Skip to content

[examples]: enhance example with docs, pytest setup, and standalone test server(IDFGH-16585) #902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 21, 2025
Merged

[examples]: enhance example with docs, pytest setup, and standalone test server(IDFGH-16585) #902

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
254 changes: 249 additions & 5 deletions components/esp_websocket_client/examples/target/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,42 @@
# Websocket Sample application

This example will shows how to set up and communicate over a websocket.
This example shows how to set up and communicate over a websocket.

## Table of Contents

- [Hardware Required](#hardware-required)
- [Configure the project](#configure-the-project)
- [Pre-configured SDK Configurations](#pre-configured-sdk-configurations)
- [Server Certificate Verification](#server-certificate-verification)
- [Generating Self-signed Certificates](#generating-a-self-signed-certificates-with-openssl)
- [Build and Flash](#build-and-flash)
- [Testing with pytest](#testing-with-pytest)
- [Example Output](#example-output)
- [WebSocket Test Server](#websocket-test-server)
- [Python Flask Echo Server](#alternative-python-flask-echo-server)

## Quick Start

1. **Install dependencies:**
```bash
pip install -r esp-protocols/ci/requirements.txt
```

2. **Configure and build:**
```bash
idf.py menuconfig # Configure WiFi/Ethernet and WebSocket URI
idf.py build
```

3. **Flash and monitor:**
```bash
idf.py -p PORT flash monitor
```

4. **Run tests:**
```bash
pytest .
```

## How to Use Example

Expand All @@ -15,6 +51,20 @@ This example can be executed on any ESP32 board, the only required interface is
* Configure the websocket endpoint URI under "Example Configuration", if "WEBSOCKET_URI_FROM_STDIN" is selected then the example application will connect to the URI it reads from stdin (used for testing)
* To test a WebSocket client example over TLS, please enable one of the following configurations: `CONFIG_WS_OVER_TLS_MUTUAL_AUTH` or `CONFIG_WS_OVER_TLS_SERVER_AUTH`. See the sections below for more details.

### Pre-configured SDK Configurations

This example includes several pre-configured `sdkconfig.ci.*` files for different testing scenarios:

* **sdkconfig.ci** - Default configuration with WebSocket over Ethernet (IP101 PHY, ESP32, IPv6) and hardcoded URI.
* **sdkconfig.ci.plain_tcp** - WebSocket over plain TCP (no TLS, URI from stdin) using Ethernet (IP101 PHY, ESP32, IPv6).
* **sdkconfig.ci.mutual_auth** - WebSocket with mutual TLS authentication (client/server certificate verification, skips CN check) and URI from stdin.
* **sdkconfig.ci.dynamic_buffer** - WebSocket with dynamic buffer allocation, Ethernet (IP101 PHY, ESP32, IPv6), and hardcoded URI.

Example:
```
idf.py -DSDKCONFIG_DEFAULTS="sdkconfig.ci.plain_tcp" build
```

### Server Certificate Verification

* Mutual Authentication: When `CONFIG_WS_OVER_TLS_MUTUAL_AUTH=y` is enabled, it's essential to provide valid certificates for both the server and client.
Expand All @@ -26,7 +76,7 @@ This example can be executed on any ESP32 board, the only required interface is
Please note: This example represents an extremely simplified approach to generating self-signed certificates/keys with a single common CA, devoid of CN checks, lacking password protection, and featuring hardcoded key sizes and types. It is intended solely for testing purposes.
In the outlined steps, we are omitting the configuration of the CN (Common Name) field due to the context of a testing environment. However, it's important to recognize that the CN field is a critical element of SSL/TLS certificates, significantly influencing the security and efficacy of HTTPS communications. This field facilitates the verification of a website's identity, enhancing trust and security in web interactions. In practical deployments beyond testing scenarios, ensuring the CN field is accurately set is paramount for maintaining the integrity and reliability of secure communications

### Generating a self signed Certificates with OpenSSL
### Generating a self signed Certificates with OpenSSL manually
* The example below outlines the process for creating new certificates for both the server and client using OpenSSL, a widely-used command line tool for implementing TLS protocol:

```
Expand Down Expand Up @@ -63,6 +113,46 @@ Please see the openssl man pages (man openssl) for more details.
It is **strongly recommended** to not reuse the example certificate in your application;
it is included only for demonstration.

### Certificate Generation Options

#### Option 1: Manual OpenSSL Commands
Follow the step-by-step process in the section above to understand certificate generation.

#### Option 2: Automated Script
**Note:** Test certificates are already available in the example. If you want to regenerate them or create new ones, use the provided `generate_certs.sh` script:

```bash
# Auto-detect local IP address (recommended for network testing)
./generate_certs.sh

# Specify custom hostname or IP address
./generate_certs.sh 192.168.1.100

# Use localhost (for local-only testing)
./generate_certs.sh localhost
```

This script automatically generates all required certificates in the correct directories and cleans up temporary files.

**Important:** The server certificate's Common Name (CN) must match the hostname or IP address that ESP32 clients use to connect. If not specified, the script attempts to auto-detect your local IP address. Certificate verification will fail if there's a mismatch between the CN and the actual connection address.

**CN Mismatch Handling:**
If you encounter certificate verification failures due to CN mismatch, you have two options:

1. **Recommended (Secure):** Regenerate certificates with the correct CN:
```bash
./generate_certs.sh <actual_hostname_or_ip>
```

2. **Testing Only (Less Secure):** Skip CN verification by enabling `CONFIG_WS_OVER_TLS_SKIP_COMMON_NAME_CHECK=y` in `idf.py menuconfig`.

⚠️ **WARNING:** This option disables an important security check and should **NEVER** be used in production environments. It makes your application vulnerable to man-in-the-middle attacks.

#### Option 3: Online Certificate Generators
- **mkcert**: `install mkcert` then `mkcert -install` and `mkcert localhost`
- **Let's Encrypt**: For production certificates (free, automated renewal)
- **Online generators**: Search for "self-signed certificate generator" online

### Build and Flash

Build the project and flash it to the board, then run monitor tool to view serial output:
Expand All @@ -73,7 +163,36 @@ idf.py -p PORT flash monitor

(To exit the serial monitor, type ``Ctrl-]``.)

See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.
See the [ESP-IDF Getting Started Guide](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/index.html) for full steps to configure and use ESP-IDF to build projects.

## Testing with pytest

### Install Dependencies

Before running the pytest tests, you need to install the required Python packages:

```
pip install -r esp-protocols/ci/requirements.txt
```

### Run pytest

After installing the dependencies, you can run the pytest tests:

Run all tests in current directory:
```
pytest .
```

Run specific test file:
```
pytest pytest_websocket.py
```

To specify the target device or serial port, use:
```
pytest --target esp32 --port /dev/ttyUSB0
```

## Example Output

Expand Down Expand Up @@ -105,9 +224,101 @@ W (9162) WEBSOCKET: Received=hello 0003
```


## Python Flask echo server
## WebSocket Test Server

### Standalone Test Server

This example includes a standalone WebSocket test server (`websocket_server.py`) that can be used for testing your ESP32 WebSocket client:

#### Quick Start

**Plain WebSocket (No TLS):**
```bash
# Plain WebSocket server (no encryption)
python websocket_server.py

# Custom port
python websocket_server.py --port 9000
```

**Server-Only Authentication:**
```bash
# TLS WebSocket server (ESP32 verifies server)
python websocket_server.py --tls

# Custom port with TLS
python websocket_server.py --port 9000 --tls
```

**Mutual Authentication:**
```bash
# TLS with client certificate verification (both verify each other)
python websocket_server.py --tls --client-verify

# Custom port with mutual authentication
python websocket_server.py --port 9000 --tls --client-verify
```

#### Server Features
- **Echo functionality** - Automatically echoes back received messages
- **TLS support** - Secure WebSocket (WSS) connections
- **Client certificate verification** - Mutual authentication support
- **Binary and text messages** - Handles both data types
- **Auto IP detection** - Shows connection URL with your local IP

#### Verification Modes

**Plain WebSocket (No TLS):**
- No certificate verification on either side
- Use for local testing or trusted networks
- Configuration: `CONFIG_WS_OVER_TLS_MUTUAL_AUTH=n` and `CONFIG_WS_OVER_TLS_SERVER_AUTH=n`

**Server-Only Authentication (`--tls` without `--client-verify`):**
- ESP32 verifies the server's certificate
- Server does NOT verify the ESP32's certificate
- Use when you trust the client but want to verify the server
- Configuration: `CONFIG_WS_OVER_TLS_SERVER_AUTH=y`

**Mutual Authentication (`--tls --client-verify`):**
- ESP32 verifies the server's certificate
- Server verifies the ESP32's certificate
- Use when both parties need to authenticate each other
- Configuration: `CONFIG_WS_OVER_TLS_MUTUAL_AUTH=y`

#### Usage Examples

**Plain WebSocket (No TLS or Client Verification):**
```bash
# Basic server (port 8080)
python websocket_server.py

# Custom port
python websocket_server.py --port 9000
```

By default, the `wss://echo.websocket.org` endpoint is used. You can setup a Python websocket echo server locally and try the `ws://<your-ip>:5000` endpoint. To do this, install Flask-sock Python package
**Server-Only Authentication (ESP32 verifies server, server doesn't verify ESP32):**
```bash
# TLS server without client verification
python websocket_server.py --tls

# Custom port with TLS
python websocket_server.py --port 9000 --tls
```

**Mutual Authentication (Both ESP32 and server verify each other's certificates):**
```bash
# TLS server with client certificate verification
python websocket_server.py --tls --client-verify

# Custom port with mutual authentication
python websocket_server.py --port 9000 --tls --client-verify
```

The server will display the connection URL (e.g., `wss://192.168.1.100:8080`) that you can use in your ESP32 configuration.

### Alternative: Python Flask Echo Server

By default, the `wss://echo.websocket.org` endpoint is used. You can also setup a Python Flask websocket echo server locally and try the `ws://<your-ip>:5000` endpoint. To do this, install Flask-sock Python package

```
pip install flask-sock
Expand Down Expand Up @@ -135,3 +346,36 @@ if __name__ == '__main__':
# gunicorn -b 0.0.0.0:5000 --workers 4 --threads 100 module:app
app.run(host="0.0.0.0", debug=True)
```

## Troubleshooting

### Common Issues

**Connection failed:**
- Verify WiFi/Ethernet configuration in `idf.py menuconfig`
- Check if the WebSocket server is running and accessible
- Ensure the URI is correct (use `wss://` for TLS, `ws://` for plain TCP)

**TLS certificate errors:**
- **Certificate verification failed:** The most common cause is CN mismatch. Ensure the server certificate's Common Name matches the hostname/IP you're connecting to:
- Check your connection URI (e.g., if connecting to `wss://192.168.1.100:8080`, the certificate CN must be `192.168.1.100`)
- Regenerate certificates with the correct CN: `./generate_certs.sh <your_hostname_or_ip>`
- For testing only, you can bypass CN check with `CONFIG_WS_OVER_TLS_SKIP_COMMON_NAME_CHECK=y` (NOT recommended for production)
- Verify certificate files are properly formatted and accessible
- Ensure the CA certificate used to sign the server certificate is loaded on the ESP32

**Build errors:**
- Clean build: `idf.py fullclean`
- Check ESP-IDF version compatibility
- Verify all dependencies are installed

**Test failures:**
- Ensure the device is connected and accessible via the specified port
- Check that the target device matches the configuration (`--target esp32`)
- Verify pytest dependencies are installed correctly

### Getting Help

- Check the [ESP-IDF documentation](https://docs.espressif.com/projects/esp-idf/)
- Review the [WebSocket client component documentation](../../README.md)
- Report issues on the [ESP Protocols repository](https://github.com/espressif/esp-protocols)
85 changes: 85 additions & 0 deletions components/esp_websocket_client/examples/target/generate_certs.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
#!/bin/bash
# Generate CA, Server, and Client certificates automatically
#
# Usage: ./generate_certs.sh [SERVER_CN]
# SERVER_CN: The Common Name (hostname or IP) for the server certificate.
# This should match the hostname/IP that ESP32 clients will use to connect.
# If not provided, the script will attempt to auto-detect the local IP address.
# Falls back to "localhost" if auto-detection fails.
#
# IMPORTANT: The server certificate's Common Name (CN) must match the hostname or IP address
# that ESP32 clients use to connect. If there's a mismatch, certificate verification will fail
# during the TLS handshake. For production use, always specify the correct hostname/IP.

# Get server hostname/IP from command line argument or auto-detect
if [ -n "$1" ]; then
SERVER_CN="$1"
echo "Using provided SERVER_CN: $SERVER_CN"
else
# Attempt to auto-detect local IP address
# Try multiple methods for better compatibility across different systems
if command -v hostname >/dev/null 2>&1; then
# Try to get IP from hostname command (works on most Unix systems)
SERVER_CN=$(hostname -I 2>/dev/null | awk '{print $1}')
fi

# If the above failed, try ifconfig (macOS and some Linux systems)
if [ -z "$SERVER_CN" ] && command -v ifconfig >/dev/null 2>&1; then
SERVER_CN=$(ifconfig | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}' | head -n1)
fi

# If still empty, try ip command (modern Linux systems)
if [ -z "$SERVER_CN" ] && command -v ip >/dev/null 2>&1; then
SERVER_CN=$(ip -4 addr show | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | grep -v 127.0.0.1 | head -n1)
fi

# Fall back to localhost if auto-detection failed
if [ -z "$SERVER_CN" ]; then
SERVER_CN="localhost"
echo "Warning: Could not auto-detect IP address. Using 'localhost' as SERVER_CN."
echo " If your server runs on a different machine or IP, re-run with: ./generate_certs.sh <hostname_or_ip>"
else
echo "Auto-detected SERVER_CN: $SERVER_CN"
fi
fi

echo "Note: ESP32 clients must connect using: $SERVER_CN"
echo ""

# Create directories if they don't exist
mkdir -p main/certs/server

echo "Generating CA certificate..."
openssl genrsa -out main/certs/ca_key.pem 2048
openssl req -new -x509 -days 3650 -key main/certs/ca_key.pem -out main/certs/ca_cert.pem -subj "/C=US/ST=State/L=City/O=Organization/CN=TestCA"

echo "Generating Server certificate with CN=$SERVER_CN..."
openssl genrsa -out main/certs/server/server_key.pem 2048
openssl req -new -key main/certs/server/server_key.pem -out server_csr.pem -subj "/C=US/ST=State/L=City/O=Organization/CN=$SERVER_CN"
openssl x509 -req -days 3650 -in server_csr.pem -CA main/certs/ca_cert.pem -CAkey main/certs/ca_key.pem -CAcreateserial -out main/certs/server/server_cert.pem

echo "Generating Client certificate..."
openssl genrsa -out main/certs/client_key.pem 2048
openssl req -new -key main/certs/client_key.pem -out client_csr.pem -subj "/C=US/ST=State/L=City/O=Organization/CN=TestClient"
openssl x509 -req -days 3650 -in client_csr.pem -CA main/certs/ca_cert.pem -CAkey main/certs/ca_key.pem -CAcreateserial -out main/certs/client_cert.pem

# Clean up CSR files
rm server_csr.pem client_csr.pem

echo "Certificates generated successfully!"
echo ""
echo "Generated files:"
echo " - main/certs/ca_cert.pem (CA certificate)"
echo " - main/certs/ca_key.pem (CA private key)"
echo " - main/certs/client_cert.pem (Client certificate)"
echo " - main/certs/client_key.pem (Client private key)"
echo " - main/certs/server/server_cert.pem (Server certificate with CN=$SERVER_CN)"
echo " - main/certs/server/server_key.pem (Server private key)"
echo ""
echo "IMPORTANT: Configure ESP32 clients to connect to: $SERVER_CN"
echo " The server certificate is valid for this hostname/IP only."
echo ""
echo "Note: If the CN doesn't match your connection hostname/IP, you have two options:"
echo " 1. Regenerate certificates with correct CN: ./generate_certs.sh <correct_hostname_or_ip>"
echo " 2. Skip CN verification (TESTING ONLY): Enable CONFIG_WS_OVER_TLS_SKIP_COMMON_NAME_CHECK=y"
echo " WARNING: Option 2 reduces security and should NOT be used in production!"
Loading
Loading