From 3518e171a1b7f37378fd3ecdc07665b8456742ff Mon Sep 17 00:00:00 2001
From: Holger Fleischmann
Date: Thu, 10 Dec 2020 19:07:28 +0100
Subject: [PATCH] added SSL/TLS support for MQTT
---
 include/credentials.h | 1 +
 src/TEMPLATE_secret_credentials.h | 25 +++++++++++++++++++++++++
 src/ingest.cpp | 13 ++++++++++++-
 3 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/include/credentials.h b/include/credentials.h
index f8c67c9..321d0c9 100644
--- a/include/credentials.h
+++ b/include/credentials.h
@@ -7,6 +7,7 @@ extern const char *thingspeakApiKey;
 extern const char *mqttHost;
 extern int mqttPort;
+extern const char *mqttTlsServerRootCert;
 extern const char *mqttUser;
 extern const char *mqttPassword;
 extern const char *mqttTopic;
diff --git a/src/TEMPLATE_secret_credentials.h b/src/TEMPLATE_secret_credentials.h
index 2f2f958..b028b5d 100644
--- a/src/TEMPLATE_secret_credentials.h
+++ b/src/TEMPLATE_secret_credentials.h
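Review bot: The new `extern const char *mqttTlsServerRootCert;` declaration carries no hint of the expected format or of the disable convention, and credentials.h is what the rest of the firmware includes, not the template. A one-line comment on the declaration, `// PEM root CA that signs the MQTT broker's certificate; NULL or "" disables TLS (see TEMPLATE_secret_credentials.h)`, keeps that contract next to the symbol; the PEM format is inferred from the certificate block the template ships and from the setCACert() call in ingest.cpp, so adjust the wording if another encoding is accepted.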
@@ -20,6 +20,31 @@ const char *thingspeakApiKey = "MYAPIKEY";
 // set host to NULL or empty string to disable MQTT publishing:
 const char *mqttHost = "my.mqtt.server";
 int mqttPort = 1833;
+// set MQTT server's root CA cert to NULL or empty string to disable MQTT TLS/SSL:
+const char *mqttTlsServerRootCert = R""""(
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
+-----END CERTIFICATE-----
+)"""";
 const char *mqttUser = "user";
 const char *mqttPassword = "mypassword";
 const char *mqttTopic = "home/radioactivity";
diff --git a/src/ingest.cpp b/src/ingest.cpp
index 82e0f63..0e40d72 100644
--- a/src/ingest.cpp
+++ b/src/ingest.cpp
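Review bot: The root CA baked into the template is "GlobalSign Root CA - R2" with a notAfter of 2021-12-15 (both are readable in the base64, e.g. `...WhcNMjExMjE1MDgwMDAwWj...` decodes to the UTCTime 211215080000Z), roughly a year after this commit, so anyone who copies the template unchanged will most likely see the TLS handshake start failing once that root expires or the broker's chain is re-issued under another root, and the new comment gives no hint why. The comment above the value should make the contract explicit, e.g. `// PEM root CA that signs YOUR MQTT broker's certificate (the one below is only an example and expires 2021-12-15); replace it when the broker's chain or this root changes. NULL or "" disables TLS.` The template also still says `int mqttPort = 1833;`, which looks like a typo for the plaintext default 1883; with TLS enabled brokers usually listen on a separate port (commonly 8883), so the same comment should say the port must be changed along with the cert. A root CA is public, not a secret, so it could also live in a normally checked-in header instead of the secret-credentials template, which would let the project update it without touching users' secrets.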
@@ -1,4 +1,5 @@
 #include
+#include
 #include
 #include "GeigerData.h"
@@ -8,6 +9,7 @@ const char *thingsPeakUrl = "api.thingspeak.com";
 WiFiClient mqttWifiClient;
+WiFiClientSecure mqttWifiClientSecure;
 MQTTClient mqttClient;
 bool connectWiFi()
@@ -149,13 +151,22 @@ bool connectMqtt()
 if (!mqttClient.connected())
 {
+ const bool tls = mqttTlsServerRootCert != NULL && mqttTlsServerRootCert[0] != 0;
 Serial.print("Connecting to MQTT host ");
 Serial.print(mqttHost);
 Serial.print(":");
 Serial.print(mqttPort);
 Serial.print(" user ");
 Serial.print(mqttUser);
- mqttClient.begin(mqttHost, mqttPort, mqttWifiClient);
+ if (tls) {
+ Serial.print(" with TLS ");
+ mqttWifiClientSecure.setCACert(mqttTlsServerRootCert);
+ mqttClient.begin(mqttHost, mqttPort, mqttWifiClientSecure);
+ } else {
+ Serial.print(" without TLS ");
+ mqttClient.begin(mqttHost, mqttPort, mqttWifiClient);
+ }
+
 if (mqttClient.connect("esp32-geiger-counter", mqttUser, mqttPassword))
 {
 Serial.println(" successful");
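Review bot: The TLS branch verifies the broker's chain against `mqttTlsServerRootCert` through `setCACert()`, but nothing in this hunk ensures the device clock is set first; on the ESP32 core mbedTLS normally rejects a chain whose notBefore/notAfter do not bracket the current time, so if connectMqtt() can run before time is synced (the time setup is not visible here) the first TLS connect would fail with nothing more than a false from `mqttClient.connect()`. I would put above `const bool tls = ...` the comment `// TLS is used iff a root CA is configured, and a configured CA is always verified (no setInsecure() fallback); chain validation compares the cert dates with the device clock, so sync time (NTP) before the first connect.` so the deliberate absence of a verify-less mode and the clock dependency are both on record. Minor style: `mqttTlsServerRootCert != nullptr && mqttTlsServerRootCert[0] != '\0'` reads clearer than `NULL`/`0` in a .cpp file. The rest of connectMqtt(), including the failure branch of the connect, is outside the hunk.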