Introduction: Using TLS V1.2 on ESP8266

If you are, as I am, kind of paranoid about security and find most Arduino-like tutorials substantially insecure, this tutorial is for you.

I've checked every corner of the internet looking for an ESP8266 SDK supporting TLS v1.2, for a minimum of security on my "things". The only one that really worked for me was the SuperHouse SDK, based on FreeRTOS, which provides a wide range of libraries, including mbedTLS.

In order to learn something useful and fun, I thought of tweeting something from the ESP (yes, I know... there are plenty of libraries for that, but are they using a secure channel?).

For this tutorial we will need:

We'll use ThingTweet from the ThingSpeak API; you can create an account free of charge. It has some usage limits, but it is enough for home projects.

Step 1: Install SuperHouse esp-open-rtos

First of all, install the SDK by following the instructions on the SuperHouse GitHub.

Enter the SDK root directory (mine was /opt/Espressif/esp-open-rtos) and test the installation by flashing one of the many examples; I suggest “blink”:

$ make flash -j4 -C examples/blink ESPPORT=/dev/ttyUSB0

If everything goes well, you'll see the success messages on the terminal, and as soon as flashing finishes the ESP should start running the program.

A common issue here is USB port permissions; if you run into it, change the port's owner:

$ chown -R your_user:your_group /dev/ttyUSB0

Step 2: Get the Server Certificate

Let's first get the certificates from the server we want to connect to, using the openssl command:

$ openssl s_client -showcerts -connect api.thingspeak.com:443

The CA cert is the last cert in the chain output by the server.

Step 3: Coding

For this tutorial I simply copied the http_get_mbedtls example into a new folder, also under the examples folder, and changed the following parameters:

#define WEB_SERVER "api.thingspeak.com"

#define WEB_PORT "443"

#define WEB_URL "https://api.thingspeak.com/apps/thingtweet/1/statuses/update?api_key=YOUR_API_KEY&status=YOUR_MESSAGE"

#define WIFI_SSID "YOUR_SSID"
#define WIFI_PASS "YOUR_PASSWORD"


In the file cert.c I edited the server_root_ca variable to hold the server certificate we collected with openssl in the previous step.
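One way to pull the last certificate out of the s_client output and format it for cert.c, as an added example that is not part of the original tutorial. The helper names last_cert, pem_to_c_literal and sample_chain are hypothetical, the sample chain is constructed placeholder data, and the one-literal-per-line layout is an assumption about how cert.c stores the PEM text.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Helper names are hypothetical.

# Constructed stand-in for `openssl s_client -showcerts` output.
# The base64 bodies are placeholders, not real certificates.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = leaf.example
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example CA
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Print only the last PEM certificate block found on stdin.
# Exits non-zero when the input holds no complete certificate.
last_cert() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF input
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { if (inside) last = buf; inside = 0 }
        END { if (last == "") exit 1; printf "%s", last }
    '
}

# Wrap each PEM line as a C string literal ending in \n, so the output can be
# pasted as the initializer of server_root_ca in cert.c.
pem_to_c_literal() {
    sed -e 's/^/"/' -e 's/$/\\n"/'
}

# Offline demo on the constructed chain.
sample_chain | last_cert | pem_to_c_literal

# Against the tutorial's server (needs network access):
#   openssl s_client -showcerts -connect api.thingspeak.com:443 </dev/null \
#       | last_cert | pem_to_c_literal
```

Before pasting the result, inspect the extracted PEM with `openssl x509 -noout -subject -issuer -fingerprint -sha256` and compare the fingerprint with the one the CA publishes, since the chain was fetched over a connection that nothing had authenticated yet.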

That's pretty much it; the code is self-explanatory, with comments.

Now we just build the project and flash it to the ESP8266 using the make flash command from the installation step (don't forget to change the folder from blink to yours).