Add ssl certificates on ESP8266 #2781
https://docs.micropython.org/en/latest/esp8266/library/ussl.html This will work:
But as the docs warn, it is not validated.
@hiway Thanks for the answer.
Just wondering if there are any plans to resolve this issue?
The axtls library used on esp8266 does support certificates (although I'm not sure to what extent). So it's possible to add support for them, but it's not planned at this stage. An alternative way to add certs (and at the same time get more advanced crypto algorithms) would be to support mbedtls on the esp8266, but the esp8266 might not have enough RAM for this.
There're definitely plans to implement that, it's just plans for hundreds of other things have more priority, and implementing hundreds of things takes years, so nobody yet got to it. @Lir10 , @briant-spindance , you seem to need this more than other folks, so feel free to prepare patches for it. (High quality ones, which generally goes without saying. Please start at https://github.com/micropython/micropython/blob/master/CONTRIBUTING.md before doing any coding work.)
axTLS was originally selected as the default TLS implementation (even before the esp8266 port) because it has minimal code size and RAM requirements.
Hello, I recently tested an SSL/TLS connection on my ESP8266 with MicroPython. The test was done with self-signed certificates from the server/broker that I passed to my ESP. Using umqtt (simple.py) I found out, as mentioned in an earlier post, that the function ussl.wrap_socket() works only with one argument. With only one argument I can't include my certificate (ca_certs). By giving only the socket (first argument) the connection is successful. I tried to capture some packets and the connection seems to be encrypted. Thanks in advance
You'll need to implement authentication yourself, e.g. using a password with umqtt.
@dpgeorge, I am using simple umqtt to establish an SSL connection to AWS IoT with an ESP32 board, but I have not succeeded in establishing the connection. I am getting the following error from the ussl.wrap_socket method:
print(self.params) equals: The connect method in umqtt is seen below. Is it possible to establish a full cert chain connection to AWS IoT?
In micropython version 1.9.4, has this issue been resolved? |
It seems that it has. See here (scroll down to the extmod section; the fourth line reads "modussl_axtls: implement key and cert kw args to wrap_socket").
I am trying to connect the esp32 to the AWS IoT broker (I have tried both ports 8883 and 443, per the latest update of AWS). In version 1.9.4 I have not seen a ca_cert parameter; maybe that's why AWS rejects the connection.
@Sunrise17 the esp32 (and esp8266) supports the parameters:

```python
# read the key file as bytes so it can be passed to wrap_socket
with open(keyfile, 'rb') as f:
    key = f.read()
```

That should work. Note that the
Dear @dpgeorge, thanks for your response. I have tried your method to connect to AWS IoT but I am still receiving the same error. As you will see, the ssl params are passed as data in the following below; in the AWS IoT documentation, the format to publish an mqtt message is as follows:
So, I think enabling cacert is necessary to establish a direct connection from the esp32 to AWS IoT?
@Sunrise17 you shouldn't post your private keys like that! I suggest you change them immediately. It's hard to debug this problem without extra info. What is line 65 of mqtt.py?
@dpgeorge, please find the attached mqtt.py file. Line 65 is: The lines in main.py are:
If it's failing on this line then it doesn't have anything to do with SSL (the SSL handshake happens after this line succeeds). If it fails here then there is something wrong with the internet connection and/or the remote server (maybe its domain name is wrong?).
I think someone should write a FAQ on using SSL/TLS as this issue keeps cropping up. I'd offer but a) it's not my field and b) I never managed to get it to work either ;-) |
Dear @dpgeorge, I have tried three options for line 48 for the path versions of the key and cert file in the wrap_socket method, and I am receiving the following errors in each try, as below. (Note: key1 and cert1 return bytes objects; in option 3 that's why I have converted them to strings and tried.) With the same cert and key files I have tried Python 3.5 from a PC; it connects well to the server, but I could not succeed in connecting from the esp32 board.
Option_1
Error: (after the assertion "ret == 0" fails, the board continuously resets)
Option_2
Error:
Option_3
Error:
@Sunrise17 you need to pass `sock = ussl.wrap_socket(s, key=key1, cert=cert1)`
@dpgeorge, thanks for your warning; it works well right now between the SSL Python server and the ESP32 client. On the other side, to connect to AWS IoT over mqtt with the ESP32 board, I am still trying to solve it. Amazon requires the ca_cert parameter in the connection; maybe that's why it's not connecting. After I have found some solution, I will write it here. Thanks again...
I can connect to AWS MQTT with a client cert using an ESP32 WROOM-32 module. But exactly the same code and certs fail to connect when running on an ESP8266 board. The error code is "invalid key". Both are flashed with micropython 1.9.4, exactly the same certs, but different results. Is there a limit on cert length in the 8266 build? What other factors may affect the connection?
@StanS-AWS I guess the difference is in the SDKs for ESP8266 and ESP32, because there is actually a difference between the ssl libs in C for those two platforms.

```sh
openssl x509 -in 8266-01.cert.pem -out 8266-01.cert.der -outform DER
```
Does validation work properly on ESP32?
Does anyone know if the 'ca_cert' parameter is now implemented in the latest version of MicroPython? I'm not able to get it to work using the code samples above; however, I can connect if I remove the 'ca_cert' and use only the key and device cert.
I would love to know this as well. But it looks like 'ca_cert' is still not implemented :( That is a big issue for any production-like usage of this library.
Hello, I'm currently facing the
Hi, I am also facing the error while using the Pico W. My error code is: Did you find any solution?
Hi @Saranya-karan, please view this comment I made with regards to the
simple1.txt
Okay, please send a screenshot of the error |
Could be your connection details are invalid cause you're not getting a response from the broker |
Because of my network? Sir, can you elaborate on the issue?
With the same certificates and endpoint I sent data to AWS IoT Core in the Arduino IDE (ESP32 board), but in MicroPython (Pico W board) it is causing issues.
I see, have you tried decoding the base64 text as I pointed out in that other comment |
Yes sir, I updated the files to DER format. It throws an error.
To do the base64 decoding you need the certificates in base64 format, which is the certificate.pem.crt and private.pem.key files.
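The two conversion hints in this thread (the `openssl x509 ... -outform DER` command above and the advice here to base64-decode the `.pem.crt` / `.pem.key` files) are the same operation: stripping the PEM armour to get the raw DER bytes that the key/cert arguments expect. The following is an added example, not code from this thread or from MicroPython, that does that conversion in plain Python and also catches the two mistakes seen in the thread: passing a PEM file where DER is expected, and passing a truncated or otherwise mangled DER blob. The sample input is a constructed five-byte DER value (SEQUENCE { INTEGER 1 }) standing in for a real certificate body so the example runs offline; the function names are the example's own, and the `0x30` sniff is a heuristic (every X.509 certificate and PKCS#1/PKCS#8 key starts with a DER SEQUENCE, but so do other ASN.1 objects).

```python
import base64
import re

# Constructed sample input: a minimal valid DER object, SEQUENCE { INTEGER 1 }.
# It stands in for a certificate or key body so the example runs offline.
SAMPLE_DER = bytes.fromhex("3003020101")

# One PEM block: BEGIN/END lines must carry the same label (the \1 backreference).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_to_pem(der: bytes, label: str) -> bytes:
    """Wrap DER bytes in a PEM envelope with the usual 64-column base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode("ascii")
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


def pem_to_der(data: bytes) -> list:
    """Return [(label, der_bytes), ...] for every PEM block in data.

    This is what the thread calls "base64 decoding the certificate": the
    armour lines are dropped and the base64 body is decoded strictly.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        b64 = re.sub(rb"\s+", b"", m.group(2))          # join the wrapped lines
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def to_der(data: bytes) -> bytes:
    """Accept either PEM or DER and return the DER bytes of the first object.

    Raises ValueError for anything else, so a wrong file shows up here rather
    than as an opaque "invalid key" from the TLS library on the board.
    """
    if data.startswith(b"-----BEGIN "):
        blocks = pem_to_der(data)
        if not blocks:
            raise ValueError("PEM header present but no complete PEM block found")
        return blocks[0][1]
    if data[:1] == b"\x30":                              # DER SEQUENCE tag (heuristic)
        return data
    raise ValueError("input is neither PEM nor a DER SEQUENCE")


def der_length_ok(der: bytes) -> bool:
    """Check that the outer SEQUENCE's declared length matches the buffer size.

    A certificate or key cut off by a bad copy/paste or a binary-unsafe file
    transfer fails this check even though it still starts with 0x30.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                                     # short-form length
        length, header = first, 2
    else:                                                # long-form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    der = to_der(pem)
    print(pem.decode())
    print("round trip ok:", der == SAMPLE_DER, "length ok:", der_length_ok(der))
```

Usage on the board side is then `ussl.wrap_socket(s, key=to_der(key_bytes), cert=to_der(cert_bytes))`, or run the conversion once on the PC and copy only the `.der` files to the device; the `der_length_ok` check is worth running on whatever bytes actually arrive on the device, since a file that survived the copy with the wrong mode is the commonest cause of a key that works on one board and not another.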
Sir, may I know which version of MicroPython you used for sending data to AWS?
I am pretty much using the latest version |
Okay, I'm not sure I can offer much help using comments. Is it possible that you have your project in a repo? Then I can clone it and try on the Pico W I have. You can have it private and then add me as a collaborator. I'll work on it tomorrow.
I will add the repo tomorrow, sir. I provided my simple1.py library and main program. Nothing much there. Thank you so much for the response.
I added the files to my repo. It is in public view. Please let me know whether you can access the files.
Hi @Saranya-karan , I've made changes to the repo. The code seems to work on my end. |
The original problem (as well as several other, semi-related problems) seems to have been fixed. Perhaps we can close this issue? For usage questions or debugging help, the recommendation is to open a GitHub Discussion or come to the MicroPython Discord.
Hi,
I'm trying to connect to an SSL server using this code:
However, I'm getting the following traceback:
Looks like
works only with one argument.
How can I add my own self-signed certificates to the SSL socket object?