mirror of https://github.com/arendst/Tasmota.git
Updated Securing your IoT from hacking (org)
parent
d3e78e08ec
commit
7d1aac28cb
@ -122,55 +122,5 @@ How to generate the certificates in mosquitto please look at:
+ [[http://lukse.lt/uzrasai/2015-02-internet-of-things-messaging-mqtt-1-installing-mosquitto-server/][Internet of Things messaging MQTT with TLS]]
+ [[https://mcuoneclipse.com/2017/04/14/enable-secure-communication-with-tls-and-the-mosquitto-broker/][Enable Secure Communication with TLS and the Mosquitto Broker]]
*** As of version 6.5.0.15, there are major changes to TLS to make it lighter in memory and easier to use. There are breaking changes in the way Fingerprints are calculated, read below.
At the TASMOTA configuration, you need to enable to use the TLS Version. This is done by enable USE_MQTT_TLS and change the port number to 8883. Additionally, you should change the MQTT_FINGERPRINT.
The fingerprint is now calculated over the server's Public Key and no more its Certificate. The good news is that Public Key tend to change far less often than certificates, i.e. Letscencrypt triggers a certificate renewal every 3 months, the Public Key fingerprint will not change after a certificate renewal. The bad news is that there is no simple command to retrieve the server's Public Key fingerprint.
So to simplify your task, we have added two more options: 1/ auto-learn of fingerprint, 2/ disabling all-together the fingerprint validation.
*Option 1*: Fingerprint auto-learn. If set, Tasmota will automatically learn the fingerprint during the first connection and will set the Fingerprint settings to the targer fingerprint. To do so, use one of the following commands:
#+BEGIN_EXAMPLE
MqttFingerprint1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#+END_EXAMPLE
or
#+BEGIN_EXAMPLE
MqttFingerprint2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#+END_EXAMPLE
*Option 2*: Disable Fingerpring. You can completely disable server fingerprint validation, which means that Tasmota will not check the server's identity. It means that your traffic can possibly be intercepted and read/changed. This should be used only on trusted networks, i.e. with an MQTT on your local network. YOU HAVE BEEN WARNED!
To do so, set one of the Fingerprints to all 0xFF:
#+BEGIN_EXAMPLE
MqttFingerprint2 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
#+END_EXAMPLE
*** Limitations:
Starting with 6.5.0.15, AxTLS has been replaced with [[https://bearssl.org/][BearSSL]]. This allows a much lighter use of memory - typically 6.0k constantly, and an additional 6.8k during TLS connection. This makes TLS now compatible with Web and Hue/Wemo emulation.
The main limitations are:
- Your SSL/TLS server must support the TLS 1.2 and the ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher - which is the case with default Mosquitto configuration
- The server certificate must have an RSA private key (max 2048 bits) and the certificate must be signed with RSA and SHA256 hash. This is the case with default Letsencrypt certificates.
- Your SSL/TLS should support TLS 1.2 MFLN to limit buffer to 1024 bytes. If MFLN is not supported, it will still work well as long as the server does not send any message above 1024 bytes (which should be ok, since Tasmota cannot parse MQTT messages above 1024 bytes)
*** Below are the instructions of pre-6.5.0.15 versions.
Before v 6.5.0.15: to the value you're getting from the mosquitto server. To get the fingerprint you can use the following command on your MQTT server:
#+BEGIN_EXAMPLE
openssl s_client -connect localhost:8883 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
#+END_EXAMPLE
*Note:* The openssl output will most likely be a Colon separated fingerprint
#+BEGIN_EXAMPLE
A5:02:FF:13:99:9F:8B:39:8E:F1:83:4F:11:23:65:0B:32:36:FC:07
#+END_EXAMPLE
Tasmota requires the fingerprint expressed as 20 space separated bytes
#+BEGIN_EXAMPLE
A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07
#+END_EXAMPLE
Note that when you create your certificate, you should make sure to set the CN field to the value of MQTT_HOST. Setting your CN to a domain name but your MQTT_HOST to an IP address will cause the signature verification on the sonoff to fail.
** Tasmota detailed TLS configuration moved is now here: [[../TLS][SSL/TLS on Tasmota]]
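Review bot: the text this hunk drops (55 lines down to 5 per the `@ -122,55 +122,5 @@` header) carries two security-relevant warnings that should be confirmed to exist on the page the new pointer `[[../TLS][SSL/TLS on Tasmota]]` sends readers to: that setting a fingerprint to all `FF` (the `MqttFingerprint2 FF FF ... FF` example with its "YOU HAVE BEEN WARNED" note) switches off server identity validation entirely, and that the certificate CN must equal `MQTT_HOST` or verification on the device fails. If the ../TLS page does not yet carry both, keep a one-line summary of each here rather than letting them disappear with this hunk. Two smaller points: the line `** Tasmota detailed TLS configuration moved is now here:` reads awkwardly and could be `** Tasmota's detailed TLS configuration has moved to:`, and the first added reference links to plain `http://lukse.lt/...` while the second uses `https://`; worth checking whether that page is reachable over https before linking the insecure scheme from a page about securing IoT traffic.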