Open ve6rah opened 2 weeks ago
Hey, looking a bit at the ESP-IDF implementation of MQTT + SSL, it looks like server verification is optional as far as the MQTT APIs are concerned but less so from the Mbed TLS point of view. I can think of two ways to overcome this.
- Include the expected server certificate in your configuration
- Enable the `CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY` config in your build
Thanks. It seems like option 2 probably makes more sense; can you elaborate more on how I would accomplish that?
You would need to run `idf.py menuconfig` to open the configuration menu. Then, hit `/` to search for the config mentioned above (maybe without the "CONFIG_" prefix) and, once you find it, enable it, save, exit and rebuild with `idf.py build`.
Well, I'm able to configure that (though there are big warnings not to). It seems like there should be some safe way of authenticating servers without user intervention?
> though there are big warnings not to

That makes sense, since most of the reason you want to use TLS in the first place is to verify the server you're connecting to.

In order to authenticate the server, as is done in any TLS environment, like your browser, the client needs to have a list of approved certificates or approved CA certificates that have signed the CA certificate.

I'm assuming your MQTT broker has a server certificate, either one that you've generated for it or one that was generated automatically. Get a hold of that, in the PEM format. Upload it to the ESP32 via the web UI and add the `server_cert` entry in the configuration file with a path (name) of the certificate file uploaded to the ESP32. If I understand the original error message you got, that should be enough.
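Worked example, added here and not taken from the thread or the ble2mqtt project: a few shell helpers to get the broker's server certificate in PEM form and sanity-check it before uploading it as the `server_cert` file. The host name, port and file names are placeholders, and `openssl` is assumed to be installed on the machine you run this on.

```shell
#!/bin/sh
# Added example (not ble2mqtt's own tooling). Helpers for obtaining and
# checking the broker certificate that the ESP32 will pin as server_cert.

# Pull the leaf certificate the broker presents on its TLS port and save it
# as PEM. 8883 is the conventional MQTT-over-TLS port; the host is a
# placeholder. Caveat: this trusts whatever answers on the network, so treat
# the result as a candidate and confirm it with cert_fingerprint below
# against the certificate file on the broker host itself.
fetch_broker_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Return 0 if the file holds a parseable PEM certificate (and not, say, the
# private key or a DER file), else 1.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Print only the SHA-256 fingerprint (colon-separated hex) so it can be
# compared out of band with the value computed on the broker host.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Check that the certificate you intend to trust actually validates the
# presented leaf. For a self-signed broker certificate both arguments are
# the same file; for a CA-signed broker, the second is the CA's PEM.
# Return 0 on success, 1 otherwise.
verify_chain() {
    leaf="$1"; trust="$2"
    openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1
}

# Typical use (placeholder host):
#   fetch_broker_cert broker.local 8883 broker.pem
#   is_pem_cert broker.pem && cert_fingerprint broker.pem
#   verify_chain broker.pem broker.pem
```

Comparing the fingerprint with one computed directly on the broker (the same `openssl x509 -fingerprint` call on its configured certificate file) is what protects you from pinning a certificate handed out by a man-in-the-middle during the fetch, which is exactly the attack that server verification exists to stop; once the right PEM is on the ESP32, the skip-verification Kconfig option can stay off.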
I'm trying to use ble2mqtt over SSL; however, it's not working.
In the logging I see:
The main error seems to be the "No server verification option set", but I'm not sure where to go from here.
My config file is: