Stack Trace using SSL example #55
Comments
FYI, I found that the issue was that my cert was generated using SHA512. I used the openssl defaults and everything worked fine. Feel free to close the issue, but you may want to note it as a caveat that SHA512 certs aren't supported currently. FYI, the reason I used SHA512 was because I generated my keys with this: Which was linked from this tutorial:
Thank you for figuring this out. I've just done a few tests: I also note that test.mosquitto.org:8883 uses a certificate with an SHA512 signature, which explains why I can't connect to that server.
Further tests:
I guess this is a bug in the 2.4 staging core? I'm not sure how to provide a test case, though, since the connection goes through many layers. I hardcoded the patterns, which is crude, but means I don't need to require that any other libraries be installed to use it. Also, I did not see MD5 as a legal signature in the reference docs here:
MD5 is broken, and I hope no one is using it; I tested it because it was listed in the tool I was generating the certificates from. Maybe they removed it from the standard? I'll make some amendments to the documentation.
UPDATE
to
Sorry for the trouble. I would like to implement TLS using the Arduino IDE, not with PlatformIO. I am using the staging 2.4.0-rc1 core with the appropriate Async libraries. When I added the TLS parts and tried to compile I got the error; I understand that somehow I need to add the compiler flag. I have been (and still am) using TLS fingerprint with
I got it working with the Arduino IDE. I found you also need to import the ESP WiFi lib as the first thing in your sketch. Example:

```cpp
#include <ESP8266WiFi.h>   // must be the first include in the sketch

#if ASYNC_TCP_SSL_ENABLED
// Before homie setup
#endif
```
@timpur did you achieve stability while running over SSL? I'm running it with the Arduino IDE, and it crashes and reboots the ESP12 several times while connecting to the MQTT broker (it reboots between 2 and 10 times, until it finally connects). Using an SHA256 cert, btw.
Tbh I haven't tested lately, but from memory it seemed fine. No crashes, just a bit longer to connect, but that would make sense. You can try a combo of these options. Try with a better WiFi signal. Also try with the 160 MHz overclock. I'd try the best case, both better WiFi signal and overclock, then work back to see which one makes the most significant difference, assuming this affects the crashes at all. This might tell you if it's performance issues that are causing the crashes. Also, not sure about this, but in my tests I was using SHA256 like you, but I remember making sure the RSA key was only 2048 bits. This might also affect it, but not sure. The picture I get is: try to use the lowest security on the ESP8266 that is still reasonable. Hope this helps. I'll try to do some tests over the weekend and get back to you on these details.
Tried overclocking the device and still the same behavior (I didn't test a better WiFi signal because I have an access point about 50 cm from my desk). And I'm using Let's Encrypt certificates, SHA256 and a 2048-bit RSA key, so it's the same as your tests. Maybe it's my code; I have to dig deeper in order to detect why it (sometimes) crashes on boot. I guess I'll do that when I have more time.
I'll do some tests and get back to you with a sketch which is stable for me.
I am using mqtt async and I want to implement TLS. I followed this tutorial to set up MQTT with TLS on Linux: https://myles.eftos.id.au/blog/2016/08/07/adding-tls/#.WnhwI5M-fR1 Now I am having trouble programming the ESP8266 side; if anyone can help, thank you. I already researched a lot on Google and found nothing consistent. My code (only fragments survived extraction; elided parts are marked `// ...`):

```cpp
#include <ESP8266WiFi.h>
#if ASYNC_TCP_SSL_ENABLED
// ...
#define WIFI_SSID "MyHome"
const char* host = "xxxx.xxxx.net.br";
AsyncMqttClient mqttClient;
WiFiEventHandler wifiConnectHandler;
// ...
if (WiFi.isConnected())
// ...
void onMqttUnsubscribe(uint16_t packetId)
// ...
wifiConnectHandler = WiFi.onStationModeGotIP(onWifiConnect);
#if ASYNC_TCP_SSL_ENABLED
// ...
void loop() {
```
you defined
Does this mean that I should just remove this line and the code will work? mqttClient.onMessage(onMqttMessage);
Sorry, no, I should have added: use
I made the change you said, but I still cannot connect to the Linux server. Is there any more detail I should take care of on the ESP? Thank you for your help.
Assuming the fingerprint is the same as your broker's SSL fingerprint? Assuming your broker certificate is in the right format (see docs / known issues)? Should be all good.
When I'm testing an SSL connection I normally disable the fingerprint check on the ESP and, once that's working, then work out the fingerprint.
Sorry for my inexperience! So I have to generate a FINGERPRINT of my Linux server, and for this there is the get-fingerprint.py script, but I cannot generate this code; I get the following error:
I don't know what you're doing, sorry; this is beyond this repo. I recommend following a guide on the MQTT broker you are trying to set up. In that they should run through how to set up SSL and how to get the fingerprint from the certificate.
Thanks, I'm looking for a complete ESP and Linux tutorial with TLS but I'm not finding one.
I have now managed to create my fingerprint, but I get the error on the Linux side when the ESP tries to connect
My question now is whether to load the ca.crt file into the ESP SPIFFS, or does only the fingerprint resolve it?
So on the Linux side there are two ways you can set up the SSL certificate: generate a CA certificate and then generate a server certificate from the CA, or just create a server certificate. Either way, the ESP only checks the server certificate fingerprint; it doesn't check certificate chaining (to my knowledge), so only use the server certificate, not the CA certificate. Thus, get the server certificate (the one directly used in the MQTT broker) and get the SHA1 fingerprint of the certificate. But as I said in one of my posts, I'd test SSL with no fingerprint check enabled on the ESP, so you can just test the TLS, and then work out the certificate verification.
Yes, now I understand. Debugging better, I realized that my code cannot activate SSL: according to the one above I tried to change `#ifndef ASYNC_TCP_SSL_ENABLED`, but I receive the error
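An added example, not part of this thread or of the async-mqtt-client project, that does on the desktop the two checks the discussion above comes down to: it reads the outer signatureAlgorithm of a DER certificate, so an SHA512 or MD5 signed cert (the ones reported earlier as failing on the 2.4 staging core) is flagged before you try it, and it computes the SHA1 fingerprint of the leaf certificate's DER bytes, which is the value the ESP-side fingerprint check compares against. It uses only the Python standard library; the function names (`check_for_esp8266`, `fake_certificate`, the `UNSUPPORTED_ON_ESP8266` set) are my own, and the three certificates it runs on are constructed stand-ins with a dummy tbsCertificate and a zero signature, so their fingerprints mean nothing beyond showing the format.

```python
"""Desktop checks for a broker certificate before pointing an ESP8266 at it:
the signature algorithm of the leaf certificate (SHA512/MD5 failed on the 2.4
staging core) and the SHA1 fingerprint of the leaf that the ESP pins (it does
not walk the chain, so the CA certificate is irrelevant to it).
Stdlib only; the sample certificates at the bottom are constructed stand-ins."""
import hashlib

# OID -> name for the signature algorithms that came up in the thread.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Reported in this thread as not working with the 2.4 staging core (assumption).
UNSUPPORTED_ON_ESP8266 = {"md5WithRSAEncryption", "sha512WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """OID content bytes -> dotted form (first byte packs arcs 1 and 2)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Name (or dotted OID) of the outer signatureAlgorithm of a DER Certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; convert PEM with openssl x509 -outform DER")
    _, _, tbs_end = _read_tlv(der, start)      # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_OIDS.get(oid, oid)


def sha1_fingerprint(der):
    """SHA1 over the DER bytes, colon-separated, as openssl/browsers show it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def fingerprint_c_array(der):
    """The same 20-byte digest as a C initializer, for pasting into a sketch."""
    return "{" + ", ".join(f"0x{b:02x}" for b in hashlib.sha1(der).digest()) + "}"


def check_for_esp8266(der):
    """What the ESP side needs to know about one leaf certificate."""
    alg = signature_algorithm(der)
    return {"signature_algorithm": alg,
            "sha1_fingerprint": sha1_fingerprint(der),
            "usable": alg not in UNSUPPORTED_ON_ESP8266}


# ---- constructed sample certificates: X.509 shape only, not verifiable ----
def _der(tag, content):
    """Encode one DER element, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_certificate(sig_oid_hex):
    """SEQUENCE shaped like Certificate, with a dummy tbsCertificate (INTEGER 1)
    and a 2048-bit zero signature; enough for the two checks above."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + bytes(256))     # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA256 = fake_certificate("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SAMPLE_SHA512 = fake_certificate("2a864886f70d01010d")  # 1.2.840.113549.1.1.13
SAMPLE_MD5 = fake_certificate("2a864886f70d010104")     # 1.2.840.113549.1.1.4

if __name__ == "__main__":
    for name, cert in (("sha256", SAMPLE_SHA256), ("sha512", SAMPLE_SHA512), ("md5", SAMPLE_MD5)):
        print(name, check_for_esp8266(cert))
```

For a real broker, convert the leaf certificate (the one Mosquitto serves, not ca.crt) to DER with `openssl x509 -in server.crt -outform DER -out server.der` and pass the file's bytes to `check_for_esp8266()`. Two caveats worth keeping in mind: the fingerprint identifies that one certificate, so every renewal (Let's Encrypt certificates are renewed roughly every 90 days) changes it and the value in the sketch must be updated; and running with the fingerprint check disabled, as suggested above for debugging, gives an encrypted but unauthenticated connection, so any host that answers on port 8883 can impersonate the broker until the check is turned back on.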
I'm getting the following stack trace when connecting to an SSL-enabled Mosquitto broker. Could this be related to my Mosquitto configuration? I didn't modify anything other than the necessary variables at the top of the code.
Build was:

```shell
platformio run --target upload
```
I am using Mosquitto as the broker if that is helpful. The only log messages from the broker are:
Stacktrace: