knolleary / pubsubclient

A client library for the Arduino Ethernet Shield that provides support for MQTT.
http://pubsubclient.knolleary.net/
MIT License

Integrating TLS in an example sketch for AWS IoT service? #84

Open synaptic-axon opened 8 years ago

synaptic-axon commented 8 years ago

Hello,

I'd like to use this library with an arduino sketch talking to the AWS IoT service that requires TLS. I'm curious if you have any example code that you could include in the library examples to accomplish this.

Currently, I'm doing system() calls to the mosquitto_pub CLI binary from the sketch on an Intel Edison/Galileo dev board but I'd much rather use this library, especially as I migrate to the esp8266.

Thank you!

knolleary commented 8 years ago

Hi, no I don't have any such example, but I would welcome one if it is possible to do. I primarily use this client on arduino-based platforms where TLS simply isn't an option. Obviously the Edison/Galileo boards are more capable - but I don't know if you can create TLS connections from sketches created in the arduino IDE.

synaptic-axon commented 8 years ago

Alright, thanks for the quick response. I'll see what I can cook up and try to contribute an example. I'm a bit new at this though...

tomkcook commented 8 years ago

AFAICT, you should be able to take the mqtt_esp8266 example and substitute the WiFiClientSecure class in place of the WiFiClient class and it should just work. I haven't had a chance to try it out, though!

tomkcook commented 8 years ago

Of course it won't verify the server. But it should connect. And if you've got the fingerprint of your MQTT server's certificate, you can use WiFiClientSecure::verify() to verify it.

Suxsem commented 8 years ago

I just tried WiFiClientSecure instead of WiFiClient and the sketch compiles just fine. I can't flash it soon because I lost my esp8266 and I'm waiting for a new one, I hope someone can confirm that WiFiClientSecure works with pubsubclient :)

chaeplin commented 8 years ago

WiFiClientSecure does work with pubsubclient. But WiFiClientSecure supports only TLS 1.0 and TLS 1.1. Clients must support TLS 1.2 to use AWS IoT.

I have tested TLS 1.2 using mosquitto with the esp8266 and could not connect.

Testing code with mosquitto (TLS 1.1 / user / pass) and esp8266 (ca.crt is not used; the fingerprint of the server cert is verified) --> works and has been running for 1 day now without problems. 20K of memory is used by WiFiClientSecure.

Sample code: https://gist.github.com/chaeplin/3223074601733fa46d4a

ref: https://github.com/esp8266/Arduino/issues/889 (mqtt and aws), https://github.com/esp8266/Arduino/issues/43 (SSL support)

Suxsem commented 8 years ago

wow great info, thanks!

tomkcook commented 8 years ago

I've also got this working, I guess using TLSv1.1 and a Mosquitto server that I host myself. But using client certificates causes a crash. I've used openssl to create the server and client keys and certificates and signed them using my own CA. Then I've converted the client key and certificate to a C array form like this:

openssl enc -d -a client.key > client.bin.key
openssl enc -d -a client.crt > client.bin.crt
xxd -i client.bin.key > client_key.h
xxd -i client.bin.crt > client_crt.h
cat client_*.h > certificates.h

Then in my sketch I've done this:

WiFiClientSecure espClient;
PubSubClient mqtt(espClient);
#include "certificates.h"

void setup() {
    // ... wifi setup goes here ...
    espClient.setCertificate(client_bin_crt, client_bin_crt_len);
    espClient.setPrivateKey(client_bin_key, client_bin_key_len);

    mqtt.setServer(mqtt_server, 8883);
    mqtt.setCallback(mqtt_cb); // Defined elsewhere
}

void reconnect() { /* As per the ESP8266 example */ }

void loop() {
    if(!mqtt.connected()) {
        reconnect();
    }
    mqtt.loop();
}

This works fine until I enable the require_certificate option in Mosquitto, then it causes a crash on the ESP8266. I'm not exactly sure where the crash happens, but it's before the connection to mosquitto is complete. When I say crash, the following appears on the serial console:

Soft WDT reset

ctx: cont
sp: 3fff1a00 end: 3fff1f20 offset: 01b0

>>>stack>>>
... stack data here ...
<<<stack<<<

 ets Jan   8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 1264, room 16
tail 0
chksum 0x42
csum 0x42
~ld

I've checked that I can connect to mosquitto with certificates required using the Python Paho client, so the problem seems to be on the ESP8266 / PubSubClient end. I'm not sure how best to debug this, but I'll start looking at it.
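The conversion step above (PEM to a DER byte array for certificates.h) and the fingerprint check mentioned earlier in the thread, as an added example that is not from the pubsubclient project or from anyone in this thread. It strips the BEGIN/END armor lines, base64-decodes the body with validation so a mangled file fails on the host rather than on the board, writes the array in the same shape `xxd -i` produces (so the `client_bin_crt` / `client_bin_crt_len` names in the sketch still fit), and prints the SHA-1 fingerprint in the space-separated form used by the ESP8266 core examples for `WiFiClientSecure::verify()`. The sample PEM is constructed (46 zero bytes inside a SEQUENCE) and is not a real certificate; the script name in the usage comment is an assumption.

```python
"""Added example, not from the pubsubclient project: PEM -> DER C array + SHA-1 fingerprint."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the armor lines and base64-decode the body into DER bytes.

    The BEGIN/END lines are not base64 and must go; the body is validated so a
    truncated or mangled file fails here instead of on the device."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found (is the file already DER?)")
    body = "".join(m.group(2).split())          # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def to_c_array(name: str, data: bytes, per_line: int = 12) -> str:
    """Emit 'unsigned char <name>[] = {...}; unsigned int <name>_len = N;' like xxd -i
    (non-identifier characters in the file name become '_', as xxd does)."""
    ident = re.sub(r"[^0-9A-Za-z_]", "_", name)
    rows = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        rows.append("  " + ", ".join(f"0x{b:02x}" for b in chunk))
    body = ",\n".join(rows)
    return (f"unsigned char {ident}[] = {{\n{body}\n}};\n"
            f"unsigned int {ident}_len = {len(data)};\n")


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER certificate as upper-case hex bytes separated by spaces,
    the form the ESP8266 core examples pass to WiFiClientSecure::verify().
    openssl x509 -noout -fingerprint -sha1 prints the same digest with colons."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample input so the example runs offline: NOT a real certificate,
# just a SEQUENCE of 46 zero bytes wrapped in PEM armor.
SAMPLE_DER = b"\x30\x2e" + b"\x00" * 46
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")


def convert_file(path: str) -> str:
    """Read one PEM file and return the certificates.h fragment for it."""
    with open(path, "r", encoding="ascii") as fh:
        der = pem_to_der(fh.read())
    return to_c_array(path.rsplit("/", 1)[-1], der)


if __name__ == "__main__":
    # usage (script name assumed): python pem2carray.py client.bin.crt client.bin.key > certificates.h
    for p in sys.argv[1:]:
        sys.stdout.write(convert_file(p))
    if len(sys.argv) == 1:
        sys.stdout.write(to_c_array("sample.crt", pem_to_der(SAMPLE_PEM)))
        print("// fingerprint:", sha1_fingerprint(SAMPLE_DER))
```

Run it on the server certificate to get the fingerprint for `verify()`, and on the client certificate and key to produce `certificates.h`; passing the files under their `client.bin.crt` / `client.bin.key` names yields exactly the identifiers the sketch above uses.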

tomkcook commented 8 years ago

This of course is a watchdog timeout. You can disable the software watchdog with ESP.wdtDisable() for the duration of the reconnect() call, but the hardware watchdog goes too. In my case, changing the CPU frequency to 160MHz was enough to make this fast enough to successfully connect to Mosquitto using a client certificate; YMMV.

chaeplin commented 8 years ago

@tomkcook I have following error with setCertificate and setPrivateKey ( require_certificate true in mosquitto)

1453566273: New connection from 192.168.10.112 on port 8883.
1453566273: OpenSSL Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:
peer did not return a certificate
1453566273: Socket error on client <unknown>, disconnecting.

edited http://bbs.espressif.com/viewtopic.php?f=7&t=1639

tomkcook commented 8 years ago

That seems to be a fairly generic mosquitto error, but one thing that can cause it is if your certificates are correct but you don't provide a valid username/password when connecting - either set allow_anonymous to true in the mosquitto conf or create a user with mosquitto_passwd and provide the correct username and password.

chaeplin commented 8 years ago

@tomkcook With 'require_certificate false', TLS 1.1 and username/password it is working. With 'require_certificate true', the certificate error comes. I have changed the CPU frequency to 160MHz, but get the same error.

tomkcook commented 8 years ago

Well, I guess there's a problem with your certificate! I'm no expert here, sorry. Is your client certificate signed with the CA certificate that mosquitto is configured with? Have you encoded the certificate correctly?

chaeplin commented 8 years ago

@tomkcook New CA generated, and tested using mosquitto_sub/1.4.7.

noelgeorgi commented 8 years ago

@tomkcook this is the mosquitto error I'm getting with require_certificate true enabled:

OpenSSL Error: error:14089087:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:cert length mismatch

With it disabled, and without loading any certificates, just using WiFiClientSecure along with username and password, pubsubclient connects to the MQTT broker (mosquitto), with some disconnections showing the error:

OpenSSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

which is not at all possible using other clients such as MQTTFx or pubsubclient_sub or pubsubclient_pub without providing the ca file.

harisbotic commented 7 years ago

@tomkcook @noelgeorgi have you managed to solve the problem?

I did the same thing as you, and with the MQTTFx client I am not able to connect to the mosquitto broker without providing a valid CA certificate, but when I use WiFiClientSecure I manage to connect to the broker both with and without a valid fingerprint of the cert.

tomkcook commented 7 years ago

It Works For Me (TM). One thing I've found is that subscribing to more than one topic causes the client to hang and I haven't had time to investigate why. Here's how I'd approach debugging this:

I'm not sure when I'll get time to look at the multiple-subscriptions problem.

jyotirajsharma commented 7 years ago

Hi,

I installed OpenSSL (both the 32 and 64 bit versions) and am trying to run the mosquitto client and server over a secure link. I did the following steps:

1. Environment variable: set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

2. First, we generate the CA certificate with the following command:
   openssl req -new -x509 -days 3650 -keyout m2mqtt_ca.key -out m2mqtt_ca.crt

3. At this point we can move on to the generation of a private key for the server and the related certificate request, which must be signed by the CA. For the private key, we can perform:
   openssl genrsa -des3 -out m2mqtt_srv.key 1024

4. Once this is done, let's move to the generation of the certificate request from the server to be signed by the CA:
   openssl req -out m2mqtt_srv.csr -key m2mqtt_srv.key -new

5. openssl x509 -req -in m2mqtt_srv.csr -CA m2mqtt_ca.crt -CAkey m2mqtt_ca.key -CAcreateserial -out m2mqtt_srv.crt -days 3650

Then, I created the file mosquitto_m2mqtt.conf in which the parameters to be changed are as follows in the sections "Default Listener" and "Certificate based SSL / TLS support":

bind_address localhost
port 8883
tls_version tlsv1
cafile C:/OpenSSL-Win32/bin/m2mqtt_ca.crt
certfile C:/OpenSSL-Win32/bin/m2mqtt_srv.crt
keyfile C:/OpenSSL-Win32/bin/m2mqtt_srv.key

Then, I am trying to run, in a CMD window:

mosquitto -c mosquitto_m2mqtt.conf -v

I get the following error whenever I trigger a subscribe request from another window:

1486 : mosquitto version 1.4.10 (build date 24/08/2016 21:03:24.73) starting
1486317027: Config loaded from mosquitto_m2mqtt.conf.
1486317027: Opening ipv6 listen socket on port 8883.
1486317027: Opening ipv4 listen socket on port 8883.
Enter PEM pass phrase:
1486317034: New connection from 127.0.0.1 on port 8883.
1486317034: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1486317034: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1486317034: Socket error on client , disconnecting.

Please help me solve this. If this works fine, then I will start implementing SSL with the ESP as per the above threads.

In another CMD window:

mosquitto_sub -h localhost -p 8883 -q 1 -t sensor/temp --cafile C:\OpenSSL-Win32\bin\m2mqtt_ca.crt --tls-version tlsv1 -d

knolleary commented 7 years ago

@jyotirajsharma sorry, you would be better off asking this on StackOverflow, or the mosquitto mailing list.

tomkcook commented 7 years ago

@jyotirajsharma As knolleary says, this is not really the place. However, see https://nofurtherquestions.wordpress.com/2016/03/14/making-an-esp8266-web-accessible/ for a fairly complete description of how to get this working.

One immediate thing I notice is that you're missing -extensions v3_ca on the openssl commandline when generating your CA certificate, which I think could lead to the error you are seeing.
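A concrete way to test the `-extensions v3_ca` hypothesis raised above, plus a sanity check on the DER files before they are baked into certificates.h or uploaded to SPIFFS, as an added example that is not from the pubsubclient project or from anyone in this thread. It parses DER directly (no OpenSSL bindings needed) and checks two things: that a file is exactly one top-level DER SEQUENCE with no trailing bytes (a PEM file passed off as DER, or a truncated or padded file, fails here), and that a CA certificate carries basicConstraints (OID 2.5.29.19) with cA=TRUE, which is what the `v3_ca` section of the default openssl.cnf adds and what a peer needs in order to accept the certificate as an issuer. The sample certificates are constructed skeletons (Certificate > tbsCertificate > [3] extensions, with only that one extension and a fake signature); they are not real certificates and are not signed, and the tiny `tlv()` encoder exists only to build them.

```python
"""Added example, not from the pubsubclient project: DER file check + basicConstraints cA check."""

TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30
OID_BASIC_CONSTRAINTS = bytes([0x55, 0x1D, 0x13])   # 2.5.29.19


def read_tlv(data: bytes, pos: int):
    """Decode one TLV at pos with DER length rules; return (tag, body, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        if pos + n > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError(f"declared length {length} runs past end of data")
    return tag, data[pos:end], end


def der_file_problem(data: bytes):
    """None if data is one complete top-level SEQUENCE, else a short diagnosis."""
    if not data or data[0] != TAG_SEQUENCE:
        return "does not start with a SEQUENCE: PEM text rather than DER?"
    try:
        _, _, end = read_tlv(data, 0)
    except ValueError as exc:
        return str(exc)
    if end != len(data):
        return f"{len(data) - end} trailing bytes after the top-level SEQUENCE"
    return None


def walk(data: bytes):
    """Depth-first over every TLV, descending into constructed nodes only."""
    pos = 0
    while pos < len(data):
        tag, body, pos = read_tlv(data, pos)
        yield tag, body
        if tag & 0x20:              # SEQUENCE, SET, [n] EXPLICIT ...
            yield from walk(body)


def basic_constraints_ca(cert_der: bytes):
    """True/False for cA in basicConstraints; None if the extension is absent."""
    for tag, body in walk(cert_der):
        if tag != TAG_SEQUENCE:
            continue
        try:   # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            t, oid, p = read_tlv(body, 0)
            if t != TAG_OID or oid != OID_BASIC_CONSTRAINTS:
                continue
            t, val, p = read_tlv(body, p)
            if t == TAG_BOOLEAN:                      # skip the optional critical flag
                t, val, p = read_tlv(body, p)
            if t != TAG_OCTET_STRING:
                continue
            # extnValue wraps BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            _, bc, _ = read_tlv(val, 0)
            if not bc:
                return False                         # empty SEQUENCE: cA defaults to FALSE
            t, flag, _ = read_tlv(bc, 0)
            return t == TAG_BOOLEAN and flag == b"\xff"
        except ValueError:
            continue
    return None


def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert(ca: bool) -> bytes:
    """Constructed skeleton: v3 certificate carrying only a basicConstraints extension."""
    bc = tlv(TAG_SEQUENCE, tlv(TAG_BOOLEAN, b"\xff") if ca else b"")
    ext = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_BASIC_CONSTRAINTS)
              + tlv(TAG_BOOLEAN, b"\xff") + tlv(TAG_OCTET_STRING, bc))
    tbs = tlv(TAG_SEQUENCE, tlv(0xA0, tlv(TAG_INTEGER, b"\x02"))    # [0] version v3
              + tlv(TAG_INTEGER, b"\x01")                            # serialNumber
              + tlv(0xA3, tlv(TAG_SEQUENCE, ext)))                    # [3] extensions
    return tlv(TAG_SEQUENCE, tbs + tlv(0x03, b"\x00" + b"\xAA" * 16))  # fake signature BIT STRING


def sample_v1_cert() -> bytes:
    """Constructed skeleton of a v1 certificate: no extensions at all."""
    return tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01")))


if __name__ == "__main__":
    for label, der in (("ca", sample_cert(True)), ("leaf", sample_cert(False)), ("v1", sample_v1_cert())):
        print(label, der_file_problem(der), basic_constraints_ca(der))
```

On real files, run `der_file_problem()` on each DER blob you intend to load and `basic_constraints_ca()` on the CA certificate: `None` for the first and `True` for the second is the state you want before blaming the ESP side; `False` or `None` from the second means the CA certificate was not issued with CA:true (a v3 certificate without it will not be accepted as an issuer), which is exactly the `-extensions v3_ca` point.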

tomkcook commented 7 years ago

Might be best to have this discussion in the blog comments, though.

jyotirajsharma commented 7 years ago

Hi, Sorry for posting this here.

Thank you for sharing this information. I am still getting exact same error even after applying commands suggested by you.

Please let me know where I can post my queries so that they are visible to you and we can discuss further there.

Thanks,

jyotirajsharma commented 7 years ago

Please help to reply this. http://stackoverflow.com/questions/42081153/tls-error-occured-while-trying-to-connect-mqtt-client-over-secure-tls

marihanGirgis commented 7 years ago

I can't find the WiFiClientSecure lib zip file, or it in the Arduino board manager; how can I include it?

tomkcook commented 7 years ago

It's in the esp8266 board support package.

KillerKrapfen commented 6 years ago

Hi, I'm trying to use PubSub and WiFiClientSecure with TLS (only with v1 or v1.1, because WiFiClientSecure doesn't support v1.2).

I've extracted the certificate content and converted it to a binary string (.crt and .key in the certificates.h). It's the same as @tomkcook did.

I've also tested my mosquitto server and its config (with mosquitto_pub and mosquitto_sub --> with those it always works) with different settings:

But none of the different test vectors/mosquitto settings led to a successful connection/interaction with my MQTT broker on my Raspberry Pi 3.

Whatever mosquitto settings are used, the esp8266 board reboots after trying to connect to the mqtt broker (I see it in the logfile --> New connection from 192.168.42.12 on port 8883).

I used the Basic ESP8266 MQTT example (first without any TLS --> mosquitto running on port 1883) and all worked fine. But since I activated TLS (port 8883) with the settings and their combinations (as mentioned above), the board crashes and reboots and tries to make a new connection.

I also tried subscribing to only one topic as @tomkcook suggested and running the board at 160MHz --> still the same issue.

Here is the Code:


#include <ESP8266WiFi.h>
#include <PubSubClient.h>
#include "certificates.h"

// Update these with values suitable for your network.
// Change the credentials below, so your ESP8266 connects to your router
// WiFi parameters
const char* ssid = "WiFi-Network";
const char* password = "password123"; //created with KeePassX
const char* mqtt_server = "192.168.0.23";

WiFiClientSecure espClient;
PubSubClient client(espClient);
long lastMsg = 0;
char msg[50];
int value = 0;

void setup_wifi() {

  delay(10);
  // We start by connecting to a WiFi network
  Serial.println();
  Serial.print("Connecting to ");
  Serial.println(ssid);

  WiFi.begin(ssid, password);

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }

  randomSeed(micros());

  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

//void callback(char* topic, byte* payload, unsigned int length) {
//  Serial.print("Message arrived [");
//  Serial.print(topic);
//  Serial.print("] ");
//  for (int i = 0; i < length; i++) {
//    Serial.print((char)payload[i]);
//  }
//  Serial.println();
//
//  // Switch on the LED if an 1 was received as first character
//  if ((char)payload[0] == '1') {
//    digitalWrite(BUILTIN_LED, LOW);   // Turn the LED on (Note that LOW is the voltage level
//    // but actually the LED is on; this is because
//    // it is acive low on the ESP-01)
//  } else {
//    digitalWrite(BUILTIN_LED, HIGH);  // Turn the LED off by making the voltage HIGH
//  }
//
//}

void reconnect() {
  // Loop until we're reconnected
  while (!client.connected()) {
    Serial.print("Attempting MQTT connection...");
    // Create a random client ID
    String clientId = "ESP8266Client-";
    clientId += String(random(0xffff), HEX);
    // Attempt to connect
    if (client.connect(clientId.c_str(), "admin", "admin")) {
      Serial.println("connected");
      // Once connected, publish an announcement...
//      client.publish("outTopic", "hello world");
      // ... and resubscribe
      client.subscribe("inTopic");
    } else {
      Serial.print("failed, rc=");
      Serial.print(client.state());
      Serial.println(" try again in 5 seconds");
      // Wait 5 seconds before retrying
      delay(5000);
    }
  }
}

void setup() {
  pinMode(BUILTIN_LED, OUTPUT);     // Initialize the BUILTIN_LED pin as an output
  Serial.begin(115200);
  setup_wifi();
  espClient.setCertificate(esp8266_bin_crt, esp8266_bin_crt_len);
  espClient.setPrivateKey(esp8266_bin_key, esp8266_bin_key_len);
  client.setServer(mqtt_server, 8883);
//  client.setCallback(callback);
}

void loop() {

  if (!client.connected()) {
    reconnect();
  }
  client.loop();

//  long now = millis();
//  if (now - lastMsg > 2000) {
//    lastMsg = now;
//    ++value;
//    snprintf (msg, sizeof(msg), "hello world #%d", value);  // bounded by the buffer size, not a larger constant
//    Serial.print("Publish message: ");
//    Serial.println(msg);
//    client.publish("outTopic", msg);
//  }
}

Here is the error output:


Connecting to WiFi-Network
....
WiFi connected
IP address: 
192.168.42.12
Attempting MQTT connection...
Exception (3):
epc1=0x4020be43 epc2=0x00000000 epc3=0x00000000 excvaddr=0x40246430 depc=0x00000000

ctx: cont 
sp: 3fff0220 end: 3fff0ab0 offset: 01a0

>>>stack>>>
3fff03c0:  1d687b6b fd96d4ed dcd9d0ec 8d490006  
3fff03d0:  0153511a 3fff0460 3fff06d0 3fff3b58  
3fff03e0:  3fff0420 3fff61fc 3fff4612 4021f5e3  
3fff03f0:  3fff07b8 00001498 00000000 3fff0420  
3fff0400:  00000000 30090000 3fff4612 3fff3b58  
3fff0410:  00000000 3fff61fc 3fff4612 40217e7c  
3fff0420:  dcc8a2f5 8dd3dd89 4e79c51f ffd7e9c5  
3fff0430:  f8f68889 c36d1b1a 771054ff f307561b  
3fff0440:  c850eb2e 704ea7d6 f6319705 c0366c23  
3fff0450:  739d769f 377b4550 04f14b9a b2522ebb  
3fff0460:  9e0e809b 060c3088 131d5503 03300504  
3fff0470:  20ff0101 c54be922 b2017cad fba55b0a  
3fff0480:  4ff123cf c4b23540 2996ad92 858535f9  
3fff0490:  95d24d8d 778e5805 02030100 09f337ef  
3fff04a0:  4e301d06 01a35030 04160414 03551d0e  
3fff04b0:  96853c38 48ca90ac 164be29b a97dd382  
3fff04c0:  301f0603 800e9e88 18301680 551d2304  
3fff04d0:  ac96853c 1448ca90 82164be2 38a97dd3  
3fff04e0:  ed88db5e 7a44461a 2a78aa5f fa1f5faf  
3fff04f0:  0d549c33 8948ed94 cde25a4c 6e2245d6  
3fff0500:  2ef659d4 c6ffac26 17240594 0c10e9da  
3fff0510:  e27df111 b4f76be6 339e3954 6b1058e8  
3fff0520:  edcaa271 2cbcd585 078665d4 475e2dca  
3fff0530:  d4d948a7 364cc127 9736563f 2a5b7a9c  
3fff0540:  e9314192 d23d1c3c 872afae9 d8e2a748  
3fff0550:  af6b3273 3808b8b8 19764f55 643ecee6  
3fff0560:  e84548c0 0b8f8242 441b077b 1037f160  
3fff0570:  7bf50c65 2491d9c5 94003124 d7a46fbc  
3fff0580:  0d4bdbe7 b78ec725 004dd204 c719c591  
3fff0590:  441f5142 40404c2f 13941859 df5e5e65  
3fff05a0:  24208204 1d86e3bc c8af72a0 22f16f1a  
3fff05b0:  64df025c b4460785 d9e0970f d5a7c42f  
3fff05c0:  7736d888 de1a08d9 f27531b8 c4f87de7  
3fff05d0:  87013a09 27d37069 f48de460 ca881aa0  
3fff05e0:  23cf4e55 3af27c79 c059ad03 a78a43aa  
3fff05f0:  9b0c281e 879706ca d6a291ed fe4aaa1b  
3fff0600:  45bb7048 9ef2c850 ea20155b f55fe27d  
3fff0610:  95734cd8 5e7bcf1d 68c71f00 d0b7e8a6  
3fff0620:  d3b4912d 116d67c2 c40da448 17a5c036  
3fff0630:  122dffe1 b048e5a1 331a0ad4 65034b38  
3fff0640:  3c166028 ee255a64 126d55c5 26caf2f7  
3fff0650:  66339c6a bb3e4a1c f44465b8 409fc3c5  
3fff0660:  1090d0f5 cc59fa6e 323d3037 3d61cced  
3fff0670:  98d9e935 7ba1ea08 01893b07 41477fe7  
3fff0680:  a5446db3 483544f8 bc0d0265 d4dba369  
3fff0690:  c8bbe1b5 d5825b1e dafb95c0 4859b6b8  
3fff06a0:  b4dac16b 662bae35 c9687277 fd913054  
3fff06b0:  6b533d22 40a7b999 c91a2e96 ec8a8ce2  
3fff06c0:  502b0835 7caa3e74 85461739 54d4469a  
3fff06d0:  0d44982a 21cc374a 2c8ff16c 1e59d88a  
3fff06e0:  00000013 3ffed698 00000293 00000000  
3fff06f0:  00000140 00000000 2672ab24 7d7b99c7  
3fff0700:  f4a8ec77 5ce1de30 7d83abee 666d5172  
3fff0710:  d54f03d9 cd937ca9 7c01b20a 35b2c4ad  
3fff0720:  23f14f40 358585cf ad9629f9 588e7792  
3fff0730:  4dd29505 37f3098d 010302ef 00800100  
3fff0740:  00000000 00000000 00000000 00000000  
3fff0750:  00000000 30090000 1c68d677 b039eedb  
3fff0760:  2ad9b72d dc9f521a dfe5fe78 00000000  
3fff0770:  00000000 00000000 00000000 00000000  
3fff0780:  00000000 00000000 00000000 00000000  
3fff0790:  00000000 00000000 00000000 00000000  
3fff07a0:  00000000 00000000 00000000 00000000  
3fff07b0:  00000000 b1d10000 e658aa25 a908ef3c  
3fff07c0:  45c45646 dbbe3b3b 820df8ac e169eb25  
3fff07d0:  321d28b4 8b35f218 1be15058 fe410b6e  
3fff07e0:  2e9d8d46 f8f63957 20ccec9b 78641e52  
3fff07f0:  5eb037ad 01e4c3ba 00000278 00000258  
3fff0800:  000003b7 00000002 000003ab 00000245  
3fff0810:  00000297 a5449d64 d5ff283d a0c01788  
3fff0820:  3fff0800 00000004 0000011f 00000000  
3fff0830:  00000000 3fff6a4c 5e030b5f 00000900  
3fff0840:  3fff40b1 00000008 00000561 00000001  
3fff0850:  3fff3b58 3fff40b1 00000561 40215919  
3fff0860:  00000905 3fff1f54 0000090c 3fff3b54  
3fff0870:  3fff5b84 00000007 00860011 3fff1fa8  
3fff0880:  000003ab 2e66dba2 cadbf9dd 32561dcd  
3fff0890:  4f96d134 6ec3fe55 ee0080e3 0000090c  
3fff08a0:  3fff40b1 0000090c 3fff1f54 40216f5a  
3fff08b0:  e52afce9 fcb6136a 372f77c5 f01ead8b  
3fff08c0:  161e7b39 2fcd21a2 4daf0319 ffb9f4aa  
3fff08d0:  adb43948 30588dc8 4139236e 7dac9906  
3fff08e0:  3dbe2e9c 3fff2084 3fff2044 00000880  
3fff08f0:  0000090c 3fff4988 00000034 3fff2084  
3fff0900:  3fff40b1 0000090c 3fff1f54 0000090c  
3fff0910:  3fff40b1 0000090c 3fff1f54 402169a4  
3fff0920:  37cb220f 3fff1c88 00000000 00000029  
3fff0930:  0000005e 3fff40b1 3fff1f54 40216d80  
3fff0940:  0000000c 3fff40e4 3fff1f54 401004d8  
3fff0950:  3fff09a0 0000000b 00000010 00000000  
3fff0960:  00000000 3fff1c54 3fff1f54 01000000  
3fff0970:  3fff09a0 3fff1374 3fff1f54 40216b0c  
3fff0980:  3ffef7fc 3fff1374 3ffef7fc 00001387  
3fff0990:  00000834 3fff1374 3ffef7fc 4020357d  
3fff09a0:  3ffef7fc 00000000 3fff1d3c 40202c3e  
3fff09b0:  3fff1d3c 3fff1c84 000004a8 00000000  
3fff09c0:  000022b3 3ffef7fc 3ffe91e8 00000000  
3fff09d0:  000022b3 3ffef7fc 3ffe91e8 40203779  
3fff09e0:  3ffe9560 1700a8c0 3ffe9560 1700a8c0  
3fff09f0:  3ffe91a8 3ffef740 00000000 40203aa1  
3fff0a00:  00000020 3fff0a6c 3fff0a6c 4020437f  
3fff0a10:  3ffe91a8 3fff3b2c 00000000 402043cb  
3fff0a20:  3ffefa38 0000050a 0000050a 3ffefa84  
3fff0a30:  3fffdad0 3ffef740 3ffefa58 40203bf0  
3fff0a40:  00000000 00000000 3ffefa58 40204324  
3fff0a50:  3fffdad0 3ffef740 3ffefa58 40202186  
3fff0a60:  00000000 00000000 00000000 3fff3b2c  
3fff0a70:  0000001f 00000012 3ffef740 40204978  
3fff0a80:  3fffdad0 00000000 3ffef740 4020226a  
3fff0a90:  feefeffe feefeffe 3ffefa7d 4020466c  
3fff0aa0:  feefeffe feefeffe 3ffefa90 4010070c  
<<<stack<<<

 ets Jan  8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 1384, room 16 
tail 8
chksum 0x2d
csum 0x2d
v00000000
~ld

Thanks in advance.

tedder commented 6 years ago

Tagging onto this with the ESP32. It should support it nicely, but doesn't; fails with rc=-2, using a sketch very similar to the above.

eLement87 commented 6 years ago

Hey Guys,

after a couple of days I've got my ESP8266 working with client certificates and secure authentication.

Arduino IDE 1.8.5
ESP8266-Arduino 2.4.0-rc2
PubSubClient 2.6.0
Mosquitto 1.4.14

ESP8266 NodeMCU 0.9, clock speed: 160MHz

First I created a CA and a server certificate with the help of the Mosquitto manual.

/etc/mosquitto/mosquitto.conf

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/mqttserver.crt
keyfile /etc/mosquitto/certs/mqttserver.key
require_certificate true
use_identity_as_username true

Then I created a client certificate and private key and exported both to DER:

Client certificate: openssl x509 -in /etc/mosquitto/certs/client.crt -out /etc/mosquitto/certs/clientcrt.der -outform DER

Client private key: openssl rsa -in /etc/mosquitto/certs/client.key -out /etc/mosquitto/certs/clientkey.der -outform DER

Don't forget to export the CA too: openssl x509 -in /etc/mosquitto/ca_certificates/ca.crt -out /etc/mosquitto/ca_certificates/ca.der -outform DER

Next you have to upload these three files to the SPIFFS of your ESP. Download the newest version of the uploader from: https://github.com/esp8266/arduino-esp8266fs-plugin

Place the cert, private key and the CA in the data folder of your sketch and upload the files.

At last you can upload the sketch: https://gist.github.com/eLement87/133cddc5bd0472daf5cb35a20bfd811e

At the moment I'm not able to verify the fingerprint of my server. The function is implemented in the sketch but not "activated". I don't know why, but I think the reason is that my certificate is self-signed.

With a Let's Encrypt certificate I'm able to verify the fingerprint.

Anyway, the client authenticates with a cert and the connection is secured with TLS 1.2 on port 8883.

gmag11 commented 5 years ago

Current ESP8266 Arduino core supports TLSv1.2. Here you can find an example using CA certificate for server verification. https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/examples/WiFiClientSecure/WiFiClientSecure.ino

woodz- commented 4 years ago

@gmag11: I guess you used a client certificate which can be generated by openssl as described in the mosquitto manual, right? If so, it must be working with self signed certificates, right?

marcoavaccaro commented 3 years ago

Hello guys, I'm trying to connect to AWS, which requires:

wifiClient.loadCACert(ca);
wifiClient.loadCertificate(client_cert);
wifiClient.loadPrivateKey(client_key);

Via WiFi I can do it with no problems. But the Ethernet library present in Arduino does not have these 3 classes above.

Does someone know how to connect to AWS via an Ethernet shield using the ESP32?