xoseperez / espurna

Home automation firmware for ESP8266-based devices
http://tinkerman.cat
GNU General Public License v3.0

Add support for MQTT SSL #64

Closed xoseperez closed 6 years ago

xoseperez commented 7 years ago

Originally reported by: Minh Phuong Ly (Bitbucket: phuonglm, GitHub: phuonglm)


I want to connect my node to a public MQTT server or cloud service, but because SSL is not supported yet, the username and password can be sniffed easily. There have been some attempts that failed (https://github.com/marvinroger/homie-esp8266/issues/108), but I hope we can implement it right.

xoseperez commented 7 years ago

Released with 1.9.3

xoseperez commented 7 years ago

Support using PubSubClient (MQTT_USE_ASYNC=0) will be released with 1.9.3.

As for AsyncMqttClient (MQTT_USE_ASYNC=1), it will not be on the prebuilt images; you will have to compile it yourself since you need to decide a few things. Anyway, there are a few recommendations:

When using MQTT_USE_ASYNC=1 it's recommended to disable web support (WEB_SUPPORT=0). You will be able to configure it via compile time settings, serial or telnet.

When using MQTT_USE_ASYNC=0 all the modules that use ESPAsyncTCP should be disabled, that means: WEB_SUPPORT=0, ALEXA_SUPPORT=0, TELNET_SUPPORT=0 and INFLUXDB_SUPPORT=0. Thus, it's not recommended to use this configuration since it disables a lot of cool features in the firmware.

xoseperez commented 7 years ago

Current status:

xoseperez commented 7 years ago

Version 1.9.0 adds support for TLS/SSL MQTT connections. It's still somewhat a test feature but it looks reasonably good, except for the fact that it consumes so much memory you might run into issues using the web interface. That's why version 1.9.0 also includes the option to disable the web interface.

To build a TLS compatible version of the firmware you need the staging ESP8266 Arduino Core branch and compile the firmware passing the ASYNC_TCP_SSL_ENABLED=1 build flag. If you are disabling web support (WEB_SUPPORT=0) you might want to hardcode some other settings (WIFI#_SSID, WIFI#_PASS, MQTT_SERVER, MQTT_SSL_ENABLED, MQTT_SSL_FINGERPRINT,...).

Next will be to add support when using PubSubClient library too.

xoseperez commented 7 years ago

Async MQTT just added support for SSL. I'm worried about the memory requirement, though. Else will be added for 1.9.

xoseperez commented 7 years ago

Original comment by sebastianhanschke (Bitbucket: sebastianhanschke, GitHub: Unknown):


Any news? I'd also be interested and happy to try out any beta.

xoseperez commented 7 years ago

Original comment by Bohdan Shcherbak (Bitbucket: bsh314, GitHub: bsh314):


Thanks for the info! I'll give it a try

xoseperez commented 7 years ago

AsyncMqttClient should also support SSL if using the staging branch of Arduino Core ESP8266 with minor modifications on the code. Had no time to test it yet.

xoseperez commented 7 years ago

Original comment by Bohdan Shcherbak (Bitbucket: bsh314, GitHub: bsh314):


Hello Minh! I'll try to create a pull request this month with SSL support. PubSubClient supports WifiSecureClient, so it can't be that difficult; the only hard thing is to create a new input in the web GUI & use that for the TLS fingerprint.
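
Added example, not part of the thread or of ESPurna's code: a host-side check for the certificate fingerprint that the MQTT_SSL_FINGERPRINT setting and the "tls fingerprint" input mentioned above refer to. It assumes the fingerprint is the SHA-1 digest of the broker's DER-encoded certificate (the thread does not state the algorithm or separator format); all function names and the sample certificates are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the whole DER certificate, as space-separated hex pairs."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept 'AA BB', 'aa:bb' or 'aabb' spellings; reject anything else."""
    hexdigits = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("a SHA-1 fingerprint is exactly 40 hex digits")
    return hexdigits

def pin_matches(pem: str, pinned_fp: str) -> bool:
    """True when the certificate hashes to the pinned fingerprint."""
    actual = normalize(sha1_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize(pinned_fp))

def to_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armor (used only to build the sample data)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes standing in for a broker's DER
# certificate before and after renewal (not real certificates).
OLD_PEM = to_pem(b"constructed broker certificate, original")
NEW_PEM = to_pem(b"constructed broker certificate, renewed")
PINNED = sha1_fingerprint(pem_to_der(OLD_PEM))  # value you would hardcode

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED)
    print("current cert matches:", pin_matches(OLD_PEM, PINNED))
    print("renewed cert matches:", pin_matches(NEW_PEM, PINNED))
```

A pinned fingerprint stops matching as soon as the broker's certificate is renewed, so a device with a hardcoded value needs the new fingerprint before the old certificate is retired.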