Is there any support for HTTPS (SSL) in esp8266? #2733

Closed

jmiguels opened this issue Dec 4, 2016 · 20 comments

Comments

@jmiguels

jmiguels commented Dec 4, 2016

I have a domotic project and I want to access it from the internet in a secure way. Currently I am using HTTP just for testing.
I have a gateway between the internet and my RF24 home network, built using a WEMOS.

Is there any support for HTTPS (SSL) in esp8266?
Can anyone help me with the correct library to use?

Thanks in advance

jmiguels

@olileger

olileger commented Dec 4, 2016

Hi

Fortunately you can use the WiFiClientSecure class instead of the WiFiClient one.
This should allow you to connect to a secure endpoint and check the certificate thumbprint by using the verify function.

Olivier.
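
The fingerprint check Olivier describes, as an added example that is not part of this issue or of the ESP8266 Arduino core's own examples. It is written against the BearSSL-based WiFiClientSecure API (setFingerprint) that later replaced the older axTLS verify() call in the core; the Wi-Fi credentials, host, path and fingerprint value are placeholders you must replace:

```arduino
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>

// Assumed placeholders, not values from this issue.
const char* WIFI_SSID = "your-ssid";
const char* WIFI_PASS = "your-password";
const char* HOST      = "example.com";   // remote HTTPS endpoint
const uint16_t PORT   = 443;

// SHA-1 fingerprint of the server's leaf certificate. Placeholder: obtain the real
// value with
//   openssl s_client -connect example.com:443 </dev/null | openssl x509 -noout -fingerprint -sha1
// and paste it here. A pin on the leaf certificate must be updated whenever the
// server renews its certificate; pinning the CA via setTrustAnchors() avoids that
// but then also needs a correct clock (configTime) for the validity-period check.
const char FINGERPRINT[] = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00";

// Performs one GET over a verified TLS connection. Returns false if the
// handshake or the certificate check fails, so the caller never sends data
// to an unverified peer.
bool fetchStatus() {
  BearSSL::WiFiClientSecure client;

  // Weak setting: disables every certificate check, so anyone on the path can
  // impersonate HOST. Kept here only to show what not to ship.
  // client.setInsecure();

  // Corrected setting: the handshake fails unless the leaf certificate's
  // SHA-1 fingerprint matches FINGERPRINT.
  client.setFingerprint(FINGERPRINT);

  // Heap is the scarce resource for TLS on the ESP8266. Ask the server to agree
  // to 512-byte TLS records (max_fragment_length) and only then shrink the
  // default 16 KiB receive buffer; shrinking it against a server that did not
  // agree makes large records fail.
  if (client.probeMaxFragmentLength(HOST, PORT, 512)) {
    client.setBufferSizes(512, 512);
  }

  Serial.printf("free heap before TLS: %u\n", ESP.getFreeHeap());
  if (!client.connect(HOST, PORT)) {
    char err[80];
    client.getLastSSLError(err, sizeof(err));
    Serial.printf("TLS connect to %s failed: %s\n", HOST, err);
    return false;
  }

  client.print("GET /status HTTP/1.1\r\nHost: ");
  client.print(HOST);
  client.print("\r\nConnection: close\r\n\r\n");

  // Echo the response; yield() keeps the soft WDT fed while we wait.
  while (client.connected() || client.available()) {
    if (client.available()) {
      Serial.write(client.read());
    }
    yield();
  }
  client.stop();
  return true;
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) {
    delay(250);
  }
  fetchStatus();
}

void loop() {}
```

The important line is the one that is commented out: setInsecure() makes the connection encrypted but not authenticated, which is what most "it finally connects" workarounds on the ESP8266 quietly do. Check ESP.getFreeHeap() before the handshake; a connect that fails here on an otherwise working sketch is usually memory, not the certificate.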

@bebo-dot-dev

@jmiguels when you say:

"I want to access from the internet in a secure way"

..are you saying you're running a HTTP server on your widget and you want to run it as HTTPS / over TLS to enable you to access it securely from a client over the internet?

@jmiguels
Author

jmiguels commented Dec 4, 2016

Thank you Olivier (olileger) and jjssoftware for your reactions to my post,
What I am running on my WEMOS device is a web server, and I want to access it from the Internet using my App (client). Instead of accessing it from my App (or from a browser) via HTTP, I want to access my server via HTTPS.
This is my issue at this moment.

Best regards
José Miguel Santos

@bebo-dot-dev

ok cool that's clear thanks, please see open issue #1740

There is TLS support built into ESPAsyncTCP which would suggest that ESPAsyncWebServer also has TLS support since it's built on ESPAsyncTCP. I must say I've no experience of implementing either of these so I'm unable to comment on stability. @me-no-dev might have more info about how to get this going / if it's possible.

Another option might be to stick with HTTP but offload TLS onto some other box / device external to your WEMOS device. This option does sort of swerve the problem completely but it does work and it's also stable. If this sounds like a viable option, take a look here:

@me-no-dev
Collaborator

I do not recommend using TLS in a server. While I have it implemented and working in my async libs, it's turned off by default and requires a define switch in ESPAsyncTCP to turn TLS on. What I can tell you is that it's not at all possible to serve more than one client at a time because the ESP does not have enough memory and you will get into trouble quite fast. I have even artificially limited the clients that get handled by the server to one if TLS is on.

@bebo-dot-dev

@me-no-dev thanks for that, it sounds limited but great work nonetheless. Perhaps TLS offload to some other box/device is indeed the best option to solve this problem. It's what I do anyway ;)

@olileger

olileger commented Dec 4, 2016

Thanks for these clarifications.
In that case my suggestion is out of scope, as I was assuming you were trying to reach a TLS endpoint from your WeMoS.

+1 for offloading SSL from a public endpoint exposed by your network. You should also implement a little bit of routing (port forwarding, path-based routing...depending on your needs).
You could easily do this using a layer 7 load balancer/reverse proxy like HAProxy or NGinx.

Olivier.
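
The offload setup Olivier and me-no-dev describe, as an added nginx configuration that is not from this issue or from either project. It terminates TLS on a LAN host (a Raspberry Pi, in the thread's case) and proxies plain HTTP to the ESP8266; the hostname, certificate paths and the ESP's address 192.168.1.50 are assumptions:

```nginx
# Plain HTTP only redirects; the application is never served over port 80.
server {
    listen 80;
    server_name home.example.com;           # assumed public hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name home.example.com;

    # Certificate and key from your CA (paths assumed; Let's Encrypt layout shown).
    ssl_certificate     /etc/letsencrypt/live/home.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # The ESP8266 behind this proxy has no authentication of its own, so the
    # proxy supplies it. Create the file with: htpasswd -c /etc/nginx/htpasswd <user>
    auth_basic           "home gateway";
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {
        # Plain HTTP to the ESP8266 on the LAN (address assumed).
        proxy_pass http://192.168.1.50:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # The ESP serves one request at a time; do not let a slow client hold it.
        proxy_read_timeout 10s;
        proxy_connect_timeout 3s;
    }
}
```

The part the config cannot express is the one that matters most: only port 443 of the proxy host may be forwarded on the router. If the ESP's port 80 is also reachable from outside, the proxy's TLS and Basic auth are bypassed entirely. Check from a host outside the LAN that a request to the public address on port 80 gets the redirect from nginx, not a page from the ESP.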

@me-no-dev
Collaborator

I personally do it with nginx :) If you need only one client to connect to a remote SSL endpoint (that is not an ESP8266), you can surely use TLS directly on the device, but still a lot of memory will be eaten and you could easily trigger the WDT or a memory issue.

@bebo-dot-dev

nginx FTW!

@jmiguels
Author

jmiguels commented Dec 4, 2016

Thank you Joe Lippa for your article about nginx!
I am a little disappointed, since I thought I would be able to implement all this in my WEMOS (a little naïf too…); anyway, I will try to run nginx, probably on my Raspberry Pi, since it is a nice workaround to this issue.
Thanks to all contributors
Regards
José Miguel Santos

@bebo-dot-dev

You're welcome I hope it helps.

As an aside, but sort of related, I've seen WDT reset issues when attempting to use WiFiClientSecure to make secure outbound calls in the past, and I'm sure the problems I saw were related to being right at the edge of available heap memory on my ESP12.

Everything TLS related seems to be right on the edge of being able to work reliably on the ESP8266. I hope we'll get there one day with the ESP32 :)

@davisonja

Interestingly, I've just run into issues with outbound secure calls. It looked like memory corruption in the heap and only appeared when the code started 'doing more' (I've got it running perfectly happily on a simple task).

@devyte
Collaborator

devyte commented Oct 6, 2017

Closing due to off-topic (question instead of issue).

devyte closed this as completed Oct 6, 2017

@rickyzhang82

@me-no-dev Thanks for your work. But I checked the ESP32 implementation. I don't see SSL enabled, even though it is considered a more powerful chip than the ESP8266. Any reason why? Thanks!

@Misiu

Misiu commented Aug 7, 2018

@me-no-dev any hints about that? I'm considering the ESP32 for my next project because it is more powerful, but if TLS support is the same as on the ESP8266 then I'll stay with the ESP8266.

@igrr
Member

igrr commented Aug 7, 2018

Since the time this issue was opened, some things have changed. ESP8266 Arduino includes the BearSSL library, which is much more feature complete than axTLS. It is also more robust because it doesn't rely on heap memory allocations. If you don't have enough memory to handle the request, it will fail gracefully instead of panicking. Please check the included BearSSL-based examples, client and server side.

ESP32 Arduino uses mbedTLS library which is also very feature complete and regularly updated.
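
A minimal BearSSL-based HTTPS server on the ESP8266, added here as an example and not copied from the core's bundled examples or from this issue. It assumes the ESP8266WebServerSecure class the core ships with BearSSL; the Wi-Fi credentials, the Basic-auth user and password, and the certificate and key PEM blocks are placeholders you must generate and fill in yourself:

```arduino
#include <ESP8266WiFi.h>
#include <ESP8266WebServerSecure.h>

// Assumed placeholders, not values from this issue.
const char* WIFI_SSID = "your-ssid";
const char* WIFI_PASS = "your-password";
const char* HTTP_USER = "admin";
const char* HTTP_PASS = "change-me";   // Basic auth, so it must only ever travel over TLS

// Server certificate and private key in PEM form. Placeholders: generate your own with
//   openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=gateway.local" \
//     -keyout key.pem -out cert.pem
// and paste the file contents between the markers. The certificate is self-signed,
// so the app or browser must pin or explicitly trust it; a 2048-bit RSA key is a
// reasonable ceiling for handshake time and heap on this chip.
static const char serverCert[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
paste cert.pem contents here
-----END CERTIFICATE-----
)EOF";

static const char serverKey[] PROGMEM = R"EOF(
-----BEGIN PRIVATE KEY-----
paste key.pem contents here
-----END PRIVATE KEY-----
)EOF";

BearSSL::ESP8266WebServerSecure server(443);
BearSSL::ServerSessions serverCache(5);   // resumed sessions skip the full RSA handshake

void handleRoot() {
  // Authenticate before touching any gateway logic (relays, RF24 traffic, etc.).
  if (!server.authenticate(HTTP_USER, HTTP_PASS)) {
    server.requestAuthentication();
    return;
  }
  server.send(200, "text/plain", "gateway ok");
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) {
    delay(250);
  }

  // Load the server credential; the X509List and PrivateKey objects must outlive
  // the server, hence allocated once here and never freed.
  server.getServer().setRSACert(new BearSSL::X509List(serverCert),
                                new BearSSL::PrivateKey(serverKey));
  server.getServer().setCache(&serverCache);

  server.on("/", handleRoot);
  server.onNotFound([]() { server.send(404, "text/plain", "not found"); });
  server.begin();

  // No plain-HTTP listener is started: port 80 simply does not answer.
  Serial.printf("HTTPS listening on %s:443, free heap %u\n",
                WiFi.localIP().toString().c_str(), ESP.getFreeHeap());
}

void loop() {
  // One TLS client at a time. Each session reserves a 16 KiB receive buffer plus
  // handshake state out of the ESP8266's heap; when that is not available BearSSL
  // fails the connection instead of panicking, so the sketch keeps running.
  server.handleClient();
}
```

Test it from a laptop on the same LAN with curl against the printed address, first without credentials (expect 401) and then with them; use curl's --pinnedpubkey or --cacert with the generated cert.pem rather than -k, so the test exercises the same verification the app will have to do. Expect a visible pause of a second or more on the first handshake; subsequent requests that hit the session cache are much faster.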

@Misiu

Misiu commented Aug 7, 2018

@igrr thanks for the quick update.
I'll definitely look into those samples :)

@jmiguels
Author

jmiguels commented Aug 7, 2018

Thanks Ivan! I will take a look at that library.

@mehotkhan

Read this:
cwi-dis/iotsa#27

@rucko24

rucko24 commented Jul 26, 2022
