
Calculated fingerprint differs from Tasmota autolearned fingerprint #1

Closed
wewa00 opened this issue Jan 12, 2021 · 10 comments

@wewa00

wewa00 commented Jan 12, 2021

Hi all,
I used https://github.com/issacg/tasmota-fingerprint to calculate the fingerprint of my certificate, but this calculated fingerprint differs from the MqttFingerprint auto-learned by the Tasmota device. Could it be that there is a misalignment between the Tasmota software itself and the tasmota-fingerprint calculator? Has someone tested it with Tasmota v9.2.0 and tasmota-fingerprint v1.0.0?

@wewa00 wewa00 changed the title Calculated Fingerprint differs from Tasmota autolearned fingerprint Calculated fingerprint differs from Tasmota autolearned fingerprint Jan 12, 2021
@issacg (Owner)

issacg commented Jan 13, 2021

Good catch!

It seems related to this patch, but I can't find any documentation explaining what exactly was changed (or why, except for comments suggesting the new fingerprint ought to be more secure).

However a cursory look at the change suggests that it ought to accept and auto-update old fingerprints.

Have you actually tried setting the fingerprint using the tool and seeing if TLS can negotiate? The expectation is that Tasmota will transparently update the certificate fingerprint for you after the first connection is made...

@wewa00 (Author)

wewa00 commented Jan 13, 2021

No, I have not tried so far. But a good hint, I can try this and will give feedback after I have had time.

But nevertheless, I think there should be some version of tasmota-fingerprint available fitting Tasmota v9.2.0. Will you go after this?

@wewa00 (Author)

wewa00 commented Jan 13, 2021

Tasmota behaves like you described. After setting the fingerprint which was calculated by tasmota-fingerprint, Tasmota learns the same fingerprint automatically which was learned after the fingerprint was set for auto-learning to 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00.

To be sure that Tasmota does not always learn the MQTT fingerprint if it is not matching, I did the following. I set the fingerprint to an altered version of the fingerprint which was calculated by tasmota-fingerprint.

I have absolutely no idea how this mechanism in Tasmota is working and why it was designed this way.

@wewa00 (Author)

wewa00 commented Jan 13, 2021

@issacg s-hadinger provided the information on why/how this functionality was implemented in the Tasmota Discord chat (are you active there?). Here is the explanation: https://threadreaderapp.com/thread/1339101572832382981.html. I think you should consider this for patching tasmota-fingerprint.

@wewa00 (Author)

wewa00 commented Jan 15, 2021

The Tasmota Fingerprint update feature will hopefully be disabled in a future release: arendst/Tasmota#10571

@issacg (Owner)

issacg commented Jan 15, 2021

This is a valid case for updating tasmota-fingerprint, and I'll certainly do so when I have cycles. In the meantime, patches are welcome.

And I hope that the fingerprint update won't be disabled, as it's the only feasible way to live-update existing devices. Not everyone is starting from scratch with a new MQTT server and new Tasmota devices.

@mirino75

mirino75 commented Nov 4, 2021

I see in the Tasmota Console:
Fingerprint learned: A3 84 11 60 87 53 05 1B 58 F5 6C 0A FF 03 FA 9C 07 FD BC 99

Why do I get other fingerprint values using these commands?

ubuntu@raspberry:/$ ~/go/bin/tasmota-fingerprint server.crt
7F 33 36 03 B0 FD D8 EA 91 B0 4D F7 AD 15 0F 52 88 AD 8D 4F

ubuntu@raspberry:/$ openssl x509 -noout -fingerprint -sha1 -inform pem -in server.crt | awk -F"=" '{print $2}'|sed -e 's/:/ /g'
DB 77 2D 3F B3 0E 2D 48 97 55 97 A4 8A 35 57 BA A6 A7 38 6D

ubuntu@raspberry:/$ openssl s_client -connect 192.168.2.1:8883 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | awk -F"=" '{print $2}'|sed -e 's/:/ /g'
DB 77 2D 3F B3 0E 2D 48 97 55 97 A4 8A 35 57 BA A6 A7 38 6D

@mirino75

mirino75 commented Nov 5, 2021

Answer from Stefan
https://groups.google.com/d/msgid/sonoffusers/1f5f0bf7-a3c1-49db-a3d2-88ecf6a3691en%40googlegroups.com?utm_medium=email&utm_source=footer

The fingerprint used in Tasmota is different from the fingerprint of the certificate shown by openssl. Tasmota uses a hash on the Public Key, not on the Certificate.

There are two reasons for this:
1/ It would take too much memory to compute the certificate hash; it's much more lightweight to compute the fingerprint of the public key instead. This is due to the way BearSSL works.
2/ The fingerprint of the public key is much more stable than the certificate. For example, Letsencrypt requires the certificate to be renewed every 3 months, which would mean updating all devices every 3 months. On the contrary, the public key does not change.

The problem is that the only way to know your fingerprint is to use Tasmota in auto-learn and write down the fingerprint.
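The three different values mirino75 posted, and Stefan's explanation that Tasmota hashes the public key rather than the certificate, can be reproduced offline. The following is an added example written for this page in Go (the language tasmota-fingerprint is written in); it is not the tool's code and not Tasmota's. It generates one RSA key and two self-signed certificates for it (an initial issue and a renewal), then prints three SHA-1 digests in Tasmota's "A3 84 11 ..." console format: over the certificate DER (what `openssl x509 -fingerprint -sha1` prints), over the DER SubjectPublicKeyInfo, and over the raw modulus followed by the raw exponent. The thread only says "a hash on the public key" and does not state which bytes are hashed, so the two public-key encodings are assumptions to be compared against the value Tasmota auto-learns, not a claim about the Tasmota algorithm. The `mqtt.example.invalid` name, the `Renewal` and `ComputeFromPEM` helpers, and the 20-byte SHA-1 choice (consistent with the 20 hex pairs shown in the console output above) are mine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fingerprints holds three SHA-1 digests of one certificate in Tasmota's console
// format. CertDER is over the certificate DER (what openssl -fingerprint prints);
// SPKIDER (DER SubjectPublicKeyInfo) and RSAModExp (raw modulus then raw exponent)
// are two candidate "hash of the public key" encodings: assumptions, not Tasmota's spec.
type Fingerprints struct {
	CertDER   string
	SPKIDER   string
	RSAModExp string
}

// tasmotaHex formats a digest the way the Tasmota console prints it: "A3 84 11 ...".
func tasmotaHex(sum [sha1.Size]byte) string { return fmt.Sprintf("% X", sum[:]) }

// Compute returns all three digests for a parsed certificate (RSA keys only).
func Compute(cert *x509.Certificate) (Fingerprints, error) {
	fp := Fingerprints{
		CertDER: tasmotaHex(sha1.Sum(cert.Raw)),
		SPKIDER: tasmotaHex(sha1.Sum(cert.RawSubjectPublicKeyInfo)),
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fp, fmt.Errorf("example handles RSA keys only, got %T", cert.PublicKey)
	}
	// Big-endian modulus (no leading zeros) followed by the big-endian exponent, e.g. 01 00 01.
	ne := append(pub.N.Bytes(), big.NewInt(int64(pub.E)).Bytes()...)
	fp.RSAModExp = tasmotaHex(sha1.Sum(ne))
	return fp, nil
}

// ComputeFromPEM is the file-based entry point: pass it the bytes of server.crt.
func ComputeFromPEM(pemBytes []byte) (Fingerprints, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Fingerprints{}, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Fingerprints{}, err
	}
	return Compute(cert)
}

// selfSign issues a 90-day self-signed cert for key (constructed stand-in for a broker cert).
func selfSign(key *rsa.PrivateKey, serial int64, notBefore time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "mqtt.example.invalid"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Renewal issues two certificates for the same key (initial issue, then a renewal 80 days
// later): the certificate digest changes between them, the public-key digests do not.
func Renewal() (first, renewed Fingerprints, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	c1, err := selfSign(key, 1, time.Now())
	if err != nil {
		return
	}
	c2, err := selfSign(key, 2, time.Now().Add(80*24*time.Hour))
	if err != nil {
		return
	}
	if first, err = Compute(c1); err != nil {
		return
	}
	renewed, err = Compute(c2)
	return
}

func main() {
	first, renewed, err := Renewal()
	if err != nil {
		panic(err)
	}
	fmt.Printf("cert DER : %s\n renewed : %s\nSPKI DER : %s\nRSA N||E : %s\n", first.CertDER, renewed.CertDER, first.SPKIDER, first.RSAModExp)
}
```

Running it shows the first line changing on renewal while the two public-key lines stay the same, which is the point Stefan makes under 2/. To check a real broker, read server.crt into `ComputeFromPEM` and compare each line with the value in the "Fingerprint learned:" console message; whichever line matches tells you which encoding that Tasmota build hashes, and if neither does, the device is hashing something this example does not model (ECDSA keys, for instance, are not handled here). Note that the openssl commands in the earlier comment hash the certificate, so they will only ever reproduce the first line.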

@ryancdotorg (Contributor)

I've made a pull request to update the fingerprint calculation: #2

@issacg (Owner)

issacg commented Mar 5, 2024

Fixed in #2

@issacg issacg closed this as completed Mar 5, 2024