Open rin67630 opened 2 months ago
Hey Laszlo,
I'm not sure what you're asking.
If you'd like to use PicoMQTT to build an MQTT bridge to forward messages from LAN to an external broker, have a look at #26.
If you'd like to use PicoMQTT to set up a secure mqtts connection (aka MQTT over TLS), you can achieve that using WiFiClientSecure:

```cpp
#include <PicoMQTT.h>

// Any Arduino Client implementation can be passed in; WiFiClientSecure gives TLS.
WiFiClientSecure client;
PicoMQTT::Client mqtt(client, "some.mqtt.server.com");

void setup() {
    // TODO: don't forget to initialize client with TLS settings as usual
    mqtt.begin();
}

void loop() {
    mqtt.loop();
}
```
Thank you Michal for that super-fast reply. :-) Yes, it should be a relay from LAN to an external broker. #26 was the beginning of a solution. I cannot, however, find in that example any port definition, nor switches for TLS encryption. How to define that it should receive plain MQTT on port 1883 from the LAN and forward TLS-encrypted MQTT on port 8883 to the broker in the "Wild West Web" and vice versa?
I am sorry to bother you if it is trivial, but that isn't clear to me at all...
Using `WiFiClientSecure client;` before calling `PicoMQTT::Client mqtt(client, "some.mqtt.server.com");` appears to be something globally valid for the whole ESP device, so either everything is secure or nothing, right?
Is that even doable on an ESP?
Regards from Essen, Germany.
Maybe upon switching between secure and insecure?
Something like `client.setInsecure();` as described in
https://github.com/tuan-karma/ESP32_WiFiClientSecure/blob/main/examples/WiFiClientInsecure/WiFiClientInsecure.ino
It is not clear to me what it really does, just accept non-ciphered communication as well?
So if we start with `WiFiClientSecure()` and then `client.setInsecure();` we could bridge between TLS and plain?
But the question remains: how to specify the ports?
To use TLS you have to create WiFiClientSecure and tell PicoMQTT::Client to use it, as in the example I gave above.
Don't forget to configure it with certs or a fingerprint for the server you want to use. You may need to sync time (e.g. with NTP) to get this working. However, the configuration is the same as usual for any TLS connection.
AFAIK calling setInsecure() will make your client make connections ignoring security. It will use the TLS protocol, but will accept any certificates provided by servers without checking them. This can be dangerous on the internet.
Note that the file you linked seems to be for ESP32, not ESP8266, so the API can be different.
Now to configure custom ports or other details, use the server and client constructors' optional parameters. They're defined here:
Here's a draft of the code:

```cpp
#include <PicoMQTT.h>

// Upstream connection: TLS socket to the external broker on 8883.
WiFiClientSecure secure_socket;
PicoMQTT::Client mqtt(secure_socket, "some.mqtt.server.com", 8883);

// Local plain-text broker for the LAN on 1883.
PicoMQTT::Server server(1883);

void setup() {
    // TODO: configure secure_socket as usual for TLS connections,
    // e.g. secure_socket.setFingerprint(...) or secure_socket.setTrustAnchors(...)

    // Forward everything received from LAN clients to the upstream broker...
    server.subscribe("#", [](const char * topic, const char * message) {
        mqtt.publish(topic, message);
    });
    // ...and everything received from upstream back to the LAN clients.
    mqtt.subscribe("#", [](const char * topic, const char * message) {
        server.publish(topic, message);
    });

    mqtt.begin();
    server.begin();
}

void loop() {
    mqtt.loop();
    server.loop();
}
```
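As an added example (not code from the PicoMQTT project or from anyone in this thread), here is the same two-object bridge with the TLS side filled in for an ESP8266: NTP time sync before the first handshake and a pinned CA via setTrustAnchors() instead of setInsecure(). It assumes the ESP8266 Arduino core with BearSSL; WIFI_SSID, WIFI_PASS, UPSTREAM_HOST and UPSTREAM_CA_PEM are placeholders to replace.

```arduino
// Added example, not from PicoMQTT or this thread. ESP8266 bridge: plain MQTT
// from the LAN on 1883, forwarded over certificate-verified TLS to 8883.
// WIFI_SSID, WIFI_PASS, UPSTREAM_HOST and UPSTREAM_CA_PEM are placeholders.
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <PicoMQTT.h>
#include <time.h>

const char WIFI_SSID[] = "your-ssid";           // placeholder
const char WIFI_PASS[] = "your-password";       // placeholder
const char UPSTREAM_HOST[] = "broker.example";  // placeholder

// CA certificate that signed the upstream broker's certificate (PEM).
// Placeholder: paste the real CA here. An unparseable list fails closed.
const char UPSTREAM_CA_PEM[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
...placeholder, replace with the real CA certificate...
-----END CERTIFICATE-----
)EOF";
BearSSL::X509List upstream_ca(UPSTREAM_CA_PEM);
BearSSL::WiFiClientSecure secure_socket;

PicoMQTT::Client upstream(secure_socket, UPSTREAM_HOST, 8883);  // TLS side
PicoMQTT::Server lan_server(1883);                              // plain LAN side

void setup() {
    WiFi.begin(WIFI_SSID, WIFI_PASS);
    while (WiFi.status() != WL_CONNECTED) delay(250);

    // Certificate validity is checked against the clock and an ESP8266 boots
    // in 1970, so sync time via NTP before the first TLS handshake.
    configTime("UTC0", "pool.ntp.org", "time.nist.gov");
    while (time(nullptr) < 1700000000) delay(250);  // wait until the clock is sane

    // Verify the broker against the pinned CA instead of calling setInsecure().
    secure_socket.setTrustAnchors(&upstream_ca);

    lan_server.subscribe("#", [](const char * topic, const char * payload) {
        upstream.publish(topic, payload);   // LAN -> encrypted upstream
    });
    upstream.subscribe("#", [](const char * topic, const char * payload) {
        lan_server.publish(topic, payload); // upstream -> LAN
    });
    upstream.begin();
    lan_server.begin();
}

void loop() {
    upstream.loop();
    lan_server.loop();
}
```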
Thank you very much, Michal, I appreciate your patience. It will take some time for me to dig into all that new stuff. So an ESP device configured with WiFiClientSecure would accept an unencrypted MQTT on port 1883 too? I will try that and return later with hopefully a success report...
@rin67630 to answer your question:

> So an ESP device configured with WiFiClientSecure would accept an unencrypted MQTT on port 1883 too?

In the example from my last message I'm creating two MQTT objects:

- `PicoMQTT::Client` object -- this one connects to the upstream server. It can only use TLS, because it's used with a `WiFiClientSecure` socket.
- `PicoMQTT::Server` object -- this is the local server only listening on port 1883. It won't accept connections on any other port and it won't use TLS.

You could configure the `PicoMQTT::Server` to accept connections on different ports, with and without TLS, using the [multiserver approach](https://github.com/mlesniew/PicoMQTT?tab=readme-ov-file#multiserver).
Hi! @mlesniew: Do you have an example for Server with TLS?
@ludovic-79 sorry, I have no example for an MQTTS server right now.
Preparing such an example is problematic, because currently only ESP8266 has a WiFiServerSecure class, so an example wouldn't work with ESP32.
You can, however, check out the examples in the https://github.com/mlesniew/PsychicWebSocketProxy repo. The library allows using PicoMQTT via a websocket with the PsychicHTTP library. Secure (TLS) websockets are supported too.
@rin67630 What's important to note here is that the ESP8266 does have classes implemented to support TLS/SSL. Tasmota actually also supports TLS, but it's disabled by default to be as lightweight as possible.
You can enable TLS back by adding a define or by using build flags. It's explained here: Tasmota TLS Secured MQTT
Even if the whole forwarding thing is not necessary because you could just update the firmware with TLS support, there are better suited and more elegant solutions if you want to forward MQTT messages to an MQTTS (TLS) server. The easiest and cheapest is an old router with OpenWrt flashed; then you can use mosquitto-ssl or nanomq to create a local server and forward everything to an MQTTS server.
Have a great day :+1:
I have solved that problem with my ESP8266 bridge: https://github.com/rin67630/Tasmota-thinger.io-bridge. It even streamlines up to 4 Tasmota devices into one meta-device and forwards all data TLS-secured to my dashboard.
Thousands, maybe millions of Tasmota devices based on ESP8266 cannot issue encrypted MQTT messages. This is a huge security issue. The devs there cannot provide encryption on these small devices (besides all the other stuff they provide). That is just too much for a limited ESP8266. So the policy of Tasmota is: remain inside your LAN.
If we had an MQTT relay on another ESP8266 inside the LAN that can get plain MQTT messages on port 1883 and forward them encrypted to port 8883 of an external broker, we would have a safe way to get www.
Could you derive an MQTT relay from your wonderful work too? (If it were not too complicated...)
Regards.
Laszlo