BearSSL client secure example for establishing TLS1.2 connection using rootCA Cert and client private key and certificate #5347
Comments
|
Can you also dump the last error (client->getLastSSLError(buff, len)) as your sketch isn't runnable by anyone but yourself. Also, make sure you're running at 160MHz since Azure is probably using EC. |
|
Hi @earlephilhower, https://drive.google.com/file/d/1jWN1ouvIQBxxkoDSQ25ZXUdn_V-q6w1b/view?usp=sharing #include <ESP8266WiFi.h>
#include <time.h>
const char *ssid = "SSID";
const char *pass = "PASS";
const char * host = "a2sy7u3nxkdvrh-ats.iot.ap-southeast-1.amazonaws.com";
const uint16_t port = 8443;
const char * path = "/topics/mj?qos=1";
// Set time via NTP, as required for x.509 validation
time_t setClock() {
configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov");
Serial.print("Waiting for NTP time sync: ");
time_t now = time(nullptr);
while (now < 8 * 3600 * 2) {
delay(500);
Serial.print(".");
now = time(nullptr);
}
Serial.println("");
struct tm timeinfo;
gmtime_r(&now, &timeinfo);
Serial.print("Current time: ");
Serial.print(asctime(&timeinfo));
return now;
}
void fetchURL(BearSSL::WiFiClientSecure *client, const char *host, const uint16_t port, const char *path) {
if (!path) {
path = "/";
}
Serial.printf("Trying: %s:8443...", host);
client->connect(host, port);
if (!client->connected()) {
Serial.printf("*** Can't connect. ***\n-------\n");
Serial.printf("---------- \n");
Serial.printf("client->getLastSSLError() output is : ");
Serial.println (client->getLastSSLError());
Serial.printf("\n ----------");
return;
}
Serial.printf("Connected!\n-------\n");
client->write("POST ");
client->write(path);
client->write(" HTTP/1.0\r\nHost: ");
client->write(host);
client->write("\r\nUser-Agent: ESP8266\r\n");
client->write("\r\n");
uint32_t to = millis() + 5000;
if (client->connected()) {
do {
char tmp[32];
memset(tmp, 0, 32);
int rlen = client->read((uint8_t*)tmp, sizeof(tmp) - 1);
yield();
if (rlen < 0) {
break;
}
// Only print out first line up to \r, then abort connection
char *nl = strchr(tmp, '\r');
if (nl) {
*nl = 0;
Serial.print(tmp);
break;
}
Serial.print(tmp);
} while (millis() < to);
}
client->stop();
Serial.printf("\n-------\n\n");
}
void fetchCertAuthority() {
static const char ca_cert[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
-----END CERTIFICATE-----
)EOF";
static const char client_cert[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIVAKAEpMzTvgSj6Cfki29+Bwd2GcxJMA0GCSqGSIb3DQEB
uWjzrmLkeAn4+hsX3w/m48Pw67s5iWEztffx9pXT386SfnBrzrJnHXa5frr6bA==
-----END CERTIFICATE-----
)EOF";
static const char client_key[] PROGMEM = R"KEY(
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuqHZchnoHXQYOvkN0xViIi9ARmp3y9FLkA7thSbu5pQOedzq
fN5zFHUAMC0ye5pXzZ0rtu5+PrpMsxfXcClx6Dcqiwc1Ug1vI5bWzeI1AviRSM+k
uhdis+by3+AZsbVRujicleG9PaKizWujYvlsOQImqhrX5BcZESadFQ==
-----END RSA PRIVATE KEY-----
)KEY";
BearSSL::WiFiClientSecure client;
BearSSLX509List cert(ca_cert);
client.setTrustAnchors(&cert);
BearSSLX509List client_crt(client_cert);
BearSSLPrivateKey key(client_key);
client.setClientRSACert(&client_crt, &key);
setClock();
fetchURL(&client, host, port, path);
}
void setup(){
Serial.begin(115200);
//Serial.setDebugOutput(true);
Serial.println();
Serial.println();
// We start by connecting to a WiFi network
Serial.print("Connecting to ");
Serial.println(ssid);
WiFi.mode(WIFI_STA);
WiFi.begin(ssid, pass);
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.print(".");
}
Serial.println("");
Serial.println("WiFi connected");
Serial.println("IP address: ");
Serial.println(WiFi.localIP());
fetchCertAuthority();
}
void loop() {
// put your main code here, to run repeatedly:
}Debug Message
I also tried using the code mentioned in the comment above but I keep getting an error
Could you please let me know what buff should actually point to and is it okay to define len any random length? |
|
Your root cert isn't correct, per the error code (the 2nd form would actually copy the text string to a buffer you'd have to create): You need to get the root CA that verifies the azure domain you're connecting to and use that, not the specific cert of the machine handling the connection in their cloud. Use OpenSSL debug mode and you can have it dump the certs as it goes through the supplied chain. |
|
Closing due to user error. |
|
World has changed in 20 years dramatically, we have many salesmen in every group, as in this thread, salesman automatically suggests official certificate, not asking even if a user is willing to use self signed certificate - there is actually no difference in the closed and global system at all from security point of view. |
Why ? You can use self signed as well !!! If you are controlling the server and ESP it is 100% secure |
Basic Infos
Platform
Settings in IDE
Problem Description
I am trying to establish a TLS1.2 connection using BearSSLClientSecure. I have an aws IOT instance running with MQTT as a broker. I have the RootCA.Cert along with clientKey and client certificate with me. I was successfully able to establish a TLS connection using my cellular module BG96 and was able to post data through this. I am using the same certificate to establish a TLS1.2 connection but now with an ESP8266 hardware. I have tried the following code which is mostly a modification of BearSSL_Validation example. I am unable to establish a connection to the same AWS IOT instance. Below is the code that I have tried.
MCVE Sketch
Debug Messages
The text was updated successfully, but these errors were encountered: