Webserver with https ?

[ArminPP]

Is there a possibility to operate the awot web server based on https with WiFi and Ethernet ?

Thank you for some advice, Armin

[lasselukkari]

Kinda. On ESP8266 this already works but is extremely slow because of the limited processing power. Using it for sending credential is maybe ok, but anything else involving more bandwidth is just way too slow.

I have not verified the situation lately but last time I checked the ESP32 arduino core did not have the secure server implemented yet. Here is the open issue: https://github.com/espressif/arduino-esp32/issues/3902. It says "https server will be added in the next major version of Arduino".

To sum it up there is nothing preventing using the library with a secure server implementation. It works with any class derived from the Stream or Client.

[ArminPP]

I see, thank you for your explanation. So I'm waiting for the next Arduino release...

[ArminPP]

I am reopening this thread because unfortunately I have not found a solution to my problem.

I want to make the aWOT web server secure via WiFi and Ethernet, either by HTTPS or by server-side encryption.

At the moment I am using basic auth WebAPP.use(&auth); which is not really secure I presume... (And it does not secure the credentials)

---

• Variant A (HTTPS): I found a library that fulfills these conditions, however it does not provide a client stream. [https://github.com/fhessel/esp32_https_server_compat/issues/4#issuecomment-718863563]() I guess that is an exclusion criterion? (I was asking for help at the git of the developer, but unfortunately there has been no response yet.) By the way, the library uses a similar approach (?) as aWOT, unfortunately I don't know if this is useful ...

  void handleRoot(HTTPRequest * req, HTTPResponse * res) {
  // We want to deliver an HTML page, so we set the content type
  res->setHeader("Content-Type", "text/html");
  // The response implements the Print interface, so you can use it just like
  // you would write to Serial etc.
  res->println("<!DOCTYPE html>");
  (..)

• The second method, to only do the authentication from the aWOT web server with HTTPS, unfortunately fails due to my lack of knowledge, a small code snippet / tip would be very nice.

---

• Variant B (encryption): I wrote the credentials from the aWOT webserver with LittleFS into the flash memory (instead of using the removeable SD-Card). Unfortunately all the data is unencrypted and can be read with Wireshark: (which was probably clear to every professional, but now also to me :-))

  0000   00 8c fa 87 d6 1c de ad be ef fe e1 08 00 45 00   ..............E.
  0010   00 c0 01 3f 40 00 80 06 7e 09 0a 02 33 80 0a 02   ...?@...~...3...
  0020   33 6c 00 50 14 f8 c0 a5 c5 e7 5c 15 9f 03 50 18   3l.P......\...P.
  0030   08 00 5d 4a 00 00 7b 22 53 53 49 44 22 3a 22 74   ..]J..{"SSID":"t
  0040   65 73 74 22 2c 22 57 69 46 69 50 61 73 73 77 6f   est","WiFiPasswo
  0050   72 64 22 3a 22 74 65 73 74 22 2c 22 44 48 43 50   rd":"test","DHCP
  (..)

So I tried to encrypt the data with AES, on ESP32 with https://github.com/kakopappa/arduino-esp8266-aes-encryption-with-nodejs and in aWOT with https://github.com/brix/crypto-js. This worked fine, however the key is unencrypted readable from the browser with the developer tools.

---

I would very much like to use HTTPS, or at least encrypt the most important data, but unfortunately I can't find a solution.

I am very grateful for any tip, link or advice on the solution, and I would also be very happy to see a completely new approach that I am not yet familiar with.

Thanks, Armin

[lasselukkari]

The version 2 of the esp32 arduino core is not out yet. Are you using the alpha version of the core?

Edit: The core issue is still open and the feature is not implemented. There is no really secure solution before the core supports the encrypted server connections. If you are just sending initial wifi credentials in AP mode the wifi connection itself should be encrypted.

[ArminPP]

That's a pity, I was still hoping for a workaround ;-) Now I have to be patient again ...