Links2004 / arduinoWebSockets

GNU Lesser General Public License v2.1

SSL not working when other SSL clients (like PubSubClient) are used #630

Closed sivar2311 closed 3 years ago

sivar2311 commented 3 years ago

Hi Markus!

We have trouble with a WSS (SSL) connection when other SSL clients (like PubSubClient) are running in the same sketch. For the WebSocket connection we simply use webSocket.beginSSL() (no certs here).

The MQTT SSL part is implemented like this:

#include <WiFiClientSecureBearSSL.h>
#include <PubSubClient.h>

BearSSL::X509List cert(cacert);            // CA certificate(s) used to verify the broker (cacert: PEM string defined elsewhere)
BearSSL::X509List client_crt(client_cert); // client certificate for mutual TLS (client_cert: PEM string defined elsewhere)
BearSSL::PrivateKey key(privkey);          // private key matching client_crt (privkey: PEM string defined elsewhere)
BearSSL::WiFiClientSecure net;             // TLS transport; cert, client_crt and key are attached to it before connecting
PubSubClient client(net);

I don't have much knowledge about SSL and what's happening in background here.

I tried WebSocket.beginSSLwithCa(...) (using certificates), which worked on the websocket side but still blocked the pubsub client.

After changing back to ws (without SSL), pubsubclient started to work.

Do you have any idea how to run wss client and pubsubclient using SSL in the same sketch?

Kind regards Boris

Links2004 commented 3 years ago

Hi, the problem is that the ESP8266 internally has only one WiFiClientSecureCtx where the CA and client certs are stored. This WiFiClientSecureCtx is shared by all SSL connections, so creating 2 connections with different settings is currently not possible, as far as I understand the code.

https://github.com/esp8266/Arduino/blob/85e2ffffe1af06e9810c2b299621e4c91f119c93/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h#L291

And every configuration of, e.g., the CA or client cert starts with a cleanup of the WiFiClientSecureCtx, which makes clear why websockets or pubsub is working but not both.

https://github.com/esp8266/Arduino/blob/e3fe7a5776606890874a40550f4c8608256e653d/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp#L98-L104

sivar2311 commented 3 years ago

Thank you Markus for the detailed answer!

I think that's the point where BearSSL::CertStore comes into play - which I'm going to test now.

Thanks again and greetings from Schleswig-Holstein :)

sivar2311 commented 3 years ago

Hi Markus,

I have now worked intensively with the BearSSL::X509List. Since it is a list, I have added several certificates using assign().

It took a while but now the whole thing is clear to me.

The BearSSL::X509List can store multiple certificates, but there can only be one active SSL connection at a time.

Too bad, but that's the way it is. Thanks again for your help!
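The sketch below is an added example, not code from the issue or from the arduinoWebSockets project. It takes the question from the first post (running a wss client and PubSubClient with SSL in one sketch) together with the thread's conclusion (only one active SSL connection at a time) and does two things a defender would want: both clients verify the server against the same CA (no insecure mode), and the two TLS sessions are never open simultaneously, each one being torn down before the other is brought up. The hostnames, ports, credentials, client id and the PEM constant are placeholders; the library calls used (setTrustAnchors, beginSslWithCA, disconnect, loop) are the public APIs of the ESP8266 core, PubSubClient and arduinoWebSockets.

```arduino
// Added example: share one CA between MQTT-over-TLS and WSS on an ESP8266, but
// keep only one TLS session open at a time (the limitation discussed in this issue).
#include <ESP8266WiFi.h>
#include <WiFiClientSecureBearSSL.h>
#include <PubSubClient.h>
#include <WebSocketsClient.h>
#include <time.h>

// All of the following values are placeholders to be replaced by the reader.
static const char WIFI_SSID[] = "example-ssid";
static const char WIFI_PASS[] = "example-password";
static const char MQTT_HOST[] = "mqtt.example.com";
static const char WS_HOST[]   = "ws.example.com";
static const char cacert[] =
  "-----BEGIN CERTIFICATE-----\n"
  "...placeholder: PEM of the CA that signed both servers' certificates...\n"
  "-----END CERTIFICATE-----\n";

BearSSL::X509List ca(cacert);        // one trust anchor list, used by both transports
BearSSL::WiFiClientSecure mqttNet;   // TLS transport for PubSubClient
PubSubClient mqtt(mqttNet);
WebSocketsClient webSocket;

enum Phase { PHASE_MQTT, PHASE_WS };
Phase phase = PHASE_MQTT;
unsigned long phaseStart = 0;
const unsigned long PHASE_MS = 30000; // how long each client holds the single TLS slot

void wsEvent(WStype_t type, uint8_t *payload, size_t length) {
  if (type == WStype_TEXT) {
    Serial.printf("[ws] %.*s\n", (int)length, (const char *)payload);
  }
}

void startMqtt() {
  if (!mqtt.connected()) {
    mqtt.connect("esp8266-client");  // placeholder client id
  }
}

void stopMqtt() {
  mqtt.disconnect();                 // closes mqttNet and releases its TLS session
}

void startWs() {
  // The websocket server is verified against the same CA (PEM string overload).
  webSocket.beginSslWithCA(WS_HOST, 443, "/", cacert);
}

void stopWs() {
  webSocket.disconnect();
}

void setup() {
  Serial.begin(115200);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) delay(250);

  // Certificate validity periods are checked against the clock, so sync it first.
  configTime(0, 0, "pool.ntp.org");
  while (time(nullptr) < 8 * 3600 * 2) delay(250);

  mqttNet.setTrustAnchors(&ca);      // verify the broker instead of setInsecure()
  mqtt.setServer(MQTT_HOST, 8883);
  webSocket.onEvent(wsEvent);
  phaseStart = millis();
}

void loop() {
  if (millis() - phaseStart > PHASE_MS) {
    // Tear the active TLS session down completely before bringing up the other one.
    if (phase == PHASE_MQTT) { stopMqtt(); startWs();   phase = PHASE_WS; }
    else                     { stopWs();   startMqtt(); phase = PHASE_MQTT; }
    phaseStart = millis();
  }
  if (phase == PHASE_MQTT) { startMqtt(); mqtt.loop(); }
  else                     { webSocket.loop(); }
}
```

The time-slicing in loop() is the design consequence of the thread: since the two TLS sessions cannot coexist, the sketch alternates them rather than dropping certificate verification on one of them to make it "work".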