
How can i use my server certificates for TLS in MQTT Broker #32

Darsh-Dev opened this issue Apr 15, 2021 · 7 comments


@Darsh-Dev

Hi,

Are there any steps that help me to use my server certificate during the TLS handshake in the MQTT broker example?

Thanks

@Darsh-Dev Darsh-Dev changed the title How can i use my server certificates fot tls in MQTT Broker How can i use my server certificates for TLS in MQTT Broker Apr 15, 2021
@nopnop2002

nopnop2002 commented Apr 15, 2021

I don't know.

There is some code about TLS.
Try one by one.

$ cd esp-idf-mqtt-broker/components/mongoose/example

$ grep -rn TLS *
esp8266/src/main/main.c:20:// To enable TLS for HTTP,
esp8266/src/main/main.c:22://   2. Add TLS init snippet for the connection, see examples/http-client
http-client/Makefile:6:ifneq ($(MBEDTLS),)
http-client/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS)/include -I/usr/include
http-client/Makefile:8:CFLAGS += -L$(MBEDTLS)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-client/main.c:8:// To enable SSL/TLS for this client, build it like this:
http-client/main.c:9://    make MBEDTLS=/path/to/your/mbedtls/installation
http-client/main.c:23:    // If s_url is https://, tell client connection to use TLS
http-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
http-proxy-client/Makefile:3:MBEDTLS_DIR ?=
http-proxy-client/Makefile:5:ifeq "$(MBEDTLS_DIR)" ""
http-proxy-client/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
http-proxy-client/Makefile:8:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-proxy-client/main.c:8:// To enable SSL/TLS for this client, build it like this:
http-proxy-client/main.c:9://    make MBEDTLS_DIR=/path/to/your/mbedtls/installation
http-proxy-client/main.c:28:    // If target URL is SSL/TLS, command client connection to use TLS
http-proxy-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
http-restful-server/Makefile:3:ifeq "$(MBEDTLS_DIR)" ""
http-restful-server/Makefile:5:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
http-restful-server/Makefile:6:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-restful-server/main.c:10:// To enable SSL/TLS (using self-signed certificates in PEM files),
http-restful-server/main.c:12://    2. make MBEDTLS_DIR=/path/to/your/mbedtls/installation
http-restful-server/main.c:22:    // If s_listen_on URL is https://, tell listening connection to use TLS
http-restful-server/server.pem:29:                TLS Web Server Authentication
http-reverse-proxy/Makefile:3:MBEDTLS_DIR ?=
http-reverse-proxy/Makefile:5:ifeq "$(MBEDTLS_DIR)" ""
http-reverse-proxy/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
http-reverse-proxy/Makefile:8:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-reverse-proxy/main.c:8:// To enable SSL/TLS, build it like this:
http-reverse-proxy/main.c:9://    make MBEDTLS_DIR=/path/to/your/mbedtls/installation
http-reverse-proxy/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
http-streaming-client/Makefile:4:ifneq ($(MBEDTLS),)
http-streaming-client/Makefile:5:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS)/include -I/usr/include
http-streaming-client/Makefile:6:CFLAGS += -L$(MBEDTLS)/lib -lmbedtls -lmbedcrypto -lmbedx509
http-streaming-client/main.c:12:// To enable SSL/TLS for this client, build it like this:
http-streaming-client/main.c:13://    make MBEDTLS=/path/to/your/mbedtls/installation
http-streaming-client/main.c:27:    // If s_url is https://, tell client connection to use TLS
http-streaming-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
mqtt-client/Makefile:2:MBEDTLS_DIR ?=
mqtt-client/Makefile:4:ifeq "$(MBEDTLS_DIR)" ""
mqtt-client/Makefile:6:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
mqtt-client/Makefile:7:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
mqtt-client/main.c:10:// To enable SSL/TLS for this client, build it like this:
mqtt-client/main.c:11://    make MBEDTLS_DIR=/path/to/your/mbedtls/installation
mqtt-client/main.c:23:    // If target URL is SSL/TLS, command client connection to use TLS
mqtt-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
socks5-server/Makefile:3:MBEDTLS_DIR ?=
socks5-server/Makefile:5:ifeq "$(MBEDTLS_DIR)" ""
socks5-server/Makefile:7:CFLAGS += -DMG_ENABLE_MBEDTLS=1 -I$(MBEDTLS_DIR)/include -I/usr/include
socks5-server/Makefile:8:CFLAGS += -L$(MBEDTLS_DIR)/lib -lmbedtls -lmbedcrypto -lmbedx509
websocket-client/ca.pem:46:ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS

@Darsh-Dev

Hi @nopnop2002,

Thanks for the update. I want to know whether the TLS feature is used in the MQTT broker/server code (mqtt_server.c). If yes, then how can I enable it and use my server certificate for a secure connection?

Thanks

@nopnop2002

nopnop2002 commented Apr 16, 2021

I don't know how to use a server certificate for a secure connection.

This code may be helpful.

https://github.com/espressif/esp-idf/blob/master/examples/protocols/esp_http_client/main/esp_http_client_example.c#L29

@Darsh-Dev

Hi @nopnop2002,

Issue resolved; please find below the patch to enable the mqtt_broker with TLS.

diff --git a/mongoose.c b/mongoose.c
static void accept_conn(struct mg_mgr *mgr, struct mg_connection lsn) {
c->pfn_data = lsn->pfn_data;
c->fn = lsn->fn;
c->fn_data = lsn->fn_data;
+#if MG_ENABLE_MBEDTLS
+struct mg_tls_opts opts = {.ca = NULL,
+.cert = srv_cert, /
TLS server certificate /
+.certkey = srv_key};/
TLS server private key */
+mg_tls_init(c, &opts);
+#endif
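Review bot: With `.ca = NULL` the accepted connection performs no client-certificate verification, so any peer that completes the handshake is let through; that is acceptable for server-only TLS, but if mutual TLS is intended `.ca` must point at the CA that signs the client certificates. `srv_cert` and `srv_key` are not declared anywhere in the hunk, so the patch should say where they are defined and whether they are NUL-terminated PEM text, which is presumably what `mg_tls_opts` expects. The hunk also edits the vendored mongoose.c inside the library's accept_conn instead of calling `mg_tls_init` from the application's own connection handler as the examples listed above appear to do in their main.c, and the second hunk (mongoose.h) flips the library default rather than passing `-DMG_ENABLE_MBEDTLS=1` at build time as the example Makefiles do; both edits are lost on the next library update. accept_conn's body starts and ends outside the hunk.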
diff --git a/mongoose.h b/mongoose.h
#ifndef MG_ENABLE_MBEDTLS
-#define MG_ENABLE_MBEDTLS 0
+#define MG_ENABLE_MBEDTLS 1

@stefanobignotti

Hi @Darsh-Dev,
I'm trying to use my self-signed certificates and keys generated with OpenSSL in the MQTT broker.
I have enabled the TLS feature as you explained, but it doesn't work: when I try to connect an MQTT client to the broker, it always reboots with this error:

rst:0x8 (TG1WDT_SYS_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0030,len:6708
load:0x40078000,len:14224
ho 0 tail 12 room 4
load:0x40080400,len:3688
entry 0x40080678

I tried to debug but I don't understand what I'm doing wrong.
This is my mongoose.c code (accept_conn function):

// Certificate material linked into the firmware image. The `_binary_<file>_start`
// / `_end` symbol names match what ESP-IDF's file embedding generates for
// ca.crt, server.crt and server.key — presumably via the component's
// EMBED_TXTFILES list; confirm, since only that variant NUL-terminates the
// data, and accept_conn below hands these arrays to mg_tls_opts as C strings.
extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
extern const uint8_t ca_crt_end[] asm("_binary_ca_crt_end");
extern const uint8_t server_crt_start[] asm("_binary_server_crt_start");
extern const uint8_t server_crt_end[] asm("_binary_server_crt_end");
extern const uint8_t server_key_start[] asm("_binary_server_key_start");
extern const uint8_t server_key_end[] asm("_binary_server_key_end");

/*
 * Accept one pending connection on listener `lsn`, wrap it in a new
 * mg_connection registered with `mgr`, and (when MG_ENABLE_MBEDTLS is set)
 * start TLS on it with the embedded server credentials before raising
 * MG_EV_ACCEPT on it.
 *
 * Failure paths (accept() error, descriptor beyond FD_SETSIZE, alloc_conn
 * out of memory) are logged and the socket is closed where one was obtained;
 * nothing is reported back to the caller.
 */
static void accept_conn(struct mg_mgr *mgr, struct mg_connection *lsn) {
  struct mg_connection *c = NULL;
  union usa usa;
  socklen_t sa_len = sizeof(usa);
  SOCKET fd = accept(FD(lsn), &usa.sa, &sa_len);
  if (fd == INVALID_SOCKET) {
    LOG(LL_ERROR, ("%lu accept failed, errno %d", lsn->id, MG_SOCK_ERRNO));
#if (!defined(_WIN32) && (MG_ARCH != MG_ARCH_FREERTOS_TCP))
  } else if ((long) fd >= FD_SETSIZE) {
    // A descriptor this large cannot be tracked in a select() fd_set; drop it.
    LOG(LL_ERROR, ("%ld > %ld", (long) fd, (long) FD_SETSIZE));
    closesocket(fd);
#endif
  } else if ((c = alloc_conn(mgr, 0, fd)) == NULL) {
    LOG(LL_ERROR, ("%lu OOM", lsn->id));
    closesocket(fd);
  } else {
    char buf[40];
    // The third argument flags a peer address that is not sizeof(sin) —
    // presumably IPv6 — so tomgaddr can pick the right conversion.
    tomgaddr(&usa, &c->peer, sa_len != sizeof(usa.sin));
    mg_straddr(c, buf, sizeof(buf));
    LOG(LL_DEBUG, ("%lu accepted %s", c->id, buf));
    mg_set_non_blocking_mode(FD(c));
    setsockopts(c);
    LIST_ADD_HEAD(struct mg_connection, &mgr->conns, c);
    c->is_accepted = 1;
    // The accepted connection inherits the listener's protocol handler,
    // user handler and hexdump setting.
    c->is_hexdumping = lsn->is_hexdumping;
    c->pfn = lsn->pfn;
    c->pfn_data = lsn->pfn_data;
    c->fn = lsn->fn;
    c->fn_data = lsn->fn_data;

#if MG_ENABLE_MBEDTLS
    // The embedded ca.crt / server.crt / server.key arrays are passed as
    // C strings, so the embedded data must be NUL-terminated PEM text —
    // TODO confirm the build embeds them that way.
    // NOTE(review): setting .ca on an accepted (server-side) connection
    // presumably makes mg_tls_init verify the *client's* certificate against
    // ca.crt (mutual TLS); clients that present no certificate signed by it
    // would then fail the handshake. Leave .ca NULL if only server
    // authentication is wanted — confirm against mg_tls_init.
    struct mg_tls_opts opts = {
    	.ca = (const char *) ca_crt_start,
        .cert = (const char *) server_crt_start,
        .certkey = (const char *) server_key_start
    };
    // No status from mg_tls_init is inspected here; if it signals failure
    // through the connection state, MG_EV_ACCEPT is still raised below.
    mg_tls_init(c, &opts);
#endif
    mg_call(c, MG_EV_ACCEPT, NULL);
  }
}

Thanks

@nopnop2002

nopnop2002 commented Oct 12, 2021

@stefanobignotti

@nopnop2002
I solved my problem. It was a problem with the broker poll delay; it is working now.
Thanks
