These are chat archives for esp8266/Arduino

19th May 2016
Aaron N.
@porkyneal
May 19 2016 08:11
Hi guys, I am trying to convert my MQTT comms to be secure using WiFiClientSecure
I have a working secure MQTT environment which I have checked, using a letsencrypt certificate
I used the same certificate on a node-red installation, so used that (using chrome) to get the fingerprint
but I cannot get client.verify to pass
is this the correct approach, or should I put the cert into the sketch?
Ivan Grokhotkov
@igrr
May 19 2016 08:14
can you enable "Core+SSL" in Debug Level menu under Tools?
Aaron N.
@porkyneal
May 19 2016 08:14
sure
will report back
Ivan Grokhotkov
@igrr
May 19 2016 08:15
thanks.
I did get MQTT over WiFiClientSecure working recently, but I used self-signed certificates. Also used client side certificates for MQTT auth.
Aaron N.
@porkyneal
May 19 2016 08:16
when it verifies a cert, how does it work? attempt a connection to the server? any particular port?
Aaron N.
@porkyneal
May 19 2016 08:50
this is my current version, I have stopped trying to verify for the moment.
Attempting MQTT connection...:ref 1
please start sntp first !
State:    sending Client Hello (1)
:wr
:sent 82
:rn 1460
:ww
:rd 5, 1460, 0
:rdi 1460, 5
:rd 74, 1460, 5
:rdi 1455, 74
State:    receiving Server Hello :rch 1460, 1114
(2)
:rd 5, 2574, 79
:rdi 1381, 5
:rd 2481, 2574, 84
:rdi 1376, 1376
:c 1376, 1460, 2574
:rdi 1114, 1105
State:    receiving Certificate (11)
:rd 5, 1114, 1105
:rdi 9, 5
:rd 4, 1114, 1110
:rdi 4, 4
:c0 4, 1114
State:    receiving Server Hello Done (14)
State:    sending Client Key Exchange (16)
:wr
:sent 267
:ww
:wr
:sent 6
:ww
State:    sending Finished (16)
:wr
:sent 69
:rn 75
:ww
:rd 5, 75, 0
:rdi 75, 5
:rd 1, 75, 5
:rdi 70, 1
:rd 5, 75, 6
:rdi 69, 5
:rd 64, 75, 11
:rdi 64, 64
:c0 64, 75
State:    receiving Finished (16)
:wr
:sent 69
:rn 53
:ww
:rd 5, 53, 0
:rdi 53, 5
:rd 48, 53:rch 53, 53
:rcl
:abort
, 5
:rdi 48, 48
:c 48, 53, 106
:wcs ra 4Alert: close notify
:ur 1
:del
failed, rc=5 try again in 5 seconds
Ivan Grokhotkov
@igrr
May 19 2016 08:53
Ok, here the remote server has closed the connection (:rcl line)
Maybe the server tries to use TLS 1.2 and doesn't want to fall back to 1.1, which is what the ESP supports
or it doesn't find an appropriate cipher suite among the ones supported by the ESP
some debugging info from the server side would help here.
verify works after the connection is established. It calculates the SHA1 sum of the certificate and matches that against the value provided in the sketch. Then it compares the CN or SAN listed in the certificate with the host name passed into the connect function. If both match, then verify returns true.
So it doesn't do additional connects, it checks the data in the received certificate against host name and fingerprint
Aaron N.
@porkyneal
May 19 2016 10:16
Thanks @igrr, will look into what the mosquitto broker supports, and see if I can change some settings.
As always support is great and the project is awesome.
Ivan Grokhotkov
@igrr
May 19 2016 10:17
I've been running mosquitto as well, hmm...
Thanks :)
Aaron N.
@porkyneal
May 19 2016 10:18
would it be a letsencrypt issue?
The project will certainly be referenced in my Thesis, couldn't do half of what I do without it.
Ivan Grokhotkov
@igrr
May 19 2016 10:23
if letsencrypt uses sha256 then yes, the certificate might not be supported by the ESP.
we can add sha256 though...
mosquitto uses openssl, see if it's possible to get some verbose diagnostic output out of it.
Aaron N.
@porkyneal
May 19 2016 10:25
think it is sha256 :(