MQTT GW on ESP8266 supporting SSL/TLS?

    bgunnarb
    wrote on last edited by
    #1

    I have been using a couple of ESP8266 MySensors MQTT GW for years, connected to a public broker. Now unfortunately they will no longer support a simple connection to port 1883 but will require a secure connection using TLS.
    Question: Is there code available for the ESP8266 MQTT GW with support for SSL/TLS? How would you go about adding that support?

    Since I have three GW in different places I cannot deploy my own mosquitto broker on my HA installation.

    I have never been so busy since I retired!

      eiten
      wrote on last edited by
      #2

      @bgunnarb are you on the master or the development branch? In the development branch, TLS is implemented (check out this):

      /*
       * Modified by Eric Grammatico <eric@grammatico.me>
       *
       * Added support to secured connexion to mqtt server thanks to WiFiClientSecure class.
       * Please see comments in code. You can look for WiFiClientSecure, MY_GATEWAY_ESP8266_SECURE,
       * MY_MQTT_CA_CERT, MY_MQTT_FINGERPRINT and MY_MQTT_CLIENT_CERT in the code below to see what has
       * changed. No new method, no new class to be used by my_sensors.
       *
       * The following constants have to be defined from the gateway code:
       * MY_GATEWAY_ESP8266_SECURE    in place of MY_GATEWAY_ESP8266 to go to secure connexions.
       * MY_MQTT_CA_CERTx            Up to three root Certificates Authorities could be defined
       *                              to validate the mqtt server' certificate. The most secure.
       * MY_MQTT_FINGERPRINT           Alternatively, the mqtt server' certificate finger print
       *                              could be used. Less secure and less convenient as you'll
       *                              have to update the fingerprint each time the mqtt server'
       *                              certificate is updated
       *                              If neither MY_MQTT_CA_CERT1 nor MY_MQTT_FINGERPRINT are
       *                              defined, insecure connexion will be established. The mqtt
       *                              server' certificate will not be validated.
       * MY_MQTT_CLIENT_CERT           The mqtt server may require client certificate for
       * MY_MQTT_CLIENT_KEY            authentication.
       *
       */
      

      Regards, Edi
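
The header comment quoted above says that with MY_GATEWAY_ESP8266_SECURE set but neither MY_MQTT_CA_CERT1 nor MY_MQTT_FINGERPRINT defined, the gateway connects without validating the broker's certificate. The build-time guard below is an added example, not part of the original post or of MySensors, that turns that silent fallback into a compile error. `BrokerAuth`, `classify`, `countHex`, `isSha1Fingerprint` and the `k...` constants are hypothetical names, the fingerprint is a constructed placeholder, and the 20-byte hex string format is an assumption.

```cpp
// Added example, not MySensors code. Constructed sample configuration follows;
// in a real sketch these would be your own gateway defines.
#define MY_GATEWAY_ESP8266_SECURE
#define MY_MQTT_FINGERPRINT "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"

enum class BrokerAuth { PlainTcp, CaValidated, FingerprintPinned, Unvalidated };

// Mirrors the rules in the quoted header comment. Letting the CA win when both
// settings are present is an assumption; the comment does not state a precedence.
constexpr BrokerAuth classify(bool secure, bool hasCa, bool hasFingerprint) {
  return !secure ? BrokerAuth::PlainTcp : hasCa ? BrokerAuth::CaValidated
       : hasFingerprint ? BrokerAuth::FingerprintPinned : BrokerAuth::Unvalidated;
}

constexpr bool isHex(char c) {
  return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}
// Counts hex digits, skipping ':' and ' '; returns -1 on any other character.
constexpr int countHex(const char *s, int n = 0) {
  return !*s ? n
       : isHex(*s) ? countHex(s + 1, n + 1)
       : (*s == ':' || *s == ' ') ? countHex(s + 1, n)
       : -1;
}
// Assumed format: a SHA-1 fingerprint written as 20 hex bytes (40 digits).
constexpr bool isSha1Fingerprint(const char *s) { return countHex(s) == 40; }

#ifdef MY_GATEWAY_ESP8266_SECURE
constexpr bool kSecure = true;
#else
constexpr bool kSecure = false;
#endif
#ifdef MY_MQTT_CA_CERT1
constexpr bool kHasCa = true;
#else
constexpr bool kHasCa = false;
#endif
#ifdef MY_MQTT_FINGERPRINT
constexpr bool kHasFingerprint = true;
static_assert(isSha1Fingerprint(MY_MQTT_FINGERPRINT), "MY_MQTT_FINGERPRINT is not 20 hex bytes");
#else
constexpr bool kHasFingerprint = false;
#endif

constexpr BrokerAuth kMode = classify(kSecure, kHasCa, kHasFingerprint);
static_assert(kMode != BrokerAuth::Unvalidated,
              "TLS on, broker never validated: define MY_MQTT_CA_CERT1 or MY_MQTT_FINGERPRINT");
int main() { return kMode == BrokerAuth::FingerprintPinned ? 0 : 1; }
```

In a sketch, drop the two sample defines and place the guard after your own gateway defines; the build then stops instead of producing a gateway that encrypts traffic but skips certificate validation.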

        bgunnarb
        wrote on last edited by
        #3

        Hi Edi!
        I'm on the master branch.
        Regards /Gunnar

          bgunnarb
          wrote on last edited by
          #4

          @eiten
          Hi Edi!
          You are an absolute STAR!
          Now I'm on the development branch 2.4.0 alpha and things work like a charm!
          I'm able to connect via SSL/TLS to a commercial broker account with a server certificate and messages have started flowing in the test rig.
          Now it's time to plan the migration of my MQTT clients.
          Thank you so much for pointing me in the right direction. I thought that TLS support was implemented in the master branch and could not understand why things did not work?
          Can I buy you a beer?

          Best regards
          /Gunnar

            eiten
            wrote on last edited by
            #5

            @bgunnarb Thank you for your feedback. I'm very happy that I could help you. And thank you very much for the beer.

              OldSurferDude
              wrote on last edited by
              #6

              @bgunnarb I like @eiten 's solution for you.

              Personally, I am not a fan of using cloud/public brokers. Thus I am curious about your system and there is something about it from which I can learn. I would like to understand why you cannot deploy your own mosquitto broker.

              I see your setup as 3 sensor groups defined by the channel used:

              #define MY_RF24_CHANNEL ChannelOfSensorGroup
              

              Each sensor group has some number of sensors and one MQTT GW on ESP8266. On the MQTT side, do you distinguish between gateways by using a different host name?

              Something like:

              #define MY_MQTT_PUBLISH_TOPIC_PREFIX "mygateway-nOf3-out"
              #define MY_MQTT_SUBSCRIBE_TOPIC_PREFIX "mygateway-nOf3-in"
              #define MY_MQTT_CLIENT_ID "mysensors-nOf3"
              #define MY_HOSTNAME "ESP8266_MQTT_GW_nOf3"
              //#define MY_CONTROLLER_IP_ADDRESS 192, 168, 178, 68
              #define MY_CONTROLLER_URL_ADDRESS "test.mosquitto.org"
              #define MY_PORT 1883
              

              I must assume your controller (aka Home Assistant) discriminates, by way of the different topic names, through which gateway the data is to flow.

              If my "something like" is correct, then changing brokers is changing the IP address/URL in your gateways and in your controller (though if the controller is Home Assistant, it may be a bother because the device IDs may change, which will make a mess of all the work you've done in HA. This is why I like @eiten 's solution.)

              I hope it's all working for you again.

              OSD
