Chat freely about anything...
User avatar
By androidfanboy
#72332 Hi there,

I am using a NodeMCU (ESP-12) and I'm trying to get the following code to work using the HTTPClient library:

Code: Select all#include <ESP8266WiFi.h>
#include <ESP8266HTTPClient.h>

const char* ssid = "........";
const char* password = "........";
String deviceID = "testing123abcxyz";

void setup() {
  Serial.begin(115200);
  Serial.println();
  Serial.print("Connecting to ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
 
  // Post data to dweet.io
  HTTPClient http;
  String URL = "http://dweet.io/dweet/for/" + deviceID + "?foo=bar&test=123"; // Works with HTTP
  http.begin(URL); // Works with HTTP
 
  int httpCode = http.GET();
  if (httpCode > 0) {
    String payload = http.getString();
    Serial.println(payload); // Print response
  }
 
  http.end();
}

void loop() {
  // Nothing here
}


If I change line 25 to "https://" instead of "http://" then it doesn't work. I know that this library can work with HTTPS with a fingerprint, but what if I don't have one? I also tried "http.begin(URL, "");" to pass an empty fingerprint parameter in the function but that obviously didn't work either.

Thanks!
User avatar
By dragondaud
#72401 I posted an example sketch recently that shows how to use SSL without checking certificate validity. My issue was that every time I connect to google api servers there is a different fingerprint, and they require usage of SSL. I used pull request 2821 on the github version of arduino esp8266 to add the option to disregard the tls verification.

You can easily obtain the fingerprint from a server using:
openssl s_client -connect http://www.server.com:443 | openssl x509 -fingerprint -noout

But that doesn't help if it changes frequently. And the overhead for chain verification is very high, hardly worth it for trivial data from an IoT device. Passing credentials through an unverified connection is not recommended, but using an API key to post data is hardly a security risk.