Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add setSSLVersion call to SSL object #7920

Merged
merged 4 commits into from
Mar 15, 2021
Merged

Add setSSLVersion call to SSL object #7920

merged 4 commits into from
Mar 15, 2021

Conversation

earlephilhower
Copy link
Collaborator

Allow users to only allow specific TLS versions for connections with an
additional call in their app, similar to the setCiphers call.

Fixes #7918

@earlephilhower
Add setSSLVersion call to SSL object
70c8172 
Allow users to only allow specific TLS versions for connections with an
additional call in their app, similar to the setCiphers call.

Fixes esp8266#7918
@manolodd
Copy link
Contributor

Wow!!!

I was working on it (having some trouble installing the Git version in the IDE) and you solved it in a moment, hehe.

Thank you very much, it is a very useful feature to not depend on the TLS configuration of the remote server and to be able to specify TLS 1.2 as the only option from the client.

@earlephilhower
Copy link
Collaborator Author

Can you verify it with your own test and report back? I've done quick things w/curl, but a 2nd-hand report is always useful!

@manolodd
Copy link
Contributor

Umm, apparently it fails!

/home/manolodd/Desarrollo/Arduino/NodemcuWifiMQTTTLStls12_5/NodemcuWifiMQTTTLStls12_5.ino: In function 'void setupMQTT()':
NodemcuWifiMQTTTLStls12_5:235:17: error: 'class BearSSL::WiFiClientSecure' has no member named 'setSSLVersion'; did you mean 'setSession'?
235 | tlsConnection.setSSLVersion(BR_TLS12, BR_TLS12);
| ^~~~~~~~~~~~~
| setSession
exit status 1
'class BearSSL::WiFiClientSecure' has no member named 'setSSLVersion'; did you mean 'setSession'?

If I add the following method

bool setSSLVersion(uint32_t min = BR_TLS10, uint32_t max = BR_TLS12) { return setSSLVersion(min, max); };

to class WiFiClientSecure : public WiFiClient (is missing)

then everything compiles, but once flashed to my NodeMCU it throws an exception.

My mosquitto is running only TLS 1.2

nmap --script ssl-enum-ciphers -p 8883 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-12 21:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Other addresses for localhost (not scanned): ::1

PORT STATE SERVICE
8883/tcp open secure-mqtt
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

And without trying to set the TLS version with the new method, my sketch works fine, so It uses TLS 1.2.

I need to do some additional tests.

@manolodd
Copy link
Contributor

stack>>>

ctx: cont
sp: 3ffffdd0 end: 3fffffc0 offset: 01a0
3fffff70: 3fffdad0 3ffeeb68 3ffeecb0 402026f2
3fffff80: 3fffdad0 3ffeeb68 3ffeecb0 40202a0a
3fffff90: 00000000 0018001f 00000000 feefeffe
3fffffa0: feefeffe feefeffe feefeffe 40207430
3fffffb0: feefeffe feefeffe 3ffe8648 40100c35
<<<stack<<<

--------------- CUT HERE FOR EXCEPTION DECODER ---------------

ets Jan 8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 3460, room 16
tail 4
chksum 0xcc
load 0x3fff20b8, len 40, room 4
tail 4
chksum 0xc9
csum 0xc9
v000636c0
~ld

@manolodd
Copy link
Contributor

My fault!!!

I forgot the "_ctx->" in

bool setSSLVersion(uint32_t min = BR_TLS10, uint32_t max = BR_TLS12) { return _ctx->setSSLVersion(min, max); };

You only have to add this method to class WiFiClientSecure : public WiFiClient and everything seems to work fine:

Conectando 8C:AA:B5:7C:82:B4 a la red WiFi MEREET...¡Conectado!
Configurando hora vía NTP.¡Configurada!
Conectando al broker MQTT con TLS 1.2...¡Conectado al broker MQTT!
Suscribiendose al topic devices/todevice/nodemcu-8CAAB57C82B4...¡Suscrito al topic!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:02 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:12 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:22 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:32 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:42 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:12:52 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:11:57 2021] en devices/uptime/nodemcu-8CAAB57C82B4...¡Publicado!
Publicando [Fri Mar 12 22:13:02 2021] en devices/fromdevice/nodemcu-8CAAB57C82B4...¡Publicado!
[...]

So... simply add this method!

Thank you so much.

@earlephilhower earlephilhower added this to the 3.0.0 milestone Mar 12, 2021
@earlephilhower earlephilhower removed this from the 3.0.0 milestone Mar 15, 2021
@earlephilhower earlephilhower changed the title Add setSSLVersion call to SSL object WIP - Add setSSLVersion call to SSL object Mar 15, 2021
@earlephilhower
Copy link
Collaborator Author

An equivalent option for the WiFiServerSecure should also be made available. Pushing past 3.0.0

@earlephilhower earlephilhower changed the title WIP - Add setSSLVersion call to SSL object Add setSSLVersion call to SSL object Mar 15, 2021
@earlephilhower earlephilhower merged commit 7475ba7 into esp8266:master Mar 15, 2021
@manolodd manolodd mentioned this pull request Mar 15, 2021
Merged
@earlephilhower earlephilhower deleted the tlslimit branch March 16, 2021 03:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Limitting to TLS 1.2
2 participants
@earlephilhower @manolodd