
Mqtt-mbedtls

Open alexsandroz opened this issue 1 year ago • 15 comments

Enable mqtt with TLS

This pull request contains the specific configuration for enabling mbedtls with MQTT. Due to environment limitations there is only one version of TLS and only one cipher enabled:

TLS VERSION: TLSv1.2
TLS CIPHER: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

This is a common configuration supported by the mosquitto MQTT server.

Tested only with LWIP MQTT client application on BK7231N platform. It's possible that it will also work on other platforms, but I don't have specific hardware to test.

The web server MQTT page has been updated to specify whether MQTT uses TLS and if the certificate needs to be validated. The CA certificate or public certificate (in case of self-signed) must be uploaded in PEM format to LFS. To validate the certificate dates, the NTP driver must be enabled, otherwise the build date will be used to validate.

Additionally, an option to disable the web app has been added to strengthen security. Communication only with secure mqtt connection.

Addresses:
#668 Is it able to support mqtt connection via TLS (secure connection) on remote MQTT server such as AWS broker?
#759 Self-Signed MQTT Server Connection Fails

alexsandroz avatar Oct 29 '23 20:10 alexsandroz

Thank you, this will certainly be merged, but first, what is the memory impact of using this TLS library? Is there already present a mechanism to simply enable or disable it entirely?

I am planning to alter online builds system to publish different versions of OBK, permutations with different features enabled, and that one could be one of the permutations

openshwprojects avatar Oct 29 '23 22:10 openshwprojects

> Thank you, this will certainly be merged, but first, what is the memory impact of using this TLS library? Is there already present a mechanism to simply enable or disable it entirely?
>
> I am planning to alter online builds system to publish different versions of OBK, permutations with different features enabled, and that one could be one of the permutations

The impact on memory I believe is acceptable. It is around 11k of memory with certificate validation, only 8k if you don't validate the certificate. There is a configuration parameter CFG_USE_MQTT_TLS in components.mk that fully enables or disables the function in the compilation.

alexsandroz avatar Oct 30 '23 01:10 alexsandroz

Can you change booleans in config to bytes, or maybe even put the two into one byte? The sizeof bool is 4 on Windows: [image]. So it currently breaks the Windows build.

openshwprojects avatar Oct 30 '23 07:10 openshwprojects

> Can you change booleans in config to bytes, or maybe even put the two into one byte? The sizeof bool is 4 on Windows: [image]. So it currently breaks the Windows build.

Done. Changed to byte and added some documentation.

alexsandroz avatar Oct 30 '23 13:10 alexsandroz

Ok, let me review it a bit more. And also - I don't know much about TLS implementation, but does it mean that we could also be able to make HTTPS connections? How much is missing for that? You know, we have SendGET / SendPOST functions.

openshwprojects avatar Oct 30 '23 17:10 openshwprojects

> Ok, let me review it a bit more. And also - I don't know much about TLS implementation, but does it mean that we could also be able to make HTTPS connections? How much is missing for that? You know, we have SendGET / SendPOST functions.

Yes, it is possible. The limitation is the available memory. For each connection to a new service, it is necessary to make a new handshake and maintain the TLS session.

alexsandroz avatar Oct 30 '23 18:10 alexsandroz

Hello, is autoexec.bat on LittleFS preserved when you do OTA?

openshwprojects avatar Nov 01 '23 21:11 openshwprojects

> Hello, is autoexec.bat on LittleFS preserved when you do OTA?

I tested it now and had no problems with existing files. I don't know the size of the file system, but if the certificate is very large it could be the cause of the problem. The certificate I use has 2k bytes.

alexsandroz avatar Nov 01 '23 22:11 alexsandroz

Would be possible to add client certificates as well?

mihaimacarie98 avatar Nov 18 '23 00:11 mihaimacarie98

Create a file in LFS. Paste the certificate contents in PEM format into it. Specify the file name in the mqtt web interface configuration.

alexsandroz avatar Nov 20 '23 02:11 alexsandroz
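The PR description above fixes the firmware to TLSv1.2 with the single suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 and lets the user choose whether the broker certificate is validated against a PEM CA file; the reply just above adds a client certificate the same way (a PEM file on LFS). The following Python script is an added example, not code from this PR or from OpenBK7231T_App: it builds the equivalent client-side policy with the standard `ssl` module so you can check, from a PC, that a mosquitto broker accepts exactly this version/suite combination before flashing a device. The name conversion helper, the function names and the optional file-path parameters are my own assumptions; the mbedTLS suite name is taken from the PR text.

```python
import re
import ssl
from typing import List, Optional, Tuple

# The single cipher suite the PR enables, in mbedTLS spelling (from the PR text).
MBEDTLS_SUITE = "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"


def mbedtls_to_openssl_name(suite: str) -> str:
    """Convert an mbedTLS suite name to OpenSSL spelling for the ECDHE/RSA/AES-GCM
    family: drop the 'TLS-' prefix and '-WITH-', and fuse 'AES-128' into 'AES128'.
    Assumption: this covers the common suites, not every name mbedTLS knows."""
    name = suite[4:] if suite.startswith("TLS-") else suite
    name = name.replace("-WITH-", "-")
    return re.sub(r"(AES|CAMELLIA|ARIA)-(\d+)", r"\1\2", name)


def build_mqtt_tls_context(
    validate_certificate: bool,
    ca_pem_path: Optional[str] = None,          # CA or self-signed server cert (PEM)
    client_cert_pem_path: Optional[str] = None,  # optional client certificate (PEM)
    client_key_pem_path: Optional[str] = None,   # its private key (PEM)
) -> ssl.SSLContext:
    """Mirror the firmware's constraints on the PC side: TLS 1.2 only, one suite,
    and certificate validation that can be switched off (as the web page allows)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(mbedtls_to_openssl_name(MBEDTLS_SUITE))
    if validate_certificate:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        if ca_pem_path:
            ctx.load_verify_locations(cafile=ca_pem_path)
        else:
            ctx.load_default_certs()
    else:
        # check_hostname must be cleared before verify_mode can become CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert_pem_path:
        ctx.load_cert_chain(certfile=client_cert_pem_path, keyfile=client_key_pem_path)
    return ctx


def tls12_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """TLS 1.2 suites the context will offer; OpenSSL lists TLS 1.3 suites too,
    but maximum_version keeps them off the wire, so they are filtered out here."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def version_range(ctx: ssl.SSLContext) -> Tuple[str, str]:
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def validates_peer(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    ctx = build_mqtt_tls_context(validate_certificate=True)
    print(version_range(ctx), tls12_cipher_names(ctx), validates_peer(ctx))
    # To probe a broker: ssl_sock = ctx.wrap_socket(socket.create_connection((host, 8883)),
    # server_hostname=host); a handshake failure here means the device will fail too.
```

On the mosquitto side the matching listener uses `cafile`/`certfile`/`keyfile` plus `tls_version tlsv1.2` and `ciphers ECDHE-RSA-AES128-GCM-SHA256` (and `require_certificate true` only if you also upload a client certificate). Note that the date check in the PR falls back to the build date when NTP is disabled, so a broker certificate issued after the firmware was built would still pass that check on a device without NTP; the PC-side context above always uses the real clock.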

Guys can anyone do the final testing of this PR on T and N platforms? I would like to have it merged soon but I didn't have time to look into whole secure MQTT yet. Anyone?

Also, please merge changes @alexsandroz from upstream if you can

openshwprojects avatar Mar 23 '24 16:03 openshwprojects

> Also, please merge changes @alexsandroz from upstream if you can

merge done

alexsandroz avatar Mar 24 '24 01:03 alexsandroz

Not sure how helpful this is but I tested it on my Geeni Outdoor Duo plug GNC-OW102-103. Which has a Tuya CB3S Module (BK7231N). I connect to mosquitto running on a router. I merged it into c07f66f3 and compiled. It works like a charm.

Thanks this is the last step I needed to be able to use OpenBK7231T_App on my network.

protectivedad avatar Mar 27 '24 22:03 protectivedad

Can someone publish builds with latest changes on main? Would like to test for N and cannot build myself, too many conflicts.

ermech avatar Apr 20 '24 04:04 ermech

> Can someone publish builds with latest changes on main? Would like to test for N and cannot build myself, too many conflicts.

merge with main done

alexsandroz avatar Apr 27 '24 18:04 alexsandroz