Open Darsh-Dev opened 3 years ago
I don't know.
There is some code about TLS. Try them one by one.
$ cd esp-idf-mqtt-broker/components/mongoose/example
$ grep -rn TLS *
esp8266/src/main/main.c:20:// To enable TLS for HTTP,
esp8266/src/main/main.c:22:// 2. Add TLS init snippet for the connection, see examples/http-client
http-client/Makefile:6:ifneq ($(MBEDTLS),)
http-client/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS)/include -I/usr/include
http-client/Makefile:8:CFLAGS += -L$(MBEDTLS)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-client/main.c:8:// To enable SSL/TLS for this client, build it like this:
http-client/main.c:9:// make MBEDTLS=/path/to/your/mbedtls/installation
http-client/main.c:23: // If s_url is https://, tell client connection to use TLS
http-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
http-proxy-client/Makefile:3:MBEDTLS_DIR ?=
http-proxy-client/Makefile:5:ifeq "$(MBEDTLS_DIR)" ""
http-proxy-client/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
http-proxy-client/Makefile:8:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-proxy-client/main.c:8:// To enable SSL/TLS for this client, build it like this:
http-proxy-client/main.c:9:// make MBEDTLS_DIR=/path/to/your/mbedtls/installation
http-proxy-client/main.c:28: // If target URL is SSL/TLS, command client connection to use TLS
http-proxy-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
http-restful-server/Makefile:3:ifeq "$(MBEDTLS_DIR)" ""
http-restful-server/Makefile:5:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
http-restful-server/Makefile:6:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-restful-server/main.c:10:// To enable SSL/TLS (using self-signed certificates in PEM files),
http-restful-server/main.c:12:// 2. make MBEDTLS_DIR=/path/to/your/mbedtls/installation
http-restful-server/main.c:22: // If s_listen_on URL is https://, tell listening connection to use TLS
http-restful-server/server.pem:29: TLS Web Server Authentication
http-reverse-proxy/Makefile:3:MBEDTLS_DIR ?=
http-reverse-proxy/Makefile:5:ifeq "$(MBEDTLS_DIR)" ""
http-reverse-proxy/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
http-reverse-proxy/Makefile:8:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-reverse-proxy/main.c:8:// To enable SSL/TLS, build it like this:
http-reverse-proxy/main.c:9:// make MBEDTLS_DIR=/path/to/your/mbedtls/installation
http-reverse-proxy/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
http-streaming-client/Makefile:4:ifneq ($(MBEDTLS),)
http-streaming-client/Makefile:5:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS)/include -I/usr/include
http-streaming-client/Makefile:6:CFLAGS += -L$(MBEDTLS)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-streaming-client/main.c:12:// To enable SSL/TLS for this client, build it like this:
http-streaming-client/main.c:13:// make MBEDTLS=/path/to/your/mbedtls/installation
http-streaming-client/main.c:27: // If s_url is https://, tell client connection to use TLS
http-streaming-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
mqtt-client/Makefile:2:MBEDTLS_DIR ?=
mqtt-client/Makefile:4:ifeq "$(MBEDTLS_DIR)" ""
mqtt-client/Makefile:6:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
mqtt-client/Makefile:7:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
mqtt-client/main.c:10:// To enable SSL/TLS for this client, build it like this:
mqtt-client/main.c:11:// make MBEDTLS_DIR=/path/to/your/mbedtls/installation
mqtt-client/main.c:23: // If target URL is SSL/TLS, command client connection to use TLS
mqtt-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
socks5-server/Makefile:3:MBEDTLS_DIR ?=
socks5-server/Makefile:5:ifeq "$(MBEDTLS_DIR)" ""
socks5-server/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
socks5-server/Makefile:8:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
websocket-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
Hi @nopnop2002,
Thanks for the update. I want to know whether the TLS feature is used in the MQTT broker/server code (mqtt_server.c). If yes, how can I enable it and use my server certificate for a secure connection?
Thanks
I don't know how to use a server certificate for a secure connection.
This code may be helpful.
Hi @nopnop2002,
Issue resolved; please find below a patch to enable the mqtt_broker with TLS.
diff --git a/mongoose.c b/mongoose.c static void accept_conn(struct mg_mgr mgr, struct mg_connection lsn) { c->pfn_data = lsn->pfn_data; c->fn = lsn->fn; c->fn_data = lsn->fn_data; +#if MG_ENABLE_MBEDTLS +struct mg_tls_opts opts = {.ca = NULL, +.cert = srv_cert, / TLS server certificate / +.certkey = srv_key};/ TLS server private key / +mg_tls_init(c, &opts); +#endif diff --git a/mongoose.h b/mongoose.h
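Review bot: The TLS setup added to accept_conn() runs for every connection accepted on every listener, because it is patched into the library accept path rather than into the listener's MG_EV_ACCEPT handler, so a plain-TCP or HTTP listener served by the same manager would have TLS forced onto it as well. `srv_cert` and `srv_key` are not defined in the hunk, so where they come from and whether they are NUL-terminated PEM text cannot be checked here; `.ca = NULL` leaves no client-certificate verification, which is presumably intended for a server. A less invasive approach keeps mongoose.c untouched and does the init from the broker's event handler, `if (ev == MG_EV_ACCEPT) { struct mg_tls_opts opts = {.cert = srv_cert, .certkey = srv_key}; mg_tls_init(c, &opts); }`. Note that the rendering has eaten the `*` characters of the `/* ... */` comments and of the `struct mg_mgr *mgr` / `struct mg_connection *lsn` declarators, so the patch will not compile as pasted; the rest of accept_conn() lies outside the hunk.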
ifndef MG_ENABLE_MBEDTLS
-#define MG_ENABLE_MBEDTLS 0 +#define MG_ENABLE_MBEDTLS 1
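Review bot: Flipping the default of MG_ENABLE_MBEDTLS inside mongoose.h hard-codes the TLS build into the vendored header, so the next library update silently reverts it and every project consuming the header is forced to TLS. The example Makefiles listed above instead pass `CFLAGS += -DMG_ENABLE_MBEDTLS=1`, which leaves the header pristine and lets the option be toggled per build; the same should be done here by keeping `#define MG_ENABLE_MBEDTLS 0` and adding the define to the component's compile options. The rendered hunk has also lost the `#` on `ifndef MG_ENABLE_MBEDTLS`.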
Hi @Darsh-Dev, I'm trying to use my self-signed certificates and keys generated with OpenSSL in the MQTT broker. I have enabled the TLS feature as you explained, but it doesn't work: when I try to connect an MQTT client to the broker, it always reboots with this error:
rst:0x8 (TG1WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT) configsip: 0, SPIWP:0xee clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00 mode:DIO, clock div:2 load:0x3fff0030,len:6708 load:0x40078000,len:14224 ho 0 tail 12 room 4 load:0x40080400,len:3688 entry 0x40080678
I tried to debug but I don't understand what I'm doing wrong. This is my mongoose.c code (accept_conn function):
// PEM blobs linked into the firmware image by the build. The `_binary_<file>_start`
// / `_binary_<file>_end` symbol names are the ones binary embedding produces
// (presumably the ESP-IDF EMBED_FILES / EMBED_TXTFILES step — confirm in the
// component's CMake or Makefile).
// NOTE(review): accept_conn() below hands only the *_start symbols to
// mg_tls_init(), cast to `const char *`, i.e. as NUL-terminated C strings; the
// *_end symbols are declared but never used, so nothing here bounds the data or
// checks for a terminator. Confirm the embedding mode appends one.
extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");          // CA certificate, PEM
extern const uint8_t ca_crt_end[] asm("_binary_ca_crt_end");
extern const uint8_t server_crt_start[] asm("_binary_server_crt_start");  // server certificate, PEM
extern const uint8_t server_crt_end[] asm("_binary_server_crt_end");
extern const uint8_t server_key_start[] asm("_binary_server_key_start");  // server private key, PEM
extern const uint8_t server_key_end[] asm("_binary_server_key_end");
// Accept one pending connection on listener `lsn` and register it with `mgr`.
//
// Failure paths (accept() error, descriptor at or above FD_SETSIZE where that
// check is compiled in, connection allocation failure) log the problem, close
// the socket where one was obtained, and register nothing. On success the new
// connection inherits the listener's protocol and user callbacks, is wrapped in
// TLS when MG_ENABLE_MBEDTLS is set, and is handed MG_EV_ACCEPT.
static void accept_conn(struct mg_mgr *mgr, struct mg_connection *lsn) {
  union usa peer_addr;
  socklen_t addr_len = sizeof(peer_addr);
  SOCKET fd = accept(FD(lsn), &peer_addr.sa, &addr_len);

  if (fd == INVALID_SOCKET) {
    LOG(LL_ERROR, ("%lu accept failed, errno %d", lsn->id, MG_SOCK_ERRNO));
    return;
  }
#if (!defined(_WIN32) && (MG_ARCH != MG_ARCH_FREERTOS_TCP))
  // Descriptors the fd_set-based poller cannot track are refused outright.
  if ((long) fd >= FD_SETSIZE) {
    LOG(LL_ERROR, ("%ld > %ld", (long) fd, (long) FD_SETSIZE));
    closesocket(fd);
    return;
  }
#endif
  struct mg_connection *conn = alloc_conn(mgr, 0, fd);
  if (conn == NULL) {
    LOG(LL_ERROR, ("%lu OOM", lsn->id));
    closesocket(fd);
    return;
  }

  // Third argument flags a non-IPv4 peer, judged by the address length
  // accept() reported.
  tomgaddr(&peer_addr, &conn->peer, addr_len != sizeof(peer_addr.sin));
  char addr_str[40];
  mg_straddr(conn, addr_str, sizeof(addr_str));
  LOG(LL_DEBUG, ("%lu accepted %s", conn->id, addr_str));

  mg_set_non_blocking_mode(FD(conn));
  setsockopts(conn);
  LIST_ADD_HEAD(struct mg_connection, &mgr->conns, conn);

  // The accepted connection speaks whatever the listener was configured for.
  conn->is_accepted = 1;
  conn->is_hexdumping = lsn->is_hexdumping;
  conn->pfn = lsn->pfn;
  conn->pfn_data = lsn->pfn_data;
  conn->fn = lsn->fn;
  conn->fn_data = lsn->fn_data;

#if MG_ENABLE_MBEDTLS
  // NOTE(review): this runs for every connection accepted by every listener in
  // the manager (plain ones included), because it sits in the library accept
  // path instead of the listener's MG_EV_ACCEPT handler.
  // NOTE(review): the embedded blobs are passed as C strings and the *_end
  // symbols are never consulted, so confirm the embedding step NUL-terminates
  // each file. A non-NULL .ca on the server side presumably switches on
  // client-certificate verification — confirm against mg_tls_init() before
  // relying on it either way.
  struct mg_tls_opts opts = {
      .ca = (const char *) ca_crt_start,
      .cert = (const char *) server_crt_start,
      .certkey = (const char *) server_key_start,
  };
  mg_tls_init(conn, &opts);
#endif
  mg_call(conn, MG_EV_ACCEPT, NULL);
}
Thanks
@stefanobignotti
Did you specify this?
@nopnop2002 I solved my problem. It was a problem with the broker poll delay; now it's working. Thanks
Hi,
Are there any steps that help me to use my server certificate during the TLS handshake in the MQTT broker example?
Thanks