Garage Door Opener – So, the ESP8266 does support TLSv1.2
I was digging around the ESP8266 GitHub page, as there was an announcement that it now supports CA verification (it ALMOST does – there is a regression bug that means it’s still not working), but I noticed that the last release (2.3.0 at time of writing) is actually quite old – it was released in June.
I was going through recent commit messages, and noticed there had been quite a bit of work around integrating axTLS, which is a tiny TLS library specifically designed for computers with small memory footprints (AKA microcontrollers).
This piqued my interest.
It has been said that the ESP8266 doesn’t support TLSv1.2 because of a buggy implementation in the firmware, which I had verified earlier in testing, and hence I had configured MQTT to force TLSv1.1.
By including axTLS as part of the Arduino library, and not relying on the ESP8266 API, I wondered if TLS1.2 was now supported.
Turns out it is!
It does mean we’ll have to use an “unstable” version of the ESP8266 library. This means other stuff might not work, we need to install it using git, and it’s up to us to keep everything up to date.
Thankfully, it isn’t that difficult to install the library using git.
First, remove the existing ESP8266 library using the board manager – find it using the search function, then hit remove.
Now, you can manually install – instructions are here. Don’t forget to re-select the right board and to set the CPU frequency to 160 MHz!
Now, that regression bug. It stops client certificates from being sent for verification, which is bad for us, so we’ll need to roll back a couple of commits. To do that:
cd ~/Arduino/hardware/esp8266com/esp8266
git checkout -b pre-axtls-2 d6e38f0abd2e1bf796a32e8b1a24d37fdc7daaf8
This creates a new branch based on an older revision that still seems to work OK.
Modify mosquitto to use TLSv1.2
This one’s pretty easy: remove the tls_version line
#tls_version tlsv1.1
Then remove
"--tls-version", "tlsv1.1",
from both mosquitto-client/Dockerfile.pub and mosquitto-client/Dockerfile.sub.
Run
docker-compose build
and start the server with
docker-compose up
You should see “Hello world” in there somewhere. Next up, the Arduino side of things…
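The steps above as a small script, an added example rather than anything from the original post: it applies the two config edits, checks that no TLSv1.1 pin is left behind, and includes an optional openssl handshake check to confirm the broker really negotiates TLSv1.2. The mosquitto.conf path and the openssl arguments are assumptions; only the Dockerfile paths and the commit hash come from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the two edits
# described above and checks no TLSv1.1 pin remains. The mosquitto.conf path
# and the openssl arguments are assumptions; only the Dockerfile paths and the
# commit hash come from the post.
set -eu

# Step 1 of the post: branch the ESP8266 core off the pre-regression commit.
checkout_known_good() {
    git -C ~/Arduino/hardware/esp8266com/esp8266 \
        checkout -b pre-axtls-2 d6e38f0abd2e1bf796a32e8b1a24d37fdc7daaf8
}

# Drop any tls_version line (commented or not) so the broker negotiates the
# highest protocol both ends support instead of being held at 1.1.
unpin_mosquitto_conf() {
    sed -i.bak -E '/^[[:space:]]*#?[[:space:]]*tls_version([[:space:]]|$)/d' "$1"
}

# Strip the "--tls-version", "tlsv1.x", pair from a Dockerfile CMD array.
unpin_dockerfile() {
    sed -i.bak -E 's/"--tls-version",[[:space:]]*"tlsv1\.[0-9]",[[:space:]]*//g' "$1"
}

# Succeeds only if none of the given files still names a TLS version pin.
check_unpinned() {
    ! grep -qE 'tls_version|--tls-version' "$@"
}

# Live check once the broker is up (needs network; not run by the tests): a
# completed handshake forced to -tls1_2 proves the broker now accepts TLSv1.2.
verify_tls12() {
    # $1 = host:port, $2 = CA certificate file (placeholders)
    openssl s_client -connect "$1" -CAfile "$2" -tls1_2 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1\.2'
}

if [ "${1:-}" = "apply" ]; then
    conf=mosquitto/config/mosquitto.conf   # assumed path
    unpin_mosquitto_conf "$conf"
    unpin_dockerfile mosquitto-client/Dockerfile.pub
    unpin_dockerfile mosquitto-client/Dockerfile.sub
    check_unpinned "$conf" mosquitto-client/Dockerfile.pub mosquitto-client/Dockerfile.sub
    echo "TLS pin removed; now run: docker-compose build && docker-compose up"
fi
```

Run it as `sh unpin.sh apply` from the directory holding the compose project, then `verify_tls12 host:8883 ca.crt` once the broker is up.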