New TLS implementation (#1520)

* New TLS implementation Implement TLS to mqtt server thanks to WiFiClientSecure class * New TLS implementation Implement TLS to mqtt server thanks to WiFiClientSecure class * New TLS implementation Implement TLS to mqtt server thanks to WiFiClientSecure class * New TLS implementation Implement TLS to mqtt server thanks to WiFiClientSecure class * Update MyConfig.h Typo * Update GatewayESP8266SecureMQTTClient.ino Typo * MyGatewayTransportMQTTClient.cpp updated Move tls settings to bool gatewayTransportInit(void) * MySensors code styling applied by GIT * Try to fix Doxygen warnings * Doxygen warnings fixed hopefuly * MY_GATEWAY_ESP8266_SECURE doc added * MY_GATEWAY_ESP8266_SECURE doc completed * Avoid platform cross compiling * Replaced spaces indent by tabs * Multilines comments to /*
mysensors · Jul 8, 2022 · 97a70a1 · 97a70a1
1 parent b49817b
commit 97a70a1
Show file tree

Hide file tree

Showing 6 changed files with 524 additions and 30 deletions.
diff --git a/.ci/arduino.groovy b/.ci/arduino.groovy
@@ -51,6 +51,7 @@ def buildMySensorsMicro(config, sketches, String key) {
 		for (sketch = 0; sketch < sketches.size(); sketch++) {
 			if (sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayGSMMQTTClient/GatewayGSMMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32/GatewayESP32.ino' &&
@@ -87,6 +88,7 @@ def buildMySensorsGw(config, sketches, String key) {
 			if (sketches[sketch].path != config.library_root+'examples/BatteryPoweredSensor/BatteryPoweredSensor.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayGSMMQTTClient/GatewayGSMMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32/GatewayESP32.ino' &&
@@ -123,6 +125,7 @@ def buildArduinoUno(config, sketches, String key) {
 		for (sketch = 0; sketch < sketches.size(); sketch++) {
 			if (sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32/GatewayESP32.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32OTA/GatewayESP32OTA.ino' &&
@@ -157,6 +160,7 @@ def buildArduinoMega(config, sketches, String key) {
 		for (sketch = 0; sketch < sketches.size(); sketch++) {
 			if (sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32/GatewayESP32.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32OTA/GatewayESP32OTA.ino' &&
@@ -191,6 +195,7 @@ def buildSTM32F1(config, sketches, String key) {
 		for (sketch = 0; sketch < sketches.size(); sketch++) {
 			if (sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32/GatewayESP32.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32OTA/GatewayESP32OTA.ino' &&
@@ -280,6 +285,7 @@ def buildESP32(config, sketches, String key) {
 					sketches[sketch].path != config.library_root+'examples/GatewayGSMMQTTClient/GatewayGSMMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/SensebenderGatewaySerial/SensebenderGatewaySerial.ino' &&
 					sketches[sketch].path != config.library_root+'examples/MotionSensorRS485/MotionSensorRS485.ino' &&
@@ -316,6 +322,7 @@ def buildnRF5(config, sketches, String key) {
 					sketches[sketch].path != config.library_root+'examples/DustSensorDSM/DustSensorDSM.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266/GatewayESP8266.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266MQTTClient/GatewayESP8266MQTTClient.ino' &&
+					sketches[sketch].path != config.library_root+'examples/GatewayESP8266SecureMQTTClient/GatewayESP8266SecureMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayGSMMQTTClient/GatewayGSMMQTTClient.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP8266OTA/GatewayESP8266OTA.ino' &&
 					sketches[sketch].path != config.library_root+'examples/GatewayESP32/GatewayESP32.ino' &&
@@ -396,4 +403,4 @@ def buildnRF51822(config, sketches, String key) {
 	}
 }
 
-return this
+return this
diff --git a/MyConfig.h b/MyConfig.h
@@ -1426,6 +1426,8 @@
  * @brief Define this for Ethernet GW based on the ENC28J60 module.
  * @def MY_GATEWAY_ESP8266
  * @brief Define this for Ethernet GW based on the ESP8266.
+ * @def MY_GATEWAY_ESP8266_SECURE
+ * @brief Define this for Ethernet GW based on the ESP8266 with TLS.
  * @def MY_GATEWAY_ESP32
  * @brief Define this for Ethernet GW based on the ESP32.
  * @def MY_GATEWAY_LINUX
@@ -1441,6 +1443,7 @@
 //#define MY_GATEWAY_W5100
 //#define MY_GATEWAY_ENC28J60
 //#define MY_GATEWAY_ESP8266
+//#define MY_GATEWAY_ESP8266_SECURE
 //#define MY_GATEWAY_ESP32
 //#define MY_GATEWAY_LINUX
 //#define MY_GATEWAY_TINYGSM
@@ -1548,29 +1551,79 @@
 //#define MY_MQTT_SUBSCRIBE_TOPIC_PREFIX "mygateway1-in"
 
 /**
- * @def MY_MQTT_CA_CERT
- * @brief Set a specific CA certificate needed to validate MQTT server against. Use the certificate as a trust anchor, accepting remote certificates signed by it.
+ * @def MY_MQTT_CA_CERT1
+ * @brief Up to three root Certificates Authorities could be defined to validate the mqtt server' certificate. The most secure.
+ *
+ * This define is mandatory when you need connect MQTT over SSL/TLS. Certificate Authorities.
+ * The best method to validate server certificates.
+ * Advised to retrieve root Certificate Authorities as they expire less often than server certificates.
+ * With let's encrypt you may need up to three Certificate Authorities
  *
- * This define is mandatory when you need connect MQTT over SSL/TLS.
  * Example: @code
  *
- * const char mqtt_ca_cert[] PROGMEM = R"EOF(
+ * const char cert_isrgrootx1_Authority[] PROGMEM = R"EOF(
  * ----- BEGIN THE CERTIFICATE -----
  * XXX ... XXX
  * ----- FINISH CERTIFICATE -----
  * )EOF";
  *
- * #define MY_MQTT_CA_CERT mqtt_ca_cert
+ * const char cert_isrgrootx2_Authority[] PROGMEM = R"EOF(
+ * ----- BEGIN THE CERTIFICATE -----
+ * XXX ... XXX
+ * ----- FINISH CERTIFICATE -----
+ * )EOF";
+ *
+ * const char cert_letsEncryptR3_Authority[] PROGMEM = R"EOF(
+ * ----- BEGIN THE CERTIFICATE -----
+ * XXX ... XXX
+ * ----- FINISH CERTIFICATE -----
+ * )EOF";
+ *
+ * #define MY_MQTT_CA_CERT1 cert_isrgrootx1_Authority
+ * #define MY_MQTT_CA_CERT2 cert_isrgrootx2_Authority
+ * #define MY_MQTT_CA_CERT3 cert_letsEncryptR3_Authority
+ *
+ * @endcode
+ */
+//#define MY_MQTT_CA_CERT1
+
+/**
+ * @def MY_MQTT_CA_CERT2
+ * @brief Up to three root Certificates Authorities could be defined to validate the mqtt serv.
+*/
+//#define MY_MQTT_CA_CERT2
+
+/**
+ * @def MY_MQTT_CA_CERT3
+ * @brief Up to three root Certificates Authorities could be defined to validate the mqtt serv.
+*/
+//#define MY_MQTT_CA_CERT3
+
+
+/**
+ * @def MY_MQTT_FINGERPRINT
+ * @brief Server certificate validation with its fingerprint
+ *
+ * The finger print to validate the mqtt server certificate. This is less secure and less convenient
+ * than using certificate authorities.
+ * Command (3 lines...) to obtain the certificate finger print:
+ * @code
+ * $>openssl s_client -connect <hostname>:<host port> < /dev/null 2>/dev/null | \
+ *           openssl x509 -fingerprint -noout -in /dev/stdin \
+ *           awk -F= '{print $2}'
+ * @endcode
  *
+ * Example: @code
+ * const char mqtt_fingerprint [] PROGMEM = "CA:CE:2B:MD:D3:32:A3:F1:8C:73:9E:1B:B7:D5:75:4A:10:61:E4:05";
  * @endcode
  */
-//#define MY_MQTT_CA_CERT
+//#define MY_MQTT_FINGERPRINT
 
 /**
  * @def MY_MQTT_CLIENT_CERT
  * @brief Set a client certificate to send to a MQTT server that requests one over TLS connection.
  *
- * This define is mandatory when you need connect MQTT over SSL/TLS.
+ * This define is mandatory when you need connect MQTT over SSL/TLS and client certificate is requested.
  * Example: @code
  *
  * const char mqtt_client_cert[] PROGMEM = R"EOF(
@@ -1587,9 +1640,9 @@
 
 /**
  * @def MY_MQTT_CLIENT_KEY
- * @brief Set a client private key to send to a MQTT server that requests one over TLS connection.
+ * @brief Set the client private key generated with the MY_MQTT_CLIENT_CERT.
  *
- * This define is mandatory when you need connect MQTT over SSL/TLS.
+ * This define is mandatory when you need connect MQTT over SSL/TLS and client certificate is requested.
  * Example: @code
  *
  * const char mqtt_client_key[] PROGMEM = R"EOF(
@@ -2373,7 +2426,10 @@
 #define MY_MQTT_CLIENT_ID
 #define MY_MQTT_PUBLISH_TOPIC_PREFIX
 #define MY_MQTT_SUBSCRIBE_TOPIC_PREFIX
-#define MY_MQTT_CA_CERT
+#define MY_MQTT_CA_CERT1
+#define MY_MQTT_CA_CERT2
+#define MY_MQTT_CA_CERT3
+#define MY_MQTT_FINGERPRINT
 #define MY_MQTT_CLIENT_CERT
 #define MY_MQTT_CLIENT_KEY
 #define MY_SIGNAL_REPORT_ENABLED