marvinroger / async-mqtt-client

📶 An Arduino for ESP8266 asynchronous MQTT client implementation
MIT License

SSL support for ESP32 #140

Open chessweb01 opened 5 years ago

chessweb01 commented 5 years ago

I'm porting my app from ESP8266 to ESP32. When I enable SSL the compiler tells me "tcp_axtls.h: No such file or directory".

Is that due to the fact that me-no-dev/AsyncTCP still doesn't support SSL?

tve commented 5 years ago

You are correct. If you're adventurous, you could try https://github.com/tve/async-mqtt-client See also https://github.com/me-no-dev/AsyncTCP/pull/43

OscarArgueyo commented 4 years ago

> You are correct. If you're adventurous, you could try https://github.com/tve/async-mqtt-client See also me-no-dev/AsyncTCP#43

Is it possible to merge that fork with this repository? I know this is an old issue. We are still facing troubles when we try to connect our ESP32 over SSL with the ASYNC_TCP_SSL_ENABLED flag. The file tcp_axtls.h is still a missing dependency even though that file is from the ESP8266 version of me-no-dev/ESPAsyncTCP

Thanks!

qwandor commented 4 years ago

Is there any update on this? Can the fork mentioned above be merged?

kfine100 commented 3 years ago

Is there an update on this? I need client SSL support only for the ESP32. I will try tve's branch, but the "if you're adventurous" comment does not inspire confidence!

luebbe commented 3 years ago

I guess the situation is still the same if I interpret @bertmelis https://github.com/marvinroger/async-mqtt-client/issues/239#issuecomment-795288499 correctly

bertmelis commented 3 years ago

It's trivial to patch this lib (maybe we should?). Next, you'll have to use (for example) tve's fork of AsyncTCP, the correct branch.

I believe that's all there is to it. There is no certificate check though, so MITM is not covered.

kleini commented 3 years ago

Why does async-mqtt-client need a patch for SSL support for ESP32? That should be the responsibility of AsyncTCP or am I wrong here?

bertmelis commented 3 years ago

> Why does async-mqtt-client need a patch for SSL support for ESP32? That should be the responsibility of AsyncTCP or am I wrong here?

It won't compile because the methods in AsyncTCP and ESPAsyncTCP are not the same. There is also no fingerprint checking available in AsyncTCP.

kleini commented 3 years ago

Thanks. I thought AsyncTCP is just the ESP32 equivalent of ESPAsyncTCP.

bertmelis commented 3 years ago

It is, but not the TLS part. (there are also some behavioural specifics)

kfine100 commented 3 years ago

I tried out tve's branch and I cannot even get it to compile! I am probably making an obvious error. If anyone could help I would appreciate it.

I am programming the ESP 32 on PlatformIO on Visual Studio. The Arduino framework. I have been using AsyncMQTTClient for a while and it works great. Now I am trying to get SSL going on my client (the ESP32).

So I changed to using tve's fork of async-mqtt-client along with his fork of AsyncTCP. I followed his instructions here

https://github.com/tve/AsyncTCP/tree/mbed-tls

including adding build_flags = -DASYNC_TCP_SSL_ENABLED=true to platformio.ini.

I get the compiler errors

```
In file included from .pio/libdeps/esp32dev/AsyncTCP/src/AsyncTCP.cpp:24:0:
.pio/libdeps/esp32dev/AsyncTCP/src/AsyncTCP.h: In constructor 'AsyncClient::AsyncClient(tcp_pcb*)':
.pio/libdeps/esp32dev/AsyncTCP/src/AsyncTCP.h:77:11: error: 'AsyncClient::_root_ca' will be initialized after [-Werror=reorder]
    char* _root_ca;
          ^
.pio/libdeps/esp32dev/AsyncTCP/src/AsyncTCP.h:76:12: error:   'size_t AsyncClient::_root_ca_len' [-Werror=reorder]
    size_t _root_ca_len;
           ^
.pio/libdeps/esp32dev/AsyncTCP/src/AsyncTCP.cpp:411:1: error:   when initialized here [-Werror=reorder]
 AsyncClient::AsyncClient(tcp_pcb* pcb)
 ^
```

Another odd thing is that tcp_mbedtls.c is greyed out in VS, even though the #if ASYNC_TCP_SSL_ENABLED shows true. I do not know if that is related but I do not understand it. This must be used, right?

I do not need to use certificates but will use pre-shared keys. Looks like I will need to call setPsk with the key, but I need to get it to compile first!

Thanks for any help, Kevin

luebbe commented 3 years ago

The [-Werror=reorder] error means that the members in the constructor's initializer list are listed in a different order than they were declared in the .h file. This should normally be easy to fix by swapping the corresponding members so the two orders match.
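As an added illustration of the point above (example code, not from the thread or from AsyncTCP), here is a hypothetical class with the same two members. C++ initialises members in declaration order, not in initializer-list order, which is why GCC complains: if `_root_ca_len` is computed from `_root_ca` but declared before it, it would be computed from a pointer that has not been set yet.

```arduino
#include <cstring>

// Hypothetical holder mirroring the two members from the compiler error.
class CaHolder {
  public:
    explicit CaHolder(const char* rootCa)
      : _root_ca(rootCa),
        _root_ca_len(rootCa ? std::strlen(rootCa) : 0) {}  // reads _root_ca

    size_t length() const { return _root_ca_len; }

  private:
    // Declared in the same order as the initializer list above. If these
    // two lines were swapped, -Wreorder would fire, and _root_ca_len would
    // be computed from an uninitialised _root_ca regardless of the list order.
    const char* _root_ca;
    size_t      _root_ca_len;
};

void setup() {
  Serial.begin(115200);
  CaHolder holder("-----BEGIN CERTIFICATE-----\n");  // constructed sample input
  Serial.printf("root CA length: %u\n", (unsigned)holder.length());
}

void loop() {}
```

Treating the warning as an error (which the fork's build does) is the right default here: the dependency between the two members means the wrong order is a real bug, not a cosmetic one.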

kfine100 commented 3 years ago

Thanks luebbe, you are right. Just switching the declarations in AsyncTCP.h like this

```cpp
char* _root_ca;
size_t _root_ca_len;
```

and the errors went away. Also my "greyed out" problem in tcp_mbedtls.c was caused by defining ASYNC_TCP_SSL_ENABLED both in the code and in a build flag. I removed the definition and the gray went away (yay!).

I would like to encourage the authors to add the client PSK encryption into the master. A little more documentation would help, for example, which of these is supported?

| CipherSuite | Key Exchange | Cipher | Hash |
|---|---|---|---|
| TLS_PSK_WITH_RC4_128_SHA | PSK | RC4_128 | SHA |
| TLS_PSK_WITH_3DES_EDE_CBC_SHA | PSK | 3DES_EDE_CBC | SHA |
| TLS_PSK_WITH_AES_128_CBC_SHA | PSK | AES_128_CBC | SHA |
| TLS_PSK_WITH_AES_256_CBC_SHA | PSK | AES_256_CBC | SHA |

I am also wondering: is any of the ESP32 encryption hardware used? mbedtls looks to be pure software so maybe it can be sped up.

Once I get it working I will be glad to write up any details I learn. Encrypted MQTT is useful for a lot of Edge computing.

Kevin

bertmelis commented 3 years ago

I'm not even remotely familiar with TLS, so I can't answer these questions. However, if you needed to patch the MQTT client, I cordially invite you to create a PR in the develop branch.

kfine100 commented 3 years ago

Thanks, Bert.

If I get things up and running I will try to contribute something.

Kevin

Puntoboy commented 3 years ago

Any update on this? I really need to get MQTT working over SSL on my ESP32 using https://github.com/esphome/esphome which uses AsyncTCP.

kfine100 commented 3 years ago

I could never get SSL working with Async MQTT Client. It would work for a while, then crash. I finally changed over to the Arduino MQTT package. https://www.arduino.cc/reference/en/libraries/mqtt/

It uses WiFiClientSecure and works reliably with both PSK and certificates. I recommend it.

Kevin
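To make the two security points in this thread concrete (bertmelis's "no certificate check, so MITM is not covered", and the PSK-or-certificate setup kfine100 describes with WiFiClientSecure and the Arduino MQTT library), here is an added ESP32 sketch. It is example code written for this discussion, not code from the thread, from async-mqtt-client or from the Arduino MQTT library. The SSID, password, broker host, client id, CA certificate and PSK identity/key are all constructed placeholders.

```arduino
#include <WiFi.h>
#include <WiFiClientSecure.h>
#include <MQTT.h>   // arduino-mqtt ("MQTT" by Joel Gaehwiler), as recommended above

// Constructed placeholders; replace every one of these with your own values.
static const char*    WIFI_SSID = "your-ssid";
static const char*    WIFI_PASS = "your-wifi-password";
static const char*    MQTT_HOST = "broker.example.invalid";
static const uint16_t MQTT_PORT = 8883;
static const char*    CLIENT_ID = "esp32-device-01";

// 1 = authenticate with a pre-shared key, 0 = verify the broker's certificate.
#define USE_PSK 0

// Option A: the CA that signed the broker's certificate, PEM encoded (placeholder).
static const char* ROOT_CA =
  "-----BEGIN CERTIFICATE-----\n"
  "...paste your CA certificate here (placeholder)...\n"
  "-----END CERTIFICATE-----\n";

// Option B: PSK identity and key. WiFiClientSecure takes the key as a hex
// string; the broker must hold the same identity/key pair (placeholders).
static const char* PSK_IDENTITY = "esp32-device-01";
static const char* PSK_HEX      = "00112233445566778899aabbccddeeff";

WiFiClientSecure net;
MQTTClient       mqtt;

static void onMessage(String& topic, String& payload) {
  Serial.printf("rx %s: %s\n", topic.c_str(), payload.c_str());
}

static void connectWifi() {
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
  }
}

static void connectMqtt() {
  while (!mqtt.connect(CLIENT_ID)) {
    // A failed TLS handshake (untrusted broker certificate, wrong PSK) surfaces
    // here as a failed connect. Fix the trust material, never fall back to
    // setInsecure() to make the error go away.
    Serial.printf("mqtt connect failed, error %d\n", (int)mqtt.lastError());
    delay(2000);
  }
  mqtt.subscribe("devices/esp32-device-01/cmd");
}

void setup() {
  Serial.begin(115200);
  connectWifi();

#if USE_PSK
  net.setPreSharedKey(PSK_IDENTITY, PSK_HEX);  // mutual authentication, no certificates
#else
  net.setCACert(ROOT_CA);                      // broker must present a chain to this CA
#endif
  // net.setInsecure();  // the "no certificate check" mode discussed above: the
                         // traffic is encrypted, but any host answering on 8883
                         // is accepted as the broker, so MITM is not covered.

  mqtt.begin(MQTT_HOST, MQTT_PORT, net);
  mqtt.onMessage(onMessage);
  connectMqtt();
}

void loop() {
  mqtt.loop();
  if (!mqtt.connected()) {
    connectMqtt();
  }
  static unsigned long lastPublish = 0;
  if (millis() - lastPublish > 10000) {
    lastPublish = millis();
    mqtt.publish("devices/esp32-device-01/status", "alive");
  }
}
```

With `setCACert()` the ESP32 core checks the broker's chain against the supplied CA and the host name against the certificate, which is what turns TLS from "encrypted" into "authenticated". With `setPreSharedKey()` both sides must know the same key, so a broker that cannot prove knowledge of it is rejected as well; the cipher suites negotiated in that mode are the PSK ones from the table earlier in the thread, and which of those the mbedTLS build accepts is decided by the core's mbedTLS configuration, not by this sketch.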

bertmelis commented 3 years ago

I never really had a use case for secure MQTT on an ESP32. Now I have, so I'm thinking about a solution here...

What about this: It'll be quite a change, but I could separate the MQTT API from the communication and have two different backends. One completely async for ESP8266 and one using the WiFiClient(Secure) for ESP32. The latter is blocking but can be put in a separate task so it doesn't block the main task. (that's actually what happens in the asynctcp for esp32 anyway) At the moment I'm only thinking about it, haven't started yet.

Pablo2048 commented 3 years ago

Well, actually after the 3.0.0 Core release for the ESP8266 the whole SSL thing with ESPAsyncTCP is broken. Your solution for ESP32 is good, but I think that the best solution is to modify ESPAsyncTCP to use BearSSL, and to modify AsyncTCP to use the ESP32 SSL library (if there is any). Maybe @Adam5Wu can give his suggestion here...

bertmelis commented 3 years ago

Ah, didn't know. I don't have the time to read myself into TLS so I can't update the async tcp libs.

kfine100 commented 3 years ago

Bert, let me give an up vote for implementing SSL. IoT devices are an entry point for attacks, so there is need for secure comms over the net with the ESPs. It would be even better if we could get TLS 1.3. Maybe somebody can help with AsyncTCP and the Bear. There is also the Wolf https://www.wolfssl.com/wolfssl-esp32-hardware-acceleration-support/

Thanks, Kevin