Updated TLS (markdown)

s-hadinger 2019-06-22 11:38:44 +02:00
parent 231bca7d9d
commit 864fad72fc
1 changed file with 71 additions and 0 deletions: TLS.md (+71)

@ -46,6 +46,77 @@ The main limitations are:
- The server certificate must have an RSA private key (max 2048 bits) and the certificate must be signed with RSA and SHA256 hash. This is the case with default Letsencrypt certificates.
- Your SSL/TLS should support TLS 1.2 MFLN to limit buffer to 1024 bytes. If MFLN is not supported, it will still work well as long as the server does not send any message above 1024 bytes (which should be ok, since Tasmota cannot parse MQTT messages above 1024 bytes)
-----------
## Implementation notes
To be completed...
### Memory usage
TLS on Tasmota has been aggresively optimised to use as little memory (heap) as possible. It was also optimized to limit code size.
Memory consumption (nominal):
* BearSSL lib: **1424 bytes** (or 1024 bytes with letsencrypt or regular TLS)
* BearSSL ClientContext: **3440 bytes**
* Buffers (1024 bytes in + 1024 bytes out + overhead): **2528 bytes**
* **Total = 7.4k** (or 7.0k with letsencrypt or regular TLS)
Note: if you use USE_WEBSERVER, your impact is lowered by 2k since the Web log buffer is reduced from 4k to 2k. Overall when activating USE_WEBSERVER, you just see a memory impact of 5.4k.
Memory needed during connection (TLS handshake - fingerprint validation):
* ThunkStack = **5308 bytes** (or **3608 bytes** with letsencrypt or regular TLS)
* DecoderContext = **1152 bytes**
* **Total for connection = 6.5k** (or **4.8k** with letsencrypt or regular TLS)
Memory needed during connection (TLS handshake - full CA validation):
* ThunkStack = **5308 bytes** (or **3608 bytes** with letsencrypt or regular TLS)
* DecoderContext = **3072 bytes**
* **Total for connection = 8.4k** (or **6.7k** with letsencrypt or regular TLS)
### Connection Time
ESP8266 is quite slow compared to modern processors when it comes to SSL handshake. Here are the observed performance to connect to an SSL/TLS server, depending on frequency (80MHz or 160MHz):
AWS IoT Connection, with EC Private Key, simple fingerprint validation:
* **0.7s** at 160MHz
* **1.3s** at 80 MHz
AWS IoT Connection, with EC Private Key, full CA validation (easier to configure than fingerprints):
* **1.0s** at 160MHz
* **1.8s** at 80 MHz
Letsencrypt based server (Mosquitto for ex), simple fingerprint validation:
* **0.3s** at 160MHz
* **0.4s** at 80MHz
Letsencrypt based server (Mosquitto for ex), with full CA validation (easier to configure than fingerprint):
* **0.4s** at 160MHz
* **0.7s** at 80MHz
### TLS Troubleshooting
Here are the common TLS error:
Error code | Description
:--- | :---
| -1002 | Cannot connect to TCP port |
| -1000 | Out of memory error |
| 1 | Bad fingerprint |
| 62 | X509 not trusted, the server certificate is not signed by the CA (AWS IoT or Letsencrypt) |
| 298 | missing client private key |
-----------
### Below are the instructions of pre-6.5.0.15 versions.
Before v 6.5.0.15: to the value you're getting from the mosquitto server. To get the fingerprint you can use the following command on your MQTT server:
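Review bot: the "298 | missing client private key" row of the troubleshooting table describes only one cause of that code; in BearSSL 298 is BR_ERR_RECV_FATAL_ALERT (256) plus TLS alert 42 (bad_certificate), i.e. the server sent a fatal bad_certificate alert, which AWS IoT does when the client presents no certificate (usually because no client certificate/key pair was configured), and the row should say so rather than mention only the private key. In the same table the header row `Error code | Description` lacks the leading and trailing pipes the body rows use, and "Here are the common TLS error:" should read "errors". Since the page contrasts fingerprint and full CA validation, add a sentence that a fingerprint pins a single server certificate, so renewing the server certificate will yield error 1 (Bad fingerprint) until the stored fingerprint is updated, whereas CA validation keeps working across renewals from the same CA. Smaller points: "aggresively" -> "aggressively"; "## Implementation notes" is followed only by "To be completed...", which should either be written or dropped before this lands; and the last line "Before v 6.5.0.15: to the value you're getting from the mosquitto server." is missing the beginning of its sentence.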