By Tobias Rahloff
#40138 Many sources state that the esp8266 comes with TLS 1.2 support. However, some rejected handshakes from a MQTT broker indicated that the TLS implementation is wrong in some way.
After a colleague of mine set up some test stands, did several days of testing and analysed the results, he came to the conclusion that the NodeMCU speaks TLS 1.1. Let me show you the results:

This is the NodeMCU client hello:

0000 16 03 02 00 33 01 00 00 2f 03 02 00 00 00 00 d0
0010 b1 a1 3a 07 1c 1b 3e f2 fc 03 91 d6 18 b5 ae 5d
0020 77 65 37 f5 07 10 45 d1 7e 1a ea 00 00 08 00 2f
0030 00 35 00 05 00 04 01 00

The parsing of that:

16 - SSL3_RT_HANDSHAKE (Is this right - ie a common SSL3 and TLS byte here?)
03 02 - version : 3.2
00 33 - length of record excluding 5 bytes of header
01 - SSL3_MT_CLIENT_HELLO
00 00 2f - length of the following data
03 02 - TLS v1.1
00 00 00 00 d0 b1 a1 3a 07 1c 1b 3e f2 fc 03 91 d6 //-- ?.... - Random 16 bytes

A proper TLS 1.2 client hello looks like this:

0000 16 03 01 00 7e 01 00 00 7a 03 03 56 ab 8e f3 59
0010 bb 39 71 b4 9f d1 4c bc 39 f3 37 ca 8c bc f8 f4
0020 d8 6f 40 4b cf a9 a4 48 62 c1 70 00 00 10 00 9c
0030 c0 2f c0 2b 00 a2 00 9e c0 31 c0 2d 00 ff 01 00
0040 00 41 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06
0050 00 19 00 18 00 17 00 23 00 00 00 0d 00 20 00 1e
0060 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02
0070 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f
0080 00 01 01
(This packet was captured from a browser connecting to the same test stand with TLS 1.2)

After enabling TLS 1.1 on the test stand the NodeMCU could publish without any problems.
This is based on reading the RFCs for TLS 1.1 and 1.2.

The problem occurred with the NodeMCU firmware but because it's based on the Espressif SDK 1.4 I guess it's some implementation problem in said SDK.

Did I miss something or does the esp8266 in fact not support TLS 1.2?
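As an added example (not code from the original post or from the NodeMCU/Espressif projects), here is a small Python decoder that walks both hex dumps above and reports the record version, the ClientHello version, the cipher suites offered and any extensions present. The two byte strings are copied from the dumps in the post; the cipher-suite and extension names come from the IANA TLS registries; the function names and the `offers_tls12_features` heuristic are my own.

```python
"""Decode a TLS ClientHello record (RFC 4346 / RFC 5246 wire format) and report
which protocol version, cipher suites and extensions the client offers."""
import struct

# Sample input: the two captures from the forum post, re-typed here as bytes.
NODEMCU_HELLO = bytes.fromhex(
    "16 03 02 00 33 01 00 00 2f 03 02 00 00 00 00 d0"
    "b1 a1 3a 07 1c 1b 3e f2 fc 03 91 d6 18 b5 ae 5d"
    "77 65 37 f5 07 10 45 d1 7e 1a ea 00 00 08 00 2f"
    "00 35 00 05 00 04 01 00"
)
BROWSER_HELLO = bytes.fromhex(
    "16 03 01 00 7e 01 00 00 7a 03 03 56 ab 8e f3 59"
    "bb 39 71 b4 9f d1 4c bc 39 f3 37 ca 8c bc f8 f4"
    "d8 6f 40 4b cf a9 a4 48 62 c1 70 00 00 10 00 9c"
    "c0 2f c0 2b 00 a2 00 9e c0 31 c0 2d 00 ff 01 00"
    "00 41 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06"
    "00 19 00 18 00 17 00 23 00 00 00 0d 00 20 00 1e"
    "06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02"
    "04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f"
    "00 01 01"
)

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
SUITE_NAMES = {  # IANA registry names for the suites seen in the two dumps
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x00A2: "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 0xC031: "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    0xC02D: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
EXT_NAMES = {0x000A: "supported_groups", 0x000B: "ec_point_formats", 0x000D: "signature_algorithms",
             0x000F: "heartbeat", 0x0023: "session_ticket"}
EXT_SIGNATURE_ALGORITHMS = 0x000D  # extension defined by TLS 1.2 (RFC 5246) only
GCM_SUITES = {0x009C, 0x009E, 0x00A2, 0xC02B, 0xC02D, 0xC02F, 0xC031}  # AEAD: TLS 1.2 only


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    return struct.unpack_from("!H", buf, pos)[0]


def parse_client_hello(record):
    """Return a dict describing the ClientHello carried in one TLS record."""
    if len(record) < 5:
        raise ValueError("record header too short")
    content_type, rec_major, rec_minor, rec_len = struct.unpack_from("!BBBH", record, 0)
    if content_type != 0x16:                       # SSL3_RT_HANDSHAKE
        raise ValueError("not a handshake record: type 0x%02x" % content_type)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record claims %d bytes, %d present" % (rec_len, len(body)))
    if body[0] != 0x01:                            # SSL3_MT_CLIENT_HELLO
        raise ValueError("not a ClientHello: handshake type 0x%02x" % body[0])
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) != int.from_bytes(body[1:4], "big") or len(hello) < 35:
        raise ValueError("handshake length mismatch")
    hello_version = (hello[0], hello[1])           # client_version: highest version offered
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # session_id<0..32>
    cs_len = _u16(hello, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites vector")
    suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    if pos >= len(hello):
        raise ValueError("missing compression_methods")
    pos += 1 + hello[pos]                          # compression_methods<1..255>
    extensions = []
    if pos < len(hello):                           # extensions are optional (absent in the NodeMCU hello)
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        if end != len(hello):
            raise ValueError("extensions length mismatch")
        while pos < end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
            pos += 4 + ext_len
            if pos > end:
                raise ValueError("extension 0x%04x overruns the hello" % ext_type)
            extensions.append(ext_type)
    return {
        "record_version": VERSION_NAMES.get((rec_major, rec_minor), "unknown"),
        "hello_version": VERSION_NAMES.get(hello_version, "unknown"),
        "cipher_suites": suites,
        "extensions": extensions,
        # heuristic: anything here is meaningless to a pre-1.2 server
        "offers_tls12_features": EXT_SIGNATURE_ALGORITHMS in extensions or bool(GCM_SUITES & set(suites)),
    }


def summarize(record):
    """Human-readable one-liner per field, for comparing two captures side by side."""
    info = parse_client_hello(record)
    lines = ["record version %s, ClientHello version %s" % (info["record_version"], info["hello_version"])]
    lines += ["  suite 0x%04x %s" % (s, SUITE_NAMES.get(s, "?")) for s in info["cipher_suites"]]
    lines += ["  ext 0x%04x %s" % (e, EXT_NAMES.get(e, "?")) for e in info["extensions"]]
    lines.append("  offers TLS 1.2-only features: %s" % info["offers_tls12_features"])
    return "\n".join(lines)


if __name__ == "__main__":
    for label, rec in (("NodeMCU", NODEMCU_HELLO), ("browser", BROWSER_HELLO)):
        print(label + ":\n" + summarize(rec))
```

Running it shows the difference the post describes in one place: the NodeMCU hello carries version 3.2 in both the record and the handshake header, offers only four RSA CBC/RC4 suites and no extensions at all, while the browser hello advertises 3.3, adds GCM suites and the signature_algorithms extension, both of which exist only in TLS 1.2. The parser also refuses truncated or internally inconsistent records, which is the first thing to check when a capture tool splits a hello across segments.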
By ncnmra
#40285 I'm very interested in this thread (sorry, I don't have an answer for you). Are you using the RTOS version of the SDK or the AT version? What is your development environment, and would you share your test code?

It seems that Espressif has made some enhancements to both in regards to SSL:

http://espressif.com/new-sdk-release/

ESP8266_NONOS_SDK_V1.5.1_16_01_08
* Optimize SSL shakehand.

ESP32_RTOS_SDK_V1.1.0_15_12_21
* Support SSL, software encrypt.
By chaeplin
#40297 http://bbs.espressif.com/viewtopic.php? ... =TLS#p5522


Re: SSL Authentication to AWS IOT Service
Post by Espressif_Faye » Mon Jan 25, 2016 6:58 pm

Hi,

Yes, ESP8266 does not support TLS 1.2 now.
Are you trying to connect to "A1QQ280DDHPJDD.iot.us-east-1.amazonaws.com"? It seems to be TLS 1.2, which ESP8266 does not support now.
In your log, it is the server that sends an ALERT packet after ESP8266 sent the SSL_CLIENT_HELLO packet.
ESP8266 can connect to https://aws.amazon.com but fails to connect to the IOT server. Or you can try to check the difference between these servers.