Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request]: MQTT Does not support TLS Transport Encryption #2376

Closed
ghostop14 opened this issue Mar 23, 2023 · 4 comments
Closed

[Feature Request]: MQTT Does not support TLS Transport Encryption #2376

ghostop14 opened this issue Mar 23, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@ghostop14
Copy link
Contributor

Platform

ESP32

Description

Configuring an MQTT server such as mosquitto to use TLS with a valid certificate for transport security fails to connect. Looks like this isn't supported in the current implementation?
@ghostop14 ghostop14 added the enhancement New feature or request label Mar 23, 2023
@garthvh
Copy link
Member

garthvh commented Mar 24, 2023

Nobody has managed to make it work. There is a comment in the firmware here

firmware/src/mqtt/MQTT.h

Line 25 in 9d6e1ce

// http://www.iotsharing.com/2017/08/how-to-use-esp32-mqtts-with-mqtts-mosquitto-broker-tls-ssl.html

@sachaw found this potential approach as well https://github.com/knolleary/pubsubclient/pull/851/files

@ghostop14
Copy link
Contributor Author

ghostop14 commented Mar 24, 2023
edited

I have a working Mosquitto MQTT server here with a valid purchased cert and such, validated with mosquitto_pub/sub to be all around valid TLS with authentication enabled. Running Mosquitto 2.0.15a on Ubuntu 20.04. That side all works.

There's definitely the client certificate-based validation I see in the potential approach (lines 105-110 in that link). But maybe even to start simpler, we can support the user/pass authentication to not have to worry about uploading client id certificates to the devices. That should basically be just the extra TLS negotiation from the client-side.

So I think we probably need a couple of things:

  1. Just support for enabling TLS from the client class
  2. For the self-signed certs, we probably need something like mqtt.tls_insecure to not validate the CA on those self-signed certs. Otherwise the handshake should fail for MiTM/spoofing security reasons (Default should be to require all-around valid/signed cert for security)
  3. Maybe an mqtt.tls_enabled since there's already a payload encryption setting?
  4. The default encrypted port is 8883. So if tls is enabled, and no port is specified in the address, it should be changed to 8883 rather than the unencrypted 1883.

I'm happy to provide the encrypted MQTT server side and work with anyone who wants to tackle the firmware code. It's a dev box, so I can switch between unencrypted, and TLS valid or self-signed as needed. DM me on discord and we can coordinate connection details.

@ghostop14
Copy link
Contributor Author

This article has some example code: https://arduino.stackexchange.com/questions/72684/how-to-connect-to-mqtt-broker-with-tls

May just need to add the secure client wrapper before the pubsubclient:
WiFiClientSecure espClient; // <-- Change #1: Secure connection to MQTT Server
PubSubClient client(espClient);

// Then something like this if mqtt.tls_insecure is set:
espClient.setInsecure();

@caveman99
Copy link
Sponsor Member

will be in next firmware for ESP32

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@caveman99 @garthvh @ghostop14