The examples/protocols/mqtt/ssl demo cannot use TLS 1.3 to connect with MQTT broker. (IDFGH-13029) #13975

Open
robbinlu-ayla opened this issue Jun 14, 2024 · 11 comments
Labels
Status: Reviewing Issue is being reviewed

Comments

@robbinlu-ayla

I enabled TLS 1.3 via menuconfig for the examples/protocols/mqtt/ssl demo in the IDF 5.2.1 SDK, but the ssl demo still used TLS 1.2 to connect with the MQTT broker. I attached 2 packet data screenshots; please help find what the issue is. How do I enable TLS 1.3 in the IDF 5.2.1 SDK?

Attached screenshots: ClientHello, ServerHello
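A check worth running on captures like the two screenshots above, and relevant to the later question about which version the server ends up selecting: the "Version" field of a ClientHello or ServerHello (legacy_version) stays at 0x0303, i.e. TLS 1.2, even when TLS 1.3 is in use, because TLS 1.3 is signalled in the supported_versions extension (RFC 8446). The following Python parser is an added example, not code from this issue or from ESP-IDF; it reports the versions a hello record actually carries, using constructed sample hellos with zeroed random fields.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS = 43  # extension id from RFC 8446; TLS 1.3 lives here, not in legacy_version

def _extensions(buf: bytes) -> dict:
    """Split a TLS extensions block into {extension_type: extension_data}."""
    exts, pos = {}, 0
    while pos + 4 <= len(buf):
        ext_type, ext_len = struct.unpack_from("!HH", buf, pos)
        exts[ext_type] = buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts

def hello_versions(record: bytes) -> dict:
    """Parse one ClientHello/ServerHello record and report offered or negotiated TLS versions."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type, body = record[5], record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = struct.unpack_from("!H", body)[0]
    pos = 2 + 32 + 1 + body[34]                      # legacy_version, random, session_id
    if hs_type == 1:                                 # ClientHello: cipher_suites, compression_methods
        pos += 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 1 + body[pos]
    elif hs_type == 2:                               # ServerHello: one cipher_suite, one compression_method
        pos += 3
    else:
        raise ValueError("not a ClientHello/ServerHello")
    exts = _extensions(body[pos + 2:]) if pos + 2 <= len(body) else {}   # TLS 1.2 ServerHello may have none
    sv = exts.get(SUPPORTED_VERSIONS)
    if hs_type == 1:
        offered = [legacy] if sv is None else list(struct.unpack(f"!{sv[0] // 2}H", sv[1:1 + sv[0]]))
        return {"message": "ClientHello", "legacy_version": VERSION_NAMES[legacy],
                "offered": [VERSION_NAMES.get(v, hex(v)) for v in offered]}
    selected = legacy if sv is None else struct.unpack("!H", sv)[0]   # no extension: legacy_version decides
    return {"message": "ServerHello", "legacy_version": VERSION_NAMES[legacy],
            "negotiated": VERSION_NAMES.get(selected, hex(selected))}

def _hello(hs_type: int, middle: bytes, exts: bytes) -> bytes:
    """Constructed sample builder (zero random, no real keys); only the version fields matter here."""
    body = b"\x03\x03" + bytes(32) + middle + struct.pack("!H", len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a client offering 1.3 and 1.2, a server that picked 1.3, and a 1.2-only server.
CLIENT_HELLO = _hello(1, b"\x00" + b"\x00\x06\x13\x01\x13\x02\xc0\x2f" + b"\x01\x00",
                      b"\x00\x2b\x00\x05\x04\x03\x04\x03\x03")
SERVER_HELLO_13 = _hello(2, b"\x00" + b"\x13\x01" + b"\x00", b"\x00\x2b\x00\x02\x03\x04")
SERVER_HELLO_12 = _hello(2, b"\x00" + b"\xc0\x2f" + b"\x00", b"")
```

Feed hello_versions() the raw bytes of the captured ClientHello and ServerHello records (Wireshark: "Copy as Hex Stream" on the TLS record); the column that reads "TLS 1.2" in a capture is legacy_version, so only the supported_versions result tells you whether TLS 1.3 was offered or negotiated.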

@euripedesrocha
Collaborator

Hi @robbinlu-ayla, thanks for reporting.
The issue here is that the version should be set through the transport layer, and the mqtt client doesn't offer the option. I'm working on a solution to make it easier for users to set options on the transport in use.

One possible workaround is to use a custom transport in the mqtt client.
The steps would be:

  • create an SSL transport using esp_transport_ssl_init
  • set all the required options using the esp_transport API
  • pass the configured transport as an option to esp_mqtt_client_init through the configuration field network.transport

Another alternative would be to set only TLS 1.3 in menuconfig in the mbedTLS options, disabling TLS 1.2.

@robbinlu-ayla
Author

robbinlu-ayla commented Jun 28, 2024

Hi @euripedesrocha,
I tried enabling TLS 1.3 and disabling TLS 1.2 in menuconfig, then built the ssl example, but got an error. Could you try it and give us a solution for how to enable TLS 1.3?
[ ] Support TLS 1.2 protocol
[*] Support TLS 1.3 protocol

----------Error Log---------
/Users/robbin/work/modul32/bc/build/pkg/ada-esp-idf/espressif/components/esp-tls/esp_tls_mbedtls.c: In function 'set_client_config':
/Users/robbin/work/modul32/bc/build/pkg/ada-esp-idf/espressif/components/esp-tls/esp_tls_mbedtls.c:722:5: error: implicit declaration of function 'mbedtls_ssl_conf_renegotiation'; did you mean 'mbedtls_ssl_conf_legacy_renegotiation'? [-Werror=implicit-function-declaration]
722 | mbedtls_ssl_conf_renegotiation(&tls->conf, MBEDTLS_SSL_RENEGOTIATION_ENABLED);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| mbedtls_ssl_conf_legacy_renegotiation

@euripedesrocha
Collaborator

Hi @robbinlu-ayla,
I'll check the build error, but we recently merged into the mqtt client the solution for applying different settings to the SSL layer of the mqtt client.
Please check it by taking the latest master of the mqtt client and changing your event handler to something like:

static void mqtt_event_handler(void *handler_args, esp_event_base_t base,
                               int32_t event_id, void *event_data) {
  ESP_LOGD(TAG, "Event dispatched from event loop base=%s, event_id=%" PRIi32,
           base, event_id);
  esp_mqtt_event_handle_t event = event_data;
  esp_mqtt_client_handle_t client = event->client;
  int msg_id;
  esp_transport_handle_t transport = NULL;
  switch ((esp_mqtt_event_id_t)event_id) {
  case MQTT_EVENT_BEFORE_CONNECT:
    ESP_LOGI(TAG, "MQTT_EVENT_BEFORE_CONNECT");
    /* Fetch the SSL transport the client is about to use and pin it to
     * TLS 1.3; this must happen before the connection is opened. */
    transport = esp_mqtt_client_get_transport(client, MQTT_OVER_SSL_SCHEME);
    esp_transport_ssl_set_tls_version(transport, ESP_TLS_VER_TLS_1_3);
    break;
...

Our choice was to make the transport available for extra settings by adding the get function. Just be aware that the function is supposed to be called from the event handler for MQTT_EVENT_BEFORE_CONNECT.

@robbinlu-ayla
Author

Hi @euripedesrocha,
Thanks for your reply. We didn't use components/mqtt in our project.
We will update and test after getting your fix code.

@euripedesrocha
Collaborator

@robbinlu-ayla I didn't understand your comment about not using components/mqtt.

About the compilation issue when setting only TLS 1.3, below are the settings to disable TLS 1.2:

CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n
CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=n

@robbinlu-ayla
Author

@euripedesrocha
I set these config items in sdkconfig, rebuilt the project, and flashed the app bin onto an ESP32 DevKit, but the app cannot connect to our cloud server. TLS 1.3 still doesn't work.
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n
CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=n

Which esp-idf version could support TLS1.3?

@euripedesrocha
Collaborator

Hi @robbinlu-ayla,
using IDF 5.2.1 and the settings I shared, you should be able to use TLS 1.3.

If you follow the path of creating a transport and passing it to the mqtt client after setting the required configuration, it should work.

If you use the latest master of the mqtt client (we still need to move it to IDF and backport it to older versions), you will be able to use the code presented here.

Could you share the errors you are facing, so I can try to help you?

@robbinlu-ayla
Author

We are using IDF 5.2.1 with the config below:
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n
CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=n

And we didn't use the esp mqtt client component; we wrote an mqtt client (based on components/mbedtls), and our mqtt client cannot connect to our cloud with TLS 1.3.

@euripedesrocha
Collaborator

@robbinlu-ayla I'm a bit confused here, since the issue is regarding one of the examples from idf that uses the mqtt client.

I need you to share the logs with the errors that you are facing, so I can try to identify potential misconfiguration from your side.

@hawkhan

hawkhan commented Sep 18, 2024

We use a socket to connect to the service on port 443; after the connection is established, it uses mbedtls_ssl_setup to set up the context for the TLS handshake, and then uses mbedtls_ssl_handshake to handshake. According to what you mentioned, I think you want us to specify TLS 1.3 in the SSL context? I have two questions:

  1. How do I specify the TLS version with the mbedtls API?
  2. If the service only supports TLS 1.2, will it fall back to TLS 1.2 if I specify TLS 1.3?

Currently, the code is based on a tagged commit of IDF 5.2.1.

@euripedesrocha
Collaborator

Hi @hawkhan / @robbinlu-ayla,
For usage of the mbedtls API directly you can refer to this example.
The decision on the TLS version in use will be part of the TLS negotiation between client and server, so if you have both set and one of the sides only has TLS 1.2, that will be selected.
If there is a decision to use only TLS 1.3, you can use mbedtls_ssl_conf_min_tls_version to set it as the minimum.
