knolleary / pubsubclient

A client library for the Arduino Ethernet Shield that provides support for MQTT.
http://pubsubclient.knolleary.net/
MIT License
3.79k stars 1.47k forks

MQTT with SSL/TLS #462

Open sw-tt-chandershekharsuthar opened 6 years ago

sw-tt-chandershekharsuthar commented 6 years ago

I'm done with MQTT on port 1883 and it's going well; now I want to connect to MQTT on port 8883 from a security point of view. Did you try that? I'm facing a problem like "Client not connected (Error code -2)" and don't know what is going wrong... I'm working on Arduino ESP8266 / NodeMCU.

knolleary commented 6 years ago

What network client are you using with the PubSubClient? Is it one that supports SSL?

sw-tt-chandershekharsuthar commented 6 years ago

trying to send data in Azure cloud

knolleary commented 6 years ago

That's nice, but not what I was asking.

Have you modified your ESP code to use a network client that supports SSL?

The example sketch this library provides uses WiFiClient - https://github.com/knolleary/pubsubclient/blob/master/examples/mqtt_esp8266/mqtt_esp8266.ino#L35

To use SSL you'll need to change that for WifiClientSecure - http://arduino-esp8266.readthedocs.io/en/latest/esp8266wifi/client-secure-class.html

sw-tt-chandershekharsuthar commented 6 years ago

Thanks @knolleary for your reply, I will try to get that all the way and hope this time I'll find my destination.

skorokithakis commented 4 years ago

Is there a full-fledged example for this? I'm not seeing how the WifiClientSecure relates to the MQTT connection, since that's a different layer. I'm very interested in connecting to my MQTT instance over TLS, I'm just not sure what the tradeoffs are regarding CPU usage, memory, etc.

swdn commented 4 years ago

> Is there a full-fledged example for this? I'm not seeing how the WifiClientSecure relates to the MQTT connection, since that's a different layer. I'm very interested in connecting to my MQTT instance over TLS, I'm just not sure what the tradeoffs are regarding CPU usage, memory, etc.

I have the same question. Can someone clarify this topic?

djmaze commented 4 years ago

While I don't have a full-fledged example I can publish, here is a gist. I might extract a working version from my project sometime:

```cpp
BearSSL::WiFiClientSecure espClient;

// Set x509 CA root (must match server cert).
// Declared as an array so the PEM text itself, not just the pointer, lives in flash.
static const char x509CA[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
)EOF";
BearSSL::X509List x509(x509CA);
espClient.setTrustAnchors(&x509);

// Set current time (otherwise certs won't work)
now = [...]
espClient.setX509Time(now);

client = PubSubClient(espClient);
client.setServer("mqtt.[...]", 8883);
// client.connect([...])
```

I am using the Time library in order to get the current time via NTP.

The whole process does not work reliably on my ESP8266. Sometimes it does not boot up correctly because it is out of memory (I believe). This probably happens because the SSL library has high resource requirements. SSL/TLS calculations are maxing out the ESP8266 capabilities, it seems.

UPDATE: You can use the Let's encrypt root CA certificate in the example above. So the client will be able to connect to any MQTT server with a LE certificate.

slavino commented 4 years ago

Not sure if it helps but I'm using "TinyGsmClientSecure" for SIM800 with ESP32 (T-Call board from TTGO) with a signed & trusted certificate from "Let's Encrypt". In this case it simply works and no additional hacks are needed. Whenever possible I try to prevent self-signed certs in production.

VXConsulting commented 4 years ago

> Not sure if it helps but I'm using "TinyGsmClientSecure" for SIM800 with ESP32 (T-Call board from TTGO) with a signed & trusted certificate from "Let's Encrypt". In this case it simply works and no additional hacks are needed. Whenever possible I try to prevent self-signed certs in production.

Hi,

Can you share your code because I am lost trying to connect to Azure IOT Hub.

Regards,

programmer131 commented 4 years ago

> Is there a full-fledged example for this? I'm not seeing how the WifiClientSecure relates to the MQTT connection, since that's a different layer. I'm very interested in connecting to my MQTT instance over TLS, I'm just not sure what the tradeoffs are regarding CPU usage, memory, etc.

Here is a simple sketch for MQTT over TLS. Demonstration: https://youtu.be/IFFwjumkqvs Code: https://github.com/programmer131/ESP8266-gBridge-TLS

AdamMiltonBarker commented 4 years ago

@djmaze

> UPDATE: You can use the Let's encrypt root CA certificate in the example above. So the client will be able to connect to any MQTT server with a LE certificate.

This doesn't seem to be the case anymore, I was using the CA and it was working fine then it just stopped working, I can only connect to my broker using the fingerprint now.

Charry2014 commented 3 years ago

Hello everyone - I stumbled across this while debugging a similar issue - you may find a more-or-less full-fledged example in my repository ESP8266_MQTT

Mohamed-ali1998 commented 2 years ago

@slavino Can you share the code in which you have implemented the SSL part?

Mohamed-ali1998 commented 2 years ago

> Not sure if it helps but I'm using "TinyGsmClientSecure" for SIM800 with ESP32 (T-Call board from TTGO) with a signed & trusted certificate from "Let's Encrypt". In this case it simply works and no additional hacks are needed. Whenever possible I try to prevent self-signed certs in production.

@slavino Can you share the code in which you have implemented MQTT over SSL with the SIM800?

ArihantJn14 commented 2 years ago

> Not sure if it helps but I'm using "TinyGsmClientSecure" for SIM800 with ESP32 (T-Call board from TTGO) with a signed & trusted certificate from "Let's Encrypt". In this case it simply works and no additional hacks are needed. Whenever possible I try to prevent self-signed certs in production.

Hey, I need help. How did you set the certificate with TinyGsmClientSecure? Could you share some code or something?

dlyckelid commented 1 year ago

> > Not sure if it helps but I'm using "TinyGsmClientSecure" for SIM800 with ESP32 (T-Call board from TTGO) with a signed & trusted certificate from "Let's Encrypt". In this case it simply works and no additional hacks are needed. Whenever possible I try to prevent self-signed certs in production.
>
> Hey, I need help. How did you set the certificate with TinyGsmClientSecure? Could you share some code or something?

Hi!

I use SSLClient as a "wrapper" and it works for WiFi, TinyGSM and Ethernet on ESP32. I made a ConnectionService class that provides a Client to the PubSubClient that is the SSLClient and, depending on the configuration on the device, it could be one of the 3 different types of connections. I had to make some small changes in SSLClient just to get the correct buffer sizes for the different client types, but other than that it works like a charm.

Amila999 commented 3 months ago

> While I don't have a full-fledged example I can publish, here is a gist. I might extract a working version from my project sometime:
>
> ```cpp
> BearSSL::WiFiClientSecure espClient;
>
> // Set x509 CA root (must match server cert).
> // Declared as an array so the PEM text itself, not just the pointer, lives in flash.
> static const char x509CA[] PROGMEM = R"EOF(
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> )EOF";
> BearSSL::X509List x509(x509CA);
> espClient.setTrustAnchors(&x509);
>
> // Set current time (otherwise certs won't work)
> now = [...]
> espClient.setX509Time(now);
>
> client = PubSubClient(espClient);
> client.setServer("mqtt.[...]", 8883);
> // client.connect([...])
> ```
>
> I am using the Time library in order to get the current time via NTP.
>
> The whole process does not work reliably on my ESP8266. Sometimes it does not boot up correctly because it is out of memory (I believe). This probably happens because the SSL library has high resource requirements. SSL/TLS calculations are maxing out the ESP8266 capabilities, it seems.
>
> UPDATE: You can use the Let's encrypt root CA certificate in the example above. So the client will be able to connect to any MQTT server with a LE certificate.

Hi, do you have any code that could submit the client certificates to the MQTT server? I tried

```cpp
BearSSL::WiFiClientSecure wifiClient;
PubSubClient client(wifiClient);

// certList / privateKey: BearSSL::X509List and BearSSL::PrivateKey built from the device certificate and key
wifiClient.setClientRSACert(&certList, &privateKey);
client.setServer(mqtt_server, mqtt_port);
```

But this didn't send the certificates.
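A complete ESP8266 sketch that ties together the pieces discussed in this thread (the switch from WiFiClient to a BearSSL WiFiClientSecure that knolleary describes, the trust anchor and clock setup from djmaze's gist, and the client-certificate path Amila999 asks about) is given below as an added example; it is not code from the pubsubclient project or from any commenter above. The SSID, password, broker hostname, client id and every PEM block are placeholders, and the calls used (setTrustAnchors, setClientRSACert, probeMaxFragmentLength, setBufferSizes, getLastSSLError, configTime) are those of the ESP8266 Arduino core's BearSSL client and of PubSubClient.

```arduino
// Added example: MQTT over TLS on ESP8266 with PubSubClient + BearSSL.
// All credentials, hostnames and PEM blocks below are placeholders.
#include <ESP8266WiFi.h>
#include <WiFiClientSecureBearSSL.h>
#include <PubSubClient.h>
#include <time.h>

const char* WIFI_SSID      = "your-ssid";          // placeholder
const char* WIFI_PASS      = "your-password";      // placeholder
const char* MQTT_HOST      = "mqtt.example.com";   // placeholder; must match the broker cert's SAN/CN
const uint16_t MQTT_PORT   = 8883;
const char* MQTT_CLIENT_ID = "esp8266-example";    // placeholder

// Root CA that issued the broker's certificate (placeholder PEM; paste the real one).
// Declared as an array so the text itself, not just a pointer, is stored in flash.
static const char ROOT_CA_PEM[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
PASTE THE ROOT CA CERTIFICATE HERE
-----END CERTIFICATE-----
)EOF";

// Set to 1 for mutual TLS: the broker then also verifies a certificate from the device.
#define USE_CLIENT_CERT 0
#if USE_CLIENT_CERT
static const char CLIENT_CERT_PEM[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
PASTE THE DEVICE CERTIFICATE HERE
-----END CERTIFICATE-----
)EOF";
static const char CLIENT_KEY_PEM[] PROGMEM = R"EOF(
-----BEGIN PRIVATE KEY-----
PASTE THE DEVICE PRIVATE KEY HERE
-----END PRIVATE KEY-----
)EOF";
BearSSL::X509List   clientCert(CLIENT_CERT_PEM);
BearSSL::PrivateKey clientKey(CLIENT_KEY_PEM);
#endif

BearSSL::X509List trustAnchors(ROOT_CA_PEM);
BearSSL::WiFiClientSecure tlsClient;
PubSubClient mqtt(tlsClient);   // PubSubClient only sees a Client; TLS happens underneath it

// BearSSL checks certificate validity dates against the system clock. The ESP8266 boots
// with the clock at 1970, so every certificate looks "not yet valid" until NTP has set the
// time. Recent cores read time(nullptr) themselves, so no setX509Time() call is needed.
static bool syncClock() {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  time_t now = time(nullptr);
  for (int i = 0; i < 200 && now < 1000000000; ++i) {   // wait up to ~20 s for a sane date
    delay(100);
    now = time(nullptr);
  }
  return now >= 1000000000;
}

static bool mqttConnect() {
  if (mqtt.connected()) return true;
  Serial.printf("Connecting to %s:%u over TLS... ", MQTT_HOST, MQTT_PORT);
  if (mqtt.connect(MQTT_CLIENT_ID)) {   // add username/password here if the broker requires them
    Serial.println("ok");
    return true;
  }
  // state() == -2 (MQTT_CONNECT_FAILED) means the TCP/TLS connection never came up, so the
  // cause is in the TLS layer; BearSSL's last error says which (CA, name mismatch, clock, buffers).
  char err[96];
  int sslErr = tlsClient.getLastSSLError(err, sizeof(err));
  Serial.printf("failed: mqtt state=%d, ssl error=%d (%s)\n", mqtt.state(), sslErr, err);
  return false;
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) { delay(250); Serial.print('.'); }
  Serial.println("\nWiFi connected");

  if (!syncClock()) Serial.println("WARNING: NTP sync failed; certificate checks will fail");

  tlsClient.setTrustAnchors(&trustAnchors);   // broker must chain to this CA, nothing else is accepted
#if USE_CLIENT_CERT
  tlsClient.setClientRSACert(&clientCert, &clientKey);   // presented when the broker requests it
#endif
  // The default TLS buffers are 16 KB each way, most of the ESP8266 heap. Smaller buffers only
  // work if the broker honours the MFLN extension, so probe before shrinking them.
  if (tlsClient.probeMaxFragmentLength(MQTT_HOST, MQTT_PORT, 1024)) {
    tlsClient.setBufferSizes(1024, 1024);
  }
  mqtt.setServer(MQTT_HOST, MQTT_PORT);
}

void loop() {
  if (!mqttConnect()) { delay(5000); return; }
  mqtt.loop();
  static unsigned long last = 0;
  if (millis() - last > 10000) {
    last = millis();
    mqtt.publish("example/heap", String(ESP.getFreeHeap()).c_str());
  }
}
```

Two points worth checking when this fails: the printed SSL error distinguishes a trust failure (wrong or outdated root CA, such as a CA switch on the broker side) from a clock problem, and the free-heap value published every ten seconds shows whether the TLS buffers leave enough memory for the rest of the sketch. With USE_CLIENT_CERT set to 1, setClientRSACert() must be called on the secure client before connect(); the key is only sent if the broker asks for a client certificate during the handshake.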