program esp8266-07 with arduino IDE using mqtt and tls/ssl


Hoda Erfanian

Sep 22, 2016, 7:49:26 AM
to MQTT
hello everybody!
I have an ESP8266-07 module! I want to program it with the Arduino IDE, but I don't want to use an Arduino board, and I also want to use the MQTT protocol with SSL or TLS. I found some libraries related to what I want, but I don't know how to use them with the Arduino IDE! Can anybody help me? Thanks.

Paul Fremantle

Sep 22, 2016, 8:48:01 AM
to mq...@googlegroups.com
Hoda

No problem.

The following code snippets will help you.

This is using Nick O'Leary's Arduino MQTT client (http://pubsubclient.knolleary.net/)

#include <ESP8266WiFi.h>
#include <PubSubClient.h>

// Placeholders: substitute your broker, its TLS port and the device's credentials
const char* server = "broker.example.com";
const uint16_t port = 8883;
const char* deviceid = "esp8266-07";        // MQTT client id
const char* client_id = "device-user";      // sent in the CONNECT username field
const char* client_secret = "device-pass";  // sent in the CONNECT password field

void callback(char* topic, byte* payload, unsigned int length) { /* handle incoming messages */ }

WiFiClientSecure secureClient;              // TLS client, used in place of a plain WiFiClient
PubSubClient mqttclient(server, port, callback, secureClient);

void setup() {
  Serial.begin(115200);
  // join the WiFi network (WiFi.begin() and wait for WL_CONNECTED) before this point
  boolean success = mqttclient.connect(deviceid, client_id, client_secret);
  if (success) {
    // verify() (2016 axTLS-based core) checks the SHA-1 fingerprint of the certificate on the connection just opened; the CONNECT above has already been sent by now
    boolean verified = secureClient.verify("47:70:1A:5A:61:ED:0C:F4:BE:83:0E:84:34:E9:0D:4A:93:2D:15:A0", "servername");
    Serial.print(verified ? "verified tls!" : "unverified tls");
  }
}

void loop() { mqttclient.loop(); }

Paul

--
To learn more about MQTT please visit http://mqtt.org
---
You received this message because you are subscribed to the Google Groups "MQTT" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mqtt+unsubscribe@googlegroups.com.
To post to this group, send email to mq...@googlegroups.com.
Visit this group at https://groups.google.com/group/mqtt.
For more options, visit https://groups.google.com/d/optout.



--
Paul Fremantle
Part-time PhD student - School of Computing
twitter: pzfreo / skype: paulfremantle / blog: http://pzf.fremantle.org
Co-Founder, WSO2
Apache Member and Committer
07740 199 729

Hoda Erfanian

Sep 23, 2016, 2:27:28 AM
to MQTT
Thanks a lot Paul! :) It's working now :)



Paul Fremantle

Sep 23, 2016, 3:49:59 AM
to mq...@googlegroups.com
Super easy huh? I was really impressed.

Paul


Amit Katyal

Oct 20, 2016, 2:46:40 AM
to MQTT
Hi Paul,

Thanks for the code snippets.

However, I have a couple of doubts:

1. boolean verified = secureClient.verify("47:70:1A:5A:61:ED:0C:F4:BE:83:0E:84:34:E9:0D:4A:93:2D:15:A0", "servername");

   You are passing the hash of the server certificate to validate the server certificate?
   I think this will handle the use case of server authentication. But if my requirement is to authenticate the IoT device (ESP8266), so that not just any IoT device is able to connect to my server, to avoid a DoS attack, should I install a certificate on the IoT device side?

   As per my understanding, my requirement can't be addressed by just verifying the server certificate hash, because an attacker device can always pretend that the server certificate is good (without validating the hash) and can establish the connection. Please correct me if my understanding is incorrect.

Thanks and Regards,
Amit
       
     



Paul Fremantle

Oct 20, 2016, 3:06:04 AM
to mq...@googlegroups.com
Amit

You are correct, this is only validating the server credentials.

Most web-based systems do not use client-side SSL certificates because of the problems in distributing them. 

In my work, I use OAuth2 tokens to validate the client, which I pass over in the MQTT CONNECT Username/Password fields.
You could also just use a device id and secret as the username and password without invoking OAuth2.

I don't believe that the ESP8266 TLS code supports client certificates, but even if it did, I wouldn't personally use that approach.

If you want more information on the OAuth2 approach, I have an old paper here and I'm just preparing a new one:

Paul


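Paul's reply above relies on the MQTT CONNECT Username/Password fields carrying the device id and secret (or an OAuth2 token), and on TLS to protect them. As an added example, not code from the thread, from PubSubClient or from Paul's own systems, here is a standard C++17 builder and strict broker-side parser for an MQTT 3.1.1 CONNECT packet, so the placement of those fields, the flag bits that announce them, and the fact that they are sent verbatim in the packet (which is why the TLS layer is needed) can be seen byte by byte. The sample client id and credentials are constructed for the example.

```cpp
// Added example, not code from the thread: build and parse an MQTT 3.1.1 CONNECT packet
// to show where the device id/secret (or OAuth2 token) travel. Standard C++17; sample data is made up.
#include <algorithm>
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

struct Connect {
    std::string client_id;
    std::optional<std::string> username;  // device id or bearer token
    std::optional<std::string> password;  // device secret
    uint16_t keep_alive = 60;
    bool clean_session = true;
};

// MQTT string: 2-byte big-endian length, then the bytes.
static void put_str(Bytes& out, const std::string& s) {
    if (s.size() > 0xFFFF) throw std::length_error("MQTT string too long");
    out.push_back(static_cast<uint8_t>(s.size() >> 8));
    out.push_back(static_cast<uint8_t>(s.size() & 0xFF));
    out.insert(out.end(), s.begin(), s.end());
}

Bytes build_connect(const Connect& c) {
    Bytes body;
    put_str(body, "MQTT");                // protocol name
    body.push_back(0x04);                 // protocol level 4 = MQTT 3.1.1
    uint8_t flags = 0;
    if (c.username) flags |= 0x80;        // bit 7: username present in payload
    if (c.password) flags |= 0x40;        // bit 6: password present in payload
    if (c.clean_session) flags |= 0x02;   // bit 1: clean session
    body.push_back(flags);
    body.push_back(static_cast<uint8_t>(c.keep_alive >> 8));
    body.push_back(static_cast<uint8_t>(c.keep_alive & 0xFF));
    put_str(body, c.client_id);           // payload order is fixed by the spec:
    if (c.username) put_str(body, *c.username);   // client id, [will], [username], [password]
    if (c.password) put_str(body, *c.password);
    Bytes pkt{0x10};                      // fixed header: CONNECT type, flags 0
    size_t rem = body.size();             // "remaining length", 7 bits per byte, MSB = more
    do { uint8_t b = static_cast<uint8_t>(rem % 128); rem /= 128;
         if (rem) b |= 0x80; pkt.push_back(b); } while (rem);
    pkt.insert(pkt.end(), body.begin(), body.end());
    return pkt;
}

// Broker-side parser, strict about lengths and reserved bits so a hostile client cannot
// make it read past the buffer or hide unparsed bytes behind the payload.
class Reader {
public:
    explicit Reader(const Bytes& b) : buf_(b) {}
    uint8_t u8() { need(1); return buf_[pos_++]; }
    uint16_t u16() { uint16_t hi = u8(); return static_cast<uint16_t>((hi << 8) | u8()); }
    std::string str() {
        uint16_t n = u16(); need(n);
        std::string s(buf_.begin() + pos_, buf_.begin() + pos_ + n); pos_ += n; return s;
    }
    size_t remaining() const { return buf_.size() - pos_; }
private:
    void need(size_t n) const { if (pos_ + n > buf_.size()) throw std::runtime_error("truncated CONNECT"); }
    const Bytes& buf_; size_t pos_ = 0;
};

Connect parse_connect(const Bytes& pkt) {
    Reader r(pkt);
    if (r.u8() != 0x10) throw std::runtime_error("not a CONNECT packet");
    size_t rem = 0, mult = 1; int n = 0; uint8_t b;
    do { b = r.u8(); rem += (b & 0x7F) * mult; mult *= 128;
         if (++n > 4) throw std::runtime_error("malformed remaining length"); } while (b & 0x80);
    if (rem != r.remaining()) throw std::runtime_error("remaining length mismatch");
    if (r.str() != "MQTT" || r.u8() != 0x04) throw std::runtime_error("unsupported protocol");
    uint8_t flags = r.u8();
    if (flags & 0x01) throw std::runtime_error("reserved flag set");
    if ((flags & 0x40) && !(flags & 0x80)) throw std::runtime_error("password without username");
    Connect c;
    c.clean_session = (flags & 0x02) != 0;
    c.keep_alive = r.u16();
    c.client_id = r.str();
    if (flags & 0x04) { r.str(); r.str(); }   // will topic and will message, unused here
    if (flags & 0x80) c.username = r.str();
    if (flags & 0x40) c.password = r.str();
    if (r.remaining() != 0) throw std::runtime_error("trailing bytes after payload");
    return c;
}

// The secret is carried verbatim: without TLS anyone on the path can read it.
bool contains_bytes(const Bytes& pkt, const std::string& s) {
    return std::search(pkt.begin(), pkt.end(), s.begin(), s.end()) != pkt.end();
}
Connect sample_connect() {                    // constructed sample, not real credentials
    Connect c; c.client_id = "esp8266-07"; c.username = "device-1234"; c.password = "s3cret";
    return c;
}
bool rejects_truncated() {                    // one byte short must be refused, not parsed
    Bytes p = build_connect(sample_connect()); p.pop_back();
    try { parse_connect(p); return false; } catch (const std::runtime_error&) { return true; }
}
```

The three strings PubSubClient's connect(id, user, pass) takes land in exactly these three payload fields, so "device id and secret as the username and password" is nothing more than two length-prefixed strings after the client id. A broker or gateway that validates them should compare the secret in constant time, or hand a bearer token to the token service, after the strict parse; the remaining-length and trailing-bytes checks are what stop a malformed CONNECT from being used to probe the parser.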

Amit Katyal

Oct 20, 2016, 5:02:43 AM
to MQTT
Thanks Paul for your quick reply!!

I am open to any approach if it can provide client-side authentication and is easy to implement.

Are you suggesting using server certificates for server authentication, and device ID, username and password for client authentication?

As per your suggestion, once the server is authenticated by the IoT device, communication between the IoT device and the server will be secure, and as a result client authentication will be secure because the device ID, username and password will be encrypted and sent to the server. So even if an attacker tries to establish a connection with my server, the attacker can ignore server validation but will not be able to proceed further because of client authentication failure (as the attacker will not be aware of the device ID, username and password)? If so, can it still result in a DoS attack, because we are allowing the SSL handshake to succeed (which means the TCP handshake will be done) but client authentication will fail? Is there any existing mechanism to throttle the SSL handshake?

Please correct me if my understanding is incorrect.

Paul Fremantle

Oct 20, 2016, 5:31:00 AM
to mq...@googlegroups.com
Amit

You have got it exactly.

The approach that I have for handling the DOS attack is that I handle the OAuth2 token validation, the topic permissions and authorization checks and the SSL termination in a separate gateway called IGNITE. The result is that I can scale this independently of the backend MQTT server. 

I personally don't think there is much difference in handling the DOS attack at the SSL level or on the incoming MQTT Connect, unless you have dedicated TLS hardware, which in my cases I don't. However, I haven't done any empirical study of this, so I could be wrong.

Best
Paul

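Paul's answer above moves TLS termination and token validation into a separate gateway that scales independently of the broker, and Amit asked whether there is a mechanism to throttle the handshake. The following is an added example of the kind of throttle such a gateway could apply; it is not Paul's IGNITE code and not from the thread. It keeps a token bucket per source address to gate handshakes before any TLS work is done, and locks a source out after repeated bad CONNECT credentials so a stolen-guess loop is cut off cheaply. The class name, parameters, addresses and timings are assumptions chosen for the walk-through.

```cpp
// Added example, not Paul's IGNITE code: per-source handshake throttle plus lockout on
// repeated bad MQTT CONNECT logins. Standard C++17; addresses and timings are made up.
#include <algorithm>
#include <string>
#include <unordered_map>

class ConnectThrottle {
public:
    // rate: handshakes per second refilled per source; burst: bucket size;
    // max_failures: bad CONNECT logins before a lockout of lockout_secs.
    ConnectThrottle(double rate, double burst, int max_failures, double lockout_secs)
        : rate_(rate), burst_(burst), max_failures_(max_failures), lockout_(lockout_secs) {}

    // Ask before starting the TLS handshake; `now` is a monotonic clock in seconds.
    bool allow(const std::string& src, double now) {
        Bucket& b = get(src, now);
        if (now < b.locked_until) return false;          // still locked out
        b.tokens = std::min(burst_, b.tokens + (now - b.last) * rate_);
        b.last = now;
        if (b.tokens < 1.0) return false;                // over the handshake rate
        b.tokens -= 1.0;
        return true;
    }

    // Report the outcome of the CONNECT credential check for this source.
    void report_auth(const std::string& src, bool ok, double now) {
        Bucket& b = get(src, now);
        if (ok) { b.failures = 0; return; }
        if (++b.failures >= max_failures_) {
            b.failures = 0;
            b.locked_until = now + lockout_;             // stops cheap credential guessing
        }
    }

    bool locked(const std::string& src, double now) const {
        auto it = buckets_.find(src);
        return it != buckets_.end() && now < it->second.locked_until;
    }

private:
    struct Bucket { double tokens; double last; int failures = 0; double locked_until = 0; };

    Bucket& get(const std::string& src, double now) {
        auto it = buckets_.find(src);
        if (it == buckets_.end()) it = buckets_.emplace(src, Bucket{burst_, now}).first;
        return it->second;
    }

    double rate_, burst_; int max_failures_; double lockout_;
    std::unordered_map<std::string, Bucket> buckets_;
};

// Walk-through on constructed traffic: 1 handshake/s, burst 3, lockout 60 s after 3 bad logins.
bool demo_throttle() {
    ConnectThrottle t(1.0, 3.0, 3, 60.0);
    const std::string attacker = "203.0.113.7", device = "192.0.2.10";
    // Four handshakes at t=0: the first three pass, the fourth is dropped before TLS.
    bool burst_ok = t.allow(attacker, 0.0) && t.allow(attacker, 0.0) && t.allow(attacker, 0.0)
                    && !t.allow(attacker, 0.0);
    // Two seconds later two tokens have refilled.
    bool refill_ok = t.allow(attacker, 2.0) && t.allow(attacker, 2.0) && !t.allow(attacker, 2.0);
    // Three bad CONNECT logins lock the source out until t=64; another IP is unaffected.
    t.report_auth(attacker, false, 2.0); t.report_auth(attacker, false, 3.0); t.report_auth(attacker, false, 4.0);
    bool lock_ok = t.locked(attacker, 10.0) && !t.allow(attacker, 10.0) && t.allow(device, 10.0);
    // After the lockout expires the source is served again, and a good login clears the count.
    bool expiry_ok = !t.locked(attacker, 70.0) && t.allow(attacker, 70.0);
    t.report_auth(attacker, true, 70.0);
    return burst_ok && refill_ok && lock_ok && expiry_ok;
}
```

Because the check runs on the source address before the handshake, the expensive part (the TLS key exchange) is only spent on sources that are within budget, which is the point of doing it in the gateway rather than in the broker's CONNECT handling.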

Amit Katyal

Oct 20, 2016, 6:32:05 AM
to MQTT
Thanks Paul!!

To conclude, server authentication and client authentication (using device ID, username and password) should be good enough to make sure that an attacker will not be able to connect to my server hosting the MQTT broker, if the client details (device ID, username and password) are not compromised.

Regards,
Amit Katyal