espressif / arduino-esp32

Arduino core for the ESP32
GNU Lesser General Public License v2.1

Mutual TLS. How to format client cert and key #4722

Closed Inkomidwastaken closed 3 years ago

Inkomidwastaken commented 3 years ago

Hardware:

Board: ESP32 Dev Module
Core Installation version: 1.0.4
IDE name: Arduino IDE
Flash Frequency: 80Mhz
PSRAM enabled: no
Upload Speed: 921600
Computer OS: Windows 10

Description:

I'm trying to establish a mutual TLS connection to my mosquitto (1.6.12) MQTT broker running on a Raspberry Pi. I already did so by connecting via MQTTX to my broker (using the same certificates and keys). Using the ESP32, I manage to connect to the broker with server authentication only.

But I can't connect using the ESP and mutual TLS. In the verbose error logs it reads: [E][ssl_client.cpp:33] _handle_error(): [start_ssl_client():167]: (-8576) X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected. Since the connection using only server authentication was successful, I guess either the client key, client cert or both are formatted wrong.

My Sketch is based on this example.

serial of the ESP32:

Attempting MQTT connection...failed, rc=-2 try again in 5 seconds
Attempting MQTT connection...failed, rc=-2 try again in 5 seconds

Logs on the broker:

1610651907: mosquitto version 1.6.12 starting
1610651907: Config loaded from /etc/mosquitto/conf.d/TLSmosquitto.conf.
1610651907: Opening ipv4 listen socket on port 8883.
1610651907: Opening ipv6 listen socket on port 8883.
1610651907: mosquitto version 1.6.12 running
1610651913: New connection from 192.168.2.73 on port 8883.
1610651913: Socket error on client <unknown>, disconnecting.
1610651918: New connection from 192.168.2.73 on port 8883.
1610651918: Socket error on client <unknown>, disconnecting.

Sketch:


/*
  Wifi secure connection example for ESP32
  Running on TLS 1.2 using mbedTLS
  Supporting the following ciphersuites:
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_DHE_RSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8","TLS_DHE_RSA_WITH_AES_256_CCM_8","TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_DHE_RSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8","TLS_DHE_RSA_WITH_AES_128_CCM_8","TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_PSK_WITH_AES_256_GCM_SHA384","TLS_DHE_PSK_WITH_AES_256_CCM","TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384","TLS_DHE_PSK_WITH_AES_256_CBC_SHA384","TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA","TLS_DHE_PSK_WITH_AES_256_CBC_SHA","TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_PSK_WITH_CAMELLIA
_256_CBC_SHA384","TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_PSK_DHE_WITH_AES_256_CCM_8","TLS_DHE_PSK_WITH_AES_128_GCM_SHA256","TLS_DHE_PSK_WITH_AES_128_CCM","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256","TLS_DHE_PSK_WITH_AES_128_CBC_SHA256","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA","TLS_DHE_PSK_WITH_AES_128_CBC_SHA","TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_PSK_DHE_WITH_AES_128_CCM_8","TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA","TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CCM","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_256_CCM_8","TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA","TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_128_CCM","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CCM_8","TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA","TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_ECDSA
_WITH_3DES_EDE_CBC_SHA","TLS_RSA_PSK_WITH_AES_256_GCM_SHA384","TLS_RSA_PSK_WITH_AES_256_CBC_SHA384","TLS_RSA_PSK_WITH_AES_256_CBC_SHA","TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_RSA_PSK_WITH_AES_128_GCM_SHA256","TLS_RSA_PSK_WITH_AES_128_CBC_SHA256","TLS_RSA_PSK_WITH_AES_128_CBC_SHA","TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA","TLS_PSK_WITH_AES_256_GCM_SHA384","TLS_PSK_WITH_AES_256_CCM","TLS_PSK_WITH_AES_256_CBC_SHA384","TLS_PSK_WITH_AES_256_CBC_SHA","TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_PSK_WITH_AES_256_CCM_8","TLS_PSK_WITH_AES_128_GCM_SHA256","TLS_PSK_WITH_AES_128_CCM","TLS_PSK_WITH_AES_128_CBC_SHA256","TLS_PSK_WITH_AES_128_CBC_SHA","TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_PSK_WITH_AES_128_CCM_8","TLS_PSK_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
  2017 - Evandro Copercini - Apache 2.0 License.
*/

#include <WiFiClientSecure.h>
#include <PubSubClient.h>
const char* ssid     = "Nudeldickedirn";     // your network SSID (name of wifi network)
const char* password = "Bennistinkt"; // your network password

const char* mqtt_server = "192.168.2.105";

//const char*  server = "www.howsmyssl.com";  // Server URL

// www.howsmyssl.com root certificate authority, to verify the server
// change it to your server root CA
// SHA1 fingerprint is broken now!

const char* test_root_ca= \
    "-----BEGIN CERTIFICATE-----\n" \
    "MIIDuzCCAqOgAwIBAgIUTZjwvls6Hin+Wx25xo1PswXBWFEwDQYJKoZIhvcNAQEL\n" \
    "BQAwbTELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11\n" \
    "bmljaDETMBEGA1UECgwKSGFyYmF1ZXJUQTEOMAwGA1UECwwFSFRBSE0xFjAUBgNV\n" \
    "BAMMDXhYeEdhbWVyUEN4WHgwHhcNMjAxMjMwMTU1NTIzWhcNMjExMjMwMTU1NTIz\n" \
    "WjBtMQswCQYDVQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEPMA0GA1UEBwwGTXVu\n" \
    "aWNoMRMwEQYDVQQKDApIYXJiYXVlclRBMQ4wDAYDVQQLDAVIVEFITTEWMBQGA1UE\n" \
    "AwwNeFh4R2FtZXJQQ3hYeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" \
    "ANkqD0pHuUldSTU75yBdYbK9j8//rpxEivTYg7Rmz2QOqwwW5zX4KVs4bcJMuvUf\n" \
    "AUACjBBho4ZMeuxUowsLfvfyw7vyhFho1erUlQxsTo4XwaBrmOxYxAqU60qEIXRB\n" \
    "G22FNA+9JcCoAzcEGfgPvdLkz/wrttN+e9Rlpb/YHRUBb5o7o+ZL8KsDaLVdTY9s\n" \
    "FNB0xqUPDNL1ddy7iMKNYoZIFr86BF5LuU+wMTb4wwJ9LDl7jrQNbg/+gLeCVqVi\n" \
    "liugy7exOVXoQTiGBj9P5FzubKmKqt1tnAfl6XASem1eZUzGuaYrawXQlz6JQ/IM\n" \
    "7V/TE8Fi32cMgki99k8oM8MCAwEAAaNTMFEwHQYDVR0OBBYEFAQt1B1GFv8u8V21\n" \
    "qIU2Otb5s1oXMB8GA1UdIwQYMBaAFAQt1B1GFv8u8V21qIU2Otb5s1oXMA8GA1Ud\n" \
    "EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAL7LlXxqlN8fd8gVSK7GBPGK\n" \
    "SfdSTJ2HnIZJZbTc56tjPzigccU5cKIdyrtZGITIzjwWUY8dUyhgWYp0c+2ITEdU\n" \
    "F2+gYo7bu+0g+sDuVGk2MZ2p3HStiNbRymDeGk9PKSodbq2WWWRi6fKuR7Jb42C+\n" \
    "UJ9GHIQH/M1QipCIDZIZK2O80fkaWZBTOTrgNuf5JHkDrO5mIl0aB/ZTvltCVdrj\n" \
    "TdvwB4MPPbLVO7c9+PnVcoHoATEoHZqDzf7WmoB43+NIuQgWoMjTR5DUYmMrkjTZ\n" \
    "99S0R/jQhz7IQ8ua9Kl05qKZ26HaWx67RGCcJnIhX7SobOPssqcvMoblnHVDdbQ=\n" \
    "-----END CERTIFICATE-----\n";

// You can use x.509 client certificates if you want
const char* test_client_key = \
    "-----BEGIN RSA PRIVATE KEY-----\n" \
    "MIIEpAIBAAKCAQEA1xklySJym2NnO0fTSl3E3CY0jpEHpxjxD8S8G7aHbJgCDq+b\n" \
    "0TNnpivg13wMwDvG34wCPOmHJAUWBRuDOcIeU0goCVc/PnwZOwkJl5S+8WcTywMn\n" \
    "2Nnv0IjbFubDBDmi+Lf1eSlQkZzQmOB8cDpbN8ZAmZcOmWhU569t0Fi8Pf6oWeyv\n" \
    "fYGzXt8y+DCMa40a1Lj1mXbF/Qmjr/xkMEVEyLGdV41ujn/oo2kv+urUx/tOiJ4h\n" \
    "QXRZ3nX1hW1KmQtRr4gRxuc+htM/B+/i2QKkeHLk5obrfXML8IJZ76jqjsgpOU/j\n" \
    "vkkqGkcjcrIoAiwTB+jgM7XnCo3fGPJQ4PC3UwIDAQABAoIBABjrv/X6uL6KGMbE\n" \
    "fpVqIcnD32j5IqLYf+1sxMKNNkl9nxdmfy4Qv5yADu/IXo3THyp9RTEbeV3R/Qgg\n" \
    "dOa3N948SO80HY62wBGX7XWTdT/wyllGB1LXhTJq+L9Bgyy1JM2eOqGMCNqmCYD8\n" \
    "2U4DZNgkbw2cc8OQU+335Eg0T7L63Ms55UPgjgkdX/WUIpPOQ6yFSzH9v9ayfMx+\n" \
    "yxZSSlrp+KByBsBbMAYcJL2DzXnhh1VMhyhL7BQGJTt5dVGfKplydU7W7s6ZfD0D\n" \
    "xnCEKU4mfV8dj21mVzTb1tHNQQbMwXWDv6g+u6Vz3jHspfYQPZw/nSLUo2G2UzpE\n" \
    "snpy0vkCgYEA81M1EH3oQKy15qxr1ofAaR3PD86xVwmU7rL94iwanDDD2r1DVilr\n" \
    "WgUf3ArxaN19cfc0XtIOm+GAAN25Tdf0UzShyHar4A3y7hE+lpDgEPFGLAvSAFfm\n" \
    "zaqmzBIFub6G4NSUyqOxROWSz0yu0w8WExQnQDEYgbSfEAeTDPr1KfUCgYEA4k2H\n" \
    "oLEdyIvQL6O6dK+/oVYNAToIkPRjkBq2CL0VBjbAF2qPcOJvirKCjDg91ILrDuCD\n" \
    "iUsvPuImS3N0cOaQmPn4bvabzn1zn6wDRzb0KAiDa478Chk/5DZyvods0FGPdbKb\n" \
    "KfYzj/epld3Ve6F0WJtY7RofOeYKsYNmUfyHJycCgYBn4FvFAJtIEPNO2Mjouudv\n" \
    "eKRO8URQDe0gwhUUmxN5HnBeT3IRtHj54zoorBtHU1ccchZPbImEDo6g0ActrkXF\n" \
    "x7BRbigN7KaK752ylYKyeO4mG525O81ye6ndcMw08ZuPG/GxWJRy/zbffLMds1EP\n" \
    "MAlZpBv8M2m8ZB9o6TIEiQKBgQCsaFag1O8U33efI8Skq1R6TL2hpp3qGVZU7hSq\n" \
    "+aqvzjxwWo2nectyxmbw/tQUOB1uexubGH2JEfAM4Yvfi7iz4xUjLJwtJ6RUDE9/\n" \
    "DN3cNggxhIB+DRiA+/5VK4V5+/kouQa/ZEOKNiur8pJ3Gt0xuEB6esE5cgnJjYsB\n" \
    "gTtSVwKBgQDXdQtHykZNaF8J+vrxKF2o3HFhNHz4jY4D7yVaNxDRnEqfwWmohSyA\n" \
    "Ha3tG/QCdrTp08eN0I0z9Hkr5JFYjygKI96X4q3HFT4UKeINqGqnku/lY/I1rpUw\n" \
    "wE5gjI60ptbNUHYcM/53Y9eXSgyU8x2eouTwylCpzBUV7TE9STMJ+Q==\n" \
    "-----END RSA PRIVATE KEY-----\n";

const char* test_client_cert = \
    "-----BEGIN CERTIFICATE-----\n" \
    "MIIDYjCCAkoCFHjcLUB7QxraDGpbjwkqxTSTnBDnMA0GCSqGSIb3DQEBCwUAMG0x\n" \
    "CzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gx\n" \
    "EzARBgNVBAoMCkhhcmJhdWVyVEExDjAMBgNVBAsMBUhUQUhNMRYwFAYDVQQDDA14\n" \
    "WHhHYW1lclBDeFh4MB4XDTIwMTIzMDE3MjI1M1oXDTIxMTIzMDE3MjI1M1owbjEL\n" \
    "MAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEV\n" \
    "MBMGA1UECgwMSGFyYmF1ZXJNUVRUMREwDwYDVQQLDAhIYkNsaWVudDESMBAGA1UE\n" \
    "AwwJZXNwcmVzc2lmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1xkl\n" \
    "ySJym2NnO0fTSl3E3CY0jpEHpxjxD8S8G7aHbJgCDq+b0TNnpivg13wMwDvG34wC\n" \
    "POmHJAUWBRuDOcIeU0goCVc/PnwZOwkJl5S+8WcTywMn2Nnv0IjbFubDBDmi+Lf1\n" \
    "eSlQkZzQmOB8cDpbN8ZAmZcOmWhU569t0Fi8Pf6oWeyvfYGzXt8y+DCMa40a1Lj1\n" \
    "mXbF/Qmjr/xkMEVEyLGdV41ujn/oo2kv+urUx/tOiJ4hQXRZ3nX1hW1KmQtRr4gR\n" \
    "xuc+htM/B+/i2QKkeHLk5obrfXML8IJZ76jqjsgpOU/jvkkqGkcjcrIoAiwTB+jg\n" \
    "M7XnCo3fGPJQ4PC3UwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC67HhDSpUx/UY3\n" \
    "LElscA8LFaX2bVq6t20YurhXXifEw5RE5MUOQgIlgRGsLSstn/6MMXKk+knI8y+M\n" \
    "okk02GVCjwetIDuR+XPS2ICmNBBKRFkGeTFwAVcsefpU1BgIff9QXl0hwfGBIlEd\n" \
    "vwKhuieQ22RRI8iiDNc1Vl9IAgV4iD7Us63EJ/e6snD/5WMoSvaTvWsOqZLiCIaN\n" \
    "c2JbhHNuoxM8Otq8JPGNDHz2t4YwTYaeQUPP4xiYBKik0eMQ/9apdXV7xolw8aPu\n" \
    "EYVAPsZChXTLRZUJtnC0MoFXxRFsoImP5ugsYVY4vugv9lumRwHb8QVsC0IQdN2V\n" \
    "Wv9qJYXT\n" \
    "-----END CERTIFICATE-----\n";
//to verify the client

WiFiClientSecure wsclient;
PubSubClient client(wsclient);

void setup_wifi() {
  delay(10);
  // We start by connecting to a WiFi network

  Serial.print("Attempting to connect to SSID: ");
  Serial.println(ssid);

  WiFi.begin(ssid, password);
  //delay(150);
  //WiFi.setHostname("node1");

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }

  Serial.println("");
  Serial.println("WiFi connected");

  Serial.print("Local IP: ");
  Serial.println(WiFi.localIP());
  Serial.print("Subnet Mask: ");
  Serial.println(WiFi.subnetMask());
  Serial.print("Gateway IP: ");
  Serial.println(WiFi.gatewayIP());
  Serial.print("DNS 1: ");
  Serial.println(WiFi.dnsIP(0));
  Serial.print("DNS 2: ");
  Serial.println(WiFi.dnsIP(1));
  Serial.print("Hostname: ");
  Serial.println(WiFi.getHostname());

}

void reconnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");
    // Attempt to connect
    if (client.connect("ESP32Client")) {
      Serial.println("connected");

      // Once connected, publish an announcement...
      client.publish("testtopic", "hello world");

      // Subscribe
      client.subscribe("testtopic/Win");

    } else {
      Serial.print("failed, rc=");
      Serial.print(client.state());
      Serial.println(" try again in 5 seconds");
      // Wait 5 seconds before retrying
      delay(5000);
    }
  }
}

void callback(char* topic, byte* payload, unsigned int length) {
  Serial.print("Message arrived [");
  Serial.print(topic);
  Serial.print("] ");
  for (int i = 0; i < length; i++) {
    Serial.print((char)payload[i]);
  }
  Serial.println();
}

void setup() {
  //Initialize serial and wait for port to open:
  Serial.begin(115200);
  delay(100);

  setup_wifi();
  wsclient.setCACert(test_root_ca);

  client.setServer(mqtt_server, 8883);
  client.setCallback(callback);

  wsclient.setCertificate(test_client_key); // for client verification
  wsclient.setPrivateKey(test_client_cert);  // for client verification
}

void loop() {
  //MQTT
  if (!client.connected()) {
    reconnect();
  }
  client.loop();

  //Serial.print("Attempting MQTT hello there!");
  client.publish("testtopic/ESP", "hello there!");
  delay(3000); // Delay 3 seconds between loops.
}

Debug Messages:

Attempting MQTT connection...[V][ssl_client.cpp:56] start_ssl_client(): Free internal heap before TLS 264792
[V][ssl_client.cpp:58] start_ssl_client(): Starting socket
[V][ssl_client.cpp:93] start_ssl_client(): Seeding the random number generator
[V][ssl_client.cpp:102] start_ssl_client(): Setting up the SSL/TLS structure...
[V][ssl_client.cpp:115] start_ssl_client(): Loading CA cert
[V][ssl_client.cpp:163] start_ssl_client(): Loading CRT cert
[E][ssl_client.cpp:33] _handle_error(): [start_ssl_client():167]: (-8576) X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected
[E][WiFiClientSecure.cpp:132] connect(): start_ssl_client: -8576
[V][ssl_client.cpp:248] stop_ssl_socket(): Cleaning SSL connection.
-2 try again in 5 seconds
Inkomidwastaken commented 3 years ago

Solved it! The variables for cert and key got mixed up in the example I used:

wsclient.setCertificate(test_client_key); // for client verification
wsclient.setPrivateKey(test_client_cert);  // for client verification

when it should have been:

wsclient.setCertificate(test_client_cert); // for client verification
wsclient.setPrivateKey(test_client_key);  // for client verification
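The mistake above (a certificate PEM passed to setPrivateKey and a key PEM passed to setCertificate) only surfaces as mbedTLS error -8576 inside the handshake. As an added example that is not part of this issue or the arduino-esp32 core, the following plain C++ check classifies each PEM blob by its BEGIN label before the setters are called, so a swapped pair is reported by name; the function names `pem_kind` and `check_mtls_material` and the label-only placeholder PEM strings are constructed for this example.

```cpp
// Added example: guard the (CA, client cert, client key) triple before handing it to
// WiFiClientSecure::setCACert() / setCertificate() / setPrivateKey(). No Arduino
// dependency, so it can be compiled and tested on a desktop as well.
#include <cstring>
#include <string>

enum class PemKind { Certificate, PrivateKey, Other };

// Returns the kind of the first PEM object in `pem`, judged by its BEGIN label.
PemKind pem_kind(const char* pem) {
    const char* begin = std::strstr(pem, "-----BEGIN ");
    if (begin == nullptr) return PemKind::Other;
    begin += std::strlen("-----BEGIN ");
    const char* end = std::strstr(begin, "-----");
    if (end == nullptr) return PemKind::Other;
    std::string label(begin, end - begin);
    if (label == "CERTIFICATE") return PemKind::Certificate;
    // Matches "RSA PRIVATE KEY", "EC PRIVATE KEY" and PKCS#8 "PRIVATE KEY".
    const std::string suffix = "PRIVATE KEY";
    if (label.size() >= suffix.size() &&
        label.compare(label.size() - suffix.size(), suffix.size(), suffix) == 0)
        return PemKind::PrivateKey;
    return PemKind::Other;
}

// Empty string when every PEM is in the right slot, otherwise a description of the
// mistake. The swapped case from this issue is reported explicitly.
std::string check_mtls_material(const char* ca, const char* cert, const char* key) {
    if (pem_kind(ca) != PemKind::Certificate) return "setCACert: not a CERTIFICATE PEM";
    PemKind c = pem_kind(cert);
    PemKind k = pem_kind(key);
    if (c == PemKind::PrivateKey && k == PemKind::Certificate)
        return "setCertificate/setPrivateKey arguments are swapped";
    if (c != PemKind::Certificate) return "setCertificate: not a CERTIFICATE PEM";
    if (k != PemKind::PrivateKey) return "setPrivateKey: not a PRIVATE KEY PEM";
    return "";
}

// Constructed placeholder PEMs (labels only, no real key material) for a self-check.
static const char* kCaPem   = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n";
static const char* kCertPem = "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n";
static const char* kKeyPem  = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n";

int main() {
    // Correct order passes; the order from the original sketch is flagged.
    std::string ok = check_mtls_material(kCaPem, kCertPem, kKeyPem);
    std::string swapped = check_mtls_material(kCaPem, kKeyPem, kCertPem);
    return (ok.empty() && !swapped.empty()) ? 0 : 1;
}
```

In a sketch, call the check in setup() and refuse to start the MQTT client when it returns a non-empty message, which turns a silent rc=-2 loop into an actionable error on the serial console.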
linxcow commented 2 years ago

I'm struggling to understand the example.

If I would make a secure connection to "io.adafruit.com", can I use the root certificate PEM in my browser for this site?

Or do I need all three certificates to make a secure connection?

client.setCACert(test_root_ca);
//client.setCertificate(test_client_cert); // for client verification
//client.setPrivateKey(test_client_key); // for client verification

And where do I get these certificates in my browser?