lwIP 2 - Low Memory
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_LOW_MEMORY
; lwIP 2 - Higher Bandwidth
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_HIGHER_BANDWIDTH
; lwIP 2 - Higher Bandwidth Low Memory no Features
                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_LOW_MEMORY_LOW_FLASH
; lwIP 2 - Higher Bandwidth no Features
;                            -DPIO_FRAMEWORK_ARDUINO_LWIP2_HIGHER_BANDWIDTH_LOW_FLASH
; VTABLES in Flash (default)
                            -DVTABLES_IN_FLASH
; VTABLES in Heap
;                            -DVTABLES_IN_DRAM
; VTABLES in IRAM
;                            -DVTABLES_IN_IRAM
; enable one option set -> No exception recommended
; No exception code in firmware
                            -fno-exceptions
                            -lstdc++
; Exception code in firmware /needs much space! 90k
;                           -fexceptions
;                           -lstdc++-exc

[core_active]
; Select one core set for platform and build_flags
;platform                  = ${core_2_3_0.platform}
;build_flags               = ${core_2_3_0.build_flags}
;platform                  = ${core_2_4_2.platform}
;build_flags               = ${core_2_4_2.build_flags}
;platform                  = ${core_2_5_0.platform}
;build_flags               = ${core_2_5_0.build_flags}
platform                  = ${core_stage.platform}
build_flags               = ${core_stage.build_flags}

@ascillato
Contributor

Ok, thanks for testing and reporting 👍

@ascillato2 ascillato2 changed the title MQTT TLS Verify Fingerprint Fail with Core 2.5.0 PlatformIO MQTT TLS Verify Fingerprint Fail with Core 2.5.0 Jan 18, 2019
@Jason2866
Collaborator

Could this today merged PR maybe fix it?
#4967

@majherek
Author

> Could this today merged PR maybe fix it?
> #4967

I will check it today.

@majherek
Author

This PR #4967 uses MDNS_HOSTNAME.
And there is no #define MDNS_HOSTNAME in the source code.
This only changes EspClient.verify (fingerprintX, HOSTNAME).

majherek@SOKAR:~/win/Documents/Arduino/Sonoff-Tasmota/sonoff$ grep MDNS_HOST * -r
xdrv_02_mqtt.ino:    #ifdef MDNS_HOSTNAME
xdrv_02_mqtt.ino:      if (!strcmp(MDNS.hostname(i).c_str(), MDNS_HOSTNAME)) {
xdrv_02_mqtt.ino:    #endif  // MDNS_HOSTNAME
xdrv_02_mqtt.ino:#ifdef MDNS_HOSTNAME
xdrv_02_mqtt.ino:    else if (EspClient.verify(fingerprint1, MDNS_HOSTNAME)) {
xdrv_02_mqtt.ino:    else if (EspClient.verify(fingerprint2, MDNS_HOSTNAME)) {
xdrv_02_mqtt.ino:#endif  // MDNS_HOSTNAME

If I don't define MDNS_HOSTNAME it will check fingerprintX with Settings.mqtt_host, otherwise with MDNS_HOSTNAME . That's all.

And I want to use USE_MQTT_TLS_CA_CERT.

In Core 2.5.0 TLS verification works neither with USE_MQTT_TLS_CA_CERT nor with USE_MQTT_TLS only.

@Jason2866
Collaborator

@majherek Open an issue in https://github.com/esp8266/Arduino with an example sketch.
Since this is not under control from Tasmota nothing can be done from Tasmota side.
THX!

@andrethomas
Contributor

@fmeies Can you please confirm if this is core issue or use case issue since you made the original PR? Thanks

@fmeies
Contributor

fmeies commented Jan 19, 2019

@andrethomas I think we can rule out #4703. With this PR an option for verifying against a root certificate has been introduced as an alternative to checking fingerprints but according to the comments and the log output this new option (USE_MQTT_TLS_CA_CERT) is not used in this case.

@majherek
Author

@fmeies I use USE_MQTT_TLS_CA_CERT in this case. But this problem exists both using USE_MQTT_TLS_CA_CERT and without using USE_MQTT_TLS_CA_CERT (using mqttfingerprint1 and mqttfingerprint2). And it exists on Core 2.5.0 (with Core 2.4.2 everything is OK).

20:32:07 MQT: Verify TLS fingerprint...
20:32:07 MQT: Verified using FingerprintCA
20:32:07 MQT: Connected

I will open issue on https://github.com/esp8266/Arduino

@Jason2866
Collaborator

Is this related?

esp8266/Arduino#5640

@majherek
Author

I don't think so...

@majherek
Author

I opened an issue: #5680

@sislakd

sislakd commented Jan 28, 2019

I was facing this issue right after Christmas when I updated my 30+ devices to firmware based on Tasmota v6.4.1 with Arduino Core 2.5.0 beta 2. After a few hours of troubleshooting and a deep dive into the Arduino sources, I found that the root cause is the change of the default TLS implementation in Arduino Core from legacy AxTLS to the new BearTLS. Initially, I changed Tasmota to work with the new BearTLS; however, this was not good, as the BearTLS implementation requires much more memory, causing issues with OTA upgrades, which I need. Thus, finally, I updated Tasmota to use legacy AxTLS. Here is the diff you need to apply to your Tasmota v6.4.1 code:

diff --git a/sonoff/sonoff.ino b/sonoff/sonoff.ino
index 5e51b219..d5e80ea6 100644
--- a/sonoff/sonoff.ino
+++ b/sonoff/sonoff.ino
@@ -33,6 +33,16 @@
 #ifdef USE_CONFIG_OVERRIDE
   #include "user_config_override.h"         // Configuration overrides for my_user_config.h
 #endif
+
+#ifdef USE_MQTT_TLS
+#ifdef ARDUINO_ESP8266_RELEASE_2_5_0_BETA2
+#define USING_AXTLS
+#include <ESP8266WiFi.h>
+#include "WiFiClientSecureAxTLS.h"
+using namespace axTLS;
+#endif // ARDUINO_ESP8266_RELEASE_2_5_0_BETA2
+#endif // USE_MQTT_TLS
+
 #include "sonoff_post.h"                    // Configuration overrides for all previous includes
 #include "i18n.h"                           // Language support configured by my_user_config.h
 #include "sonoff_template.h"                // Hardware configuration
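
Review bot: the guard `#ifdef ARDUINO_ESP8266_RELEASE_2_5_0_BETA2` on the third added line matches only that one core build, so with any other core the whole block compiles to nothing and the firmware silently stays on the core's default TLS client; consider keying the AxTLS fallback on a project-level define, or adding an `#else` branch that emits a `#warning`, so the choice of TLS stack is explicit at build time. Separately, `using namespace axTLS;` sits above the includes of sonoff_post.h, i18n.h and sonoff_template.h, so the namespace is open in every header that follows; moving it below those includes, or qualifying the client type where it is declared, would narrow its effect.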

At the moment, there is Arduino Core 2.5.0 beta 3, but I haven't found there any optimization around BearTLS. Maybe in the future, it will be usable.

arendst added a commit that referenced this issue Jan 28, 2019
Add TLS remarks (#4952)
@Jason2866
Collaborator

@majherek
Could you please test the latest TLS change in Tasmota? Please close if it solves the issue.
Thx.

@ascillato2 ascillato2 added the on hold Result - User can't continue with issue label Jan 31, 2019
@ascillato2
Collaborator

Hi,

Closing issue as there is no feedback. Please, when you have time, tell us if your issue is solved. Thanks.

@majherek
Author

majherek commented Jan 31, 2019

Please open it again, I will check it on weekend, because now I am on delegation. What can I do about this...

@majherek
Author

majherek commented Feb 2, 2019

@Jason2866 Still the same. I now use 2.5.0_BETA3. I saw some changes in support_wifi.ino made by @arendst, but commented out, similar to those made by @sislakd in this issue.

@sislakd Thanks ;-) I use your diff and it works perfectly (after change to BETA3 in my case).

0:00:00 Project sonoff Sonoff 12 Version 6.4.1.13(sonoff)-2_5_0_BETA3
00:00:00 WIF: Connecting to AP1 atomix in mode 11N as sonoff-0476...
00:00:04 WIF: Connected
18:07:50 MQT: Attempting connection...
18:07:50 MQT: Verify TLS fingerprint...
18:07:50 MQT: Verified using FingerprintCA
18:07:51 MQT: Connected
18:07:51 MQT: tele/sonoff/LWT = Online (retained)
18:07:51 MQT: cmnd/sonoff/POWER =
18:07:51 MQT: tele/sonoff/INFO1 = {"Module":"Sonoff Basic","Version":"6.4.1.13(sonoff)","FallbackTopic":"cmnd/sonoff12_fb/","GroupTopic":"sonoffs"}
18:07:51 MQT: tele/sonoff/INFO3 = {"RestartReason":"Software/System restart"}
18:07:51 MQT: stat/sonoff/RESULT = {"POWER":"OFF"}
18:07:51 MQT: stat/sonoff/POWER = OFF
18:07:54 CMD: STATUS 0
18:07:54 MQT: stat/sonoff/STATUS = {"Status":{"Module":1,"FriendlyName":["Sonoff 12"],"Topic":"sonoff","ButtonTopic":"0","Power":0,"PowerOnState":3,"LedState":1,"SaveData":1,"SaveState":1,"SwitchTopic":"0","SwitchMode":[0,0,0,0,0,0,0,0],"ButtonRetain":0,"SwitchRetain":0,"SensorRetain":0,"PowerRetain":0}}
18:07:54 MQT: stat/sonoff/STATUS1 = {"StatusPRM":{"Baudrate":115200,"GroupTopic":"sonoffs","OtaUrl":"http://sonoff-ota.majchrowski.waw.pl:8888/api/arduino/sonoff12.ino.bin","RestartReason":"Software/System restart","Uptime":"0T00:00:10","StartupUTC":"2019-02-02T17:07:44","Sleep":50,"BootCount":9,"SaveCount":11,"SaveAddress":"3F9000"}}
18:07:54 MQT: stat/sonoff/STATUS2 = {"StatusFWR":{"Version":"6.4.1.13(sonoff)","BuildDateTime":"2019-02-02T17:55:20","Boot":31,"Core":"2_5_0_BETA3","SDK":"3.0.0-dev(c0f7b44)"}}
18:07:54 MQT: stat/sonoff/STATUS3 = {"StatusLOG":{"SerialLog":2,"WebLog":0,"SysLog":2,"LogHost":"192.168.199.251","LogPort":514,"SSId":["atomix","MAJCOMNET HTC"],"TelePeriod":60,"SetOption":["00008009","558180C0","00000000"]}}
18:07:54 MQT: stat/sonoff/STATUS4 = {"StatusMEM":{"ProgramSize":425,"Free":2644,"Heap":16,"ProgramFlashSize":4096,"FlashSize":4096,"FlashChipId":"1640EF","FlashMode":3,"Features":["00000809","06082744","040003A0","000004C6","000000C0"]}}
18:07:54 MQT: stat/sonoff/STATUS5 = {"StatusNET":{"Hostname":"sonoff-0476","IPAddress":"192.168.20.12","Gateway":"192.168.20.254","Subnetmask":"255.255.255.0","DNSServer":"192.168.199.251","Mac":"EC:FA:BC:14:81:DC","Webserver":0,"WifiConfig":4}}
18:07:54 MQT: stat/sonoff/STATUS6 = {"StatusMQT":{"MqttHost":"mqtt.majchrowski.waw.pl","MqttPort":8883,"MqttClientMask":"sonoff12","MqttClient":"sonoff12","MqttUser":"sonoff","MqttType":1,"MAX_PACKET_SIZE":1000,"KEEPALIVE":15}}
18:07:54 MQT: stat/sonoff/STATUS7 = {"StatusTIM":{"UTC":"Sat Feb 02 17:07:54 2019","Local":"Sat Feb 02 18:07:54 2019","StartDST":"Sun Mar 31 02:00:00 2019","EndDST":"Sun Oct 27 03:00:00 2019","Timezone":99}}
18:07:54 MQT: stat/sonoff/STATUS10 = {"StatusSNS":{"Time":"2019-02-02T18:07:54"}}
18:07:54 MQT: stat/sonoff/STATUS11 = {"StatusSTS":{"Time":"2019-02-02T18:07:54","Uptime":"0T00:00:10","Vcc":3.144,"SleepMode":"Dynamic","Sleep":50,"LoadAvg":19,"POWER":"OFF","Wifi":{"AP":1,"SSId":"atomix","BSSId":"06:8D:DB:DB:97:47","Channel":11,"RSSI":70}}}

@tim-devel

Hi, I can confirm this issue persists with 2.5.0 final. I am having WiFi stability issues with 2.3 and 2.4.2, so I am desperate to try 2.5, but I am suffering the TLS fingerprint issues detailed above.

@terba

terba commented Sep 11, 2019

A quick hack is to set MqttFingerprint 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00. At the first connection it will be calculated (not correctly) and stored, as I understood. Works for me.
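
Added example, not part of the thread or of Tasmota's code: a host-side check that compares a configured pin in the `MqttFingerprint1` format against a broker certificate and reports the all-zero value from the comment above as a placeholder rather than a pin. It assumes the pin is the SHA-1 digest of the DER-encoded certificate; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a broker certificate: arbitrary bytes, not a
# parseable X.509 structure. A fingerprint pin hashes the raw DER bytes,
# so this is enough to exercise the check offline.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PIN_LEN = 20  # bytes in a SHA-1 digest, same length as MqttFingerprint1 in the logs
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def cert_fingerprint(der: bytes) -> bytes:
    """SHA-1 over the whole DER certificate (assumed pin definition)."""
    return hashlib.sha1(der).digest()


def parse_fingerprint(text: str) -> bytes:
    """Parse '69 93 F5 ...' or '69:93:f5:...' into 20 raw bytes."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))  # ValueError on non-hex
    if len(raw) != PIN_LEN:
        raise ValueError(f"expected {PIN_LEN} bytes, got {len(raw)}")
    return raw


def format_fingerprint(raw: bytes) -> str:
    """Format raw bytes the way the MqttFingerprint1 result prints them."""
    return " ".join(f"{b:02X}" for b in raw)


def check_pin(configured: str, der: bytes) -> str:
    """Classify a configured pin: 'placeholder', 'match' or 'mismatch'."""
    pin = parse_fingerprint(configured)
    if pin == bytes(PIN_LEN):
        # All zeros is the placeholder value from the comment above;
        # report it as unconfigured, never as a match.
        return "placeholder"
    if hmac.compare_digest(pin, cert_fingerprint(der)):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    good = format_fingerprint(cert_fingerprint(der))
    print("pin to configure:", good)
    candidates = (
        good,
        "00 " * 19 + "00",
        # Pin printed in the issue's log; it belongs to a different certificate.
        "69 93 F5 A6 EE A5 AD DA 2D DC 3C E7 DE 72 AB 3B DC CA 81 4D",
    )
    for candidate in candidates:
        print(candidate, "->", check_pin(candidate, der))
```
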
