laitimes
return

Explain ESP32 SSL/TLS applications

author:Yibaite Internet of Things application

Introduction to SSL/TLS

The SSL protocol works between the transport layer and the application layer protocol to provide security support for data communication. TLS 1.0 is a new protocol developed by the Internet Engineering Task Force (IETF), which is based on the SSL 3.0 protocol specification.

The main services provided by the SSL/TLS protocol are:

(1) Authenticate the client and server to ensure the legitimacy of the data sending and receiving objects;

(2) encrypt data to ensure the integrity of the packet;

(3) Ensure the correctness of the data and avoid data tampering during transmission.

Key Negotiation Process - TLS Handshake

Explain ESP32 SSL/TLS applications

1ClientHello

During the TLS handshake phase, the client first provides the following information to the server:

(1) Supported protocol versions, such as TLS 1.1

(2) Client-generated random numbers

(3) Encryption methods supported by the client, such as DES, 3DES, AES, etc

(4) Supported compression methods

2 Server Response (SeverHello)

After the server receives the client Hello from the client, the server's response contains the following content:

(1) Determine the TLS protocol version that needs to be used in the subsequent communication process

(2) A random number generated by a server that is later used to generate a "conversation key"

(3) Server-generated random numbers

(4) Server certificate

3 客户端回应(Certificate Verify)

(1)Client Key Exchange

If the server needs to verify the client, after the client receives the server Hello message from the server, it needs to send the client's certificate to the server and ask the server to verify the legitimacy of the client.

(2)Certificate Verify

Next, the client needs to check the server's certificate, and then send the following three pieces of information to the server:

(1) A random number encrypted with the server's public key

(2) Notification of encoding change, indicating that subsequent messages will be sent with an encryption method and key agreed upon by both parties

(3) Notification of the completion of the client handshake (i.e., the hash value of all previous communication contents)

4 Server Finish

The server will use the negotiated key to encrypt a finish message and send it to the client, and if the client can parse it correctly, the negotiation will be successful, and the subsequent application layer data can be sent and received normally.

5. Application Data Transfer

Once all the handshake phases are complete, it's time to start transferring the app data.

Create an SSL/TLS project on ESP32

You can refer to IDF's example projects such as "https_mbedtls" and "mqtt_ssl_example_test".

In the process of TLS connection, the application layer development needs to focus on the following:

(1) CA certificate, TLS needs to use the certificate of the server's certificate issuing authority (CA) (i.e., the root certificate) when verifying the server certificate, the certificate is the certificate issued by the CA itself, and the certificate is issued to the server through the certificate, and the client verifies the certificate issued by the server through the root certificate. The browser has a built-in root certificate chain, so we don't need to manually add certificates when surfing the Internet through the browser. ESP32 can optionally compile the SDK's built-in root certificate chain into the program, so that you don't need to specify the root certificate when facing most servers, but if you want to add or update the certificate, you need to download a new root certificate bundle and compile it before the updater can replace it. You can also configure the CA certificate of the destination server.

(2) Client certificate and public key, if you want to use TLS two-way authentication, you need to issue the client certificate and client public key from the server, if the server wants to verify the client certificate in ESP32, you only need to fill in the certificate and key generated by the server for the client in the corresponding position of the TLS library.

What needs to be added about SSL/TLS for ESP32 is:

(1) crt_bundle_attach and esp_crt_bundle_attach, when initializing the esp_tls_cfg_t structure, if the function of the crt_bundle_attach is set to esp_crt_bundle_ attach, the TLS library will find and verify the server certificate from the CA bundle compiled into the code area, without the need to manually set it, please refer to the Espressif System manual for details (if you use the certificate bundle, the program will be about 60k larger)

esp_tls_cfg_t cfg = {

.clientcert_buf = (const unsigned char *) client_cert_pem_start,

.clientcert_bytes = sizeof(client_cert_pem_start),

.clientkey_buf = client_key_cert_pem_start,

.clientkey_bytes = sizeof(client_key_cert_pem_start),

.crt_bundle_attach = esp_crt_bundle_attach,

};

(2)若要跳过服务器证书验证,通过 idf.py menuconfig 配置使能 Component config->ESP-TLS->[*] Allow potentially insecure options->[*] Skip server ... ,并且 tls config 结构体中去掉 cert_pem 证书。

(3) Two-way certificate verification of HTTPS, with the issue of self-signed certificates.

(1) The server needs to be configured with a trusted certificate;

(2) The client's certificate needs to be self-signed by the client and generate a certificate and key for the client;

(3) skip_common_name, you can skip the verification of the "CN" field of the server certificate, if you enable this setting, it may be helpful for the server self-certificate.

Serial Server_Data Transmission Radio_4G DTU_ Remote Control Switch_LoRa/ZigBee/WiFi/Bluetooth Module-Chengdu Yibaite Electronic Technology Co., Ltd

Previous: What kind of super unpopular job have you ever done?Netizen: I went to Antarctica to help penguins for 30,000 yuan in January, and I was shocked
Next: Text Wallpaper Issue 800