Introduction: Using TLS V1.2 on ESP8266
If you are, as I am, kind of paranoid about security and find most Arduino-like tutorials substantially insecure, this tutorial is for you.
I've checked every corner of the internet looking for an ESP8266 SDK supporting TLS v1.2, to get a minimum level of security on my "things". The only one that really worked for me was the SuperHouse SDK, which is based on FreeRTOS and provides a wide range of libraries, including mbedTLS.
In order to learn something useful and fun, I thought of tweeting something from the ESP (yes, I know... there are plenty of libraries for that, but are they using a secure channel?).
For this tutorial we will need:
- ESP8266 (I'm using Adafruit Feather Huzzah)
- A Twitter account
- A ThingSpeak account
Step 1: Install SuperHouse esp-open-rtos
First of all, install the SDK by following the instructions on the SuperHouse GitHub page.
Enter the SDK root directory (mine was /opt/Espressif/esp-open-rtos) and test the installation by flashing one of the many examples; I suggest “blink”:
$ make flash -j4 -C examples/blink ESPPORT=/dev/ttyUSB0
If everything goes well, you'll see the success messages on the terminal, and as soon as flashing finishes the ESP should start running the program.
A common issue here is USB port permissions. If you hit it, change the owner of the device:
$ chown -R your_user:your_group /dev/ttyUSB0
Step 2: Get the Server Certificate
Let's first get the certificates from the server we want to connect to, using the openssl command:
$ openssl s_client -showcerts -connect api.thingspeak.com:443
The CA cert is the last cert in the chain output by the server.
Step 3: Coding
For this tutorial I simply copied the http_get_mbedtls example into a new folder, also inside the examples folder, and changed the following parameters:
#define WEB_SERVER "api.thingspeak.com"
#define WEB_PORT "443"
#define WEB_URL "https://api.thingspeak.com/apps/thingtweet/1/statuses/update?api_key=YOUR_API_KEY&status=YOUR_MESSAGE"
#define WIFI_SSID "YOUR_SSID"
#define WIFI_PASS "YOUR_PASSWORD"
In the file cert.c I edited the server_root_ca variable to hold the server certificate we collected in Step 2.
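The certificate from Step 2 has to end up in cert.c as a C string. The script below is an added example, not part of the original tutorial or of esp-open-rtos: it picks the last certificate from the s_client output and prints it as a string literal. The function names and the sample input are constructed, and it assumes server_root_ca is a plain NUL-terminated PEM string.

```shell
#!/bin/sh
# Added example: convert `openssl s_client -showcerts` output into a C string.

# Print the last PEM certificate block found on stdin.
last_pem_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inside = 0; last = buf }
        END                           { printf "%s", last }
    '
}

# Emit the PEM on stdin as a C string literal assigned to the variable named $1.
# Assumption: cert.c stores the PEM as one NUL-terminated string.
pem_to_c_string() {
    awk -v name="$1" '
        { sub(/\r$/, ""); lines[++n] = $0 }
        END {
            printf "const char *%s =\n", name
            for (i = 1; i <= n; i++)
                printf "    \"%s\\n\"%s\n", lines[i], (i == n ? ";" : "")
        }
    '
}

# Constructed sample shaped like s_client output; bodies are placeholders, not real certificates.
sample_s_client_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = leaf.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
TEVBRi1DT05TVFJVQ1RFRA==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q0EtQ09OU1RSVUNURUQ=
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Live use (needs network):
#   openssl s_client -showcerts -connect api.thingspeak.com:443 </dev/null 2>/dev/null |
#       last_pem_cert | pem_to_c_string server_root_ca
sample_s_client_output | last_pem_cert | pem_to_c_string server_root_ca
```

Before pasting the result into cert.c, inspect the extracted certificate with `openssl x509 -noout -subject -issuer -fingerprint -sha256` and compare the fingerprint with the value the CA publishes, because the chain arrived over the same connection the device is supposed to authenticate.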
That's pretty much it; the code is self-explanatory thanks to its comments.
Now we just build the project and flash it to the ESP8266 using the command from Step 1 (don't forget to change the folder from blink to yours).