SSLClientParameters mTLS not at beginning but at runtime

[simogaspa84]

Hi @khoih-prog ..

I hope you are fine and well.
I have already tried your lib and it is working well but i have the need to call this istruction..

SSLClientParameters mTLS = SSLClientParameters::fromPEM(my_cert, sizeof my_cert, my_key, sizeof my_key);

not at the beginning of the module but at runtime inside another function.

I explain you why i need to do this it is because i want to read from a txt file the certificates and keys for the connection instead of change the code manually for every device that is deployed.

But when i try to do this

uint8_t setup_ethernet(void)
{
  uint8_t result_connection = 0;

  /*retrieve security info for aws from memory*/
  Load_secrets_from_memory();

  SSLClientParameters mTLS = SSLClientParameters::fromPEM(my_cert, sizeof my_cert, my_key, sizeof my_key);

  /*authentication on aws*/
  ethClientSSL.setMutualAuthParams(mTLS);

  Ethernet.init(ETH_CS, &ethernetSPI, ETH_SCLK, ETH_MISO, ETH_MOSI);
  Serial.begin(115200);
  while (!Serial)
  {
    ; // wait for serial port to connect. Needed for native USB port only
  }
  Ethernet.begin(mac, TIME_OUT_WAITING_ETH_CABLE);
  // Check for Ethernet hardware present
  if (Ethernet.hardwareStatus() == EthernetNoHardware)
  {

    result_connection = 1;
    Serial.println("Ethernet shield was not found.  Sorry, can't run without hardware. :(");

    while (true)
    {
      delay(1); // do nothing, no point running without Ethernet hardware
    }
  }
  if (Ethernet.linkStatus() == LinkOFF)
  {
    result_connection = 1;
    Serial.println("Ethernet cable is not connected.");
  }

  Serial.print("Joined LAN with IP ");
  Serial.println(Ethernet.localIP());
  Serial.flush();

  setup_time();

  // Create a message handler
  mqtt_istance.setCallback(callback);

  return result_connection;
}

my esp32 is crashing and restarting..

I wonder if in your opinion it is possible to call that instruction once i have read the txt file..

Thanks a lot for your help

[khoih-prog]

HI @simogaspa84

Have a look at the solution in Dynamic Certificates #34.

I also wonder why you have to go the hard way, as ESP32 already have all the latest Root CA Certs stored inside the core firmware.

For other boards, adapt the ESP solution to store and use the Root CA Certs, not the individual Certs of every site.

You also must implement OTA to update the on-the-field device as the CA certs would expire every several years.

I'm afraid I won't have time to help you here. Try to do more research yourself.

Good Luck,

[simogaspa84]

Hi @khoih-prog the point is not to store every cert for every site... The point is that that when you work with aws and you create a device for communicating with the cloud with mqtts.. every device created on aws portal has a different device certificate and a different private key for encryption.
So so for deploying many devices we have to store quickly the device certificates and key for each iot board.
I cannot ask to change manually the code for every device that is deployed so it is better and faster to load in the spiff of the esp32 all the secrets and then run time read the memory and creare the mTLS object.

[khoih-prog]

Another suggestion for you, as you're using ESP32 + Ethernet, is to use my brand-new LwIP-based libraries

1. WebServer_ESP32_W5500 for ESP32
2. WebServer_ESP32_ENC for ESP32
3. WebServer_ESP32_SC_W5500 for ESP32S2/S3/C3
4. WebServer_ESP32_SC_ENC for ESP32S2/S3/C3

with these following benefits

1. Ability to use Async in the future
2. Ability to use ESP32-built-in TLS/SSL of WiFi library and the core. You don't need to use this cumbersome EthernetWebServer_SSL, designed for boards other than ESP32/ESP8266

The Root CA Certs are already included / updated in the core, and you don't need to use the old way to get individual SSL Certs for each site. So every board can use the same firmware, you don't need to modify for each board.

Try first to use WiFi SSL to be familiar with the powerful feature, before using Ethernet. The steps to move to Ethernet, from WiFi, is very simple and easy.

Also check these libraries, based on those

1. AsyncWebServer_ESP32_ENC
2. AsyncWebServer_ESP32_W5500
3. AsyncWebServer_ESP32_SC_ENC
4. AsyncWebServer_ESP32_SC_W5500

and many more for you to test

[simogaspa84]

hi @khoih-prog thanks for sharing your new libs... I cannot wait them to test them in my project... I
I don't see issues for mqtt + tls for connection with aws (wifi and ethernet)... Am I wrong?
Thanks a lot and happy holidays

[khoih-prog]

every device created on aws portal has a different device certificate and a different private key for encryption.

It seems that you can use something such as

1. AsyncESP32_Ethernet_Manager and Async_ConfigOnSwitchFS example
2. ESPAsync_WiFiManager and Async_ConfigOnDRD_FS_MQTT_Ptr_Complex example

and user can modify the Credentials on-the-fly