TLS support

2026-02-04 18:00:22 +02:00
parent 5a22f36ebf
commit 3ff92ea801
4 changed files with 87 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

-## [v1.0.0] - 2024-12-30
+## [v1.1.0] - 2026-02-03
+
+### Add
+
+- TLS support
+
+### Added
+
+- Repository
+
+## [v1.0.0] - 2025-12-30

 ### Added

--- a/README.md
+++ b/README.md
@@ -198,6 +198,67 @@ void command_processing_example(void) {
 }
 ```

+### TLS/SSL with Certificate Authentication
+
+For secure MQTT connections (mqtts://), you can provide a CA certificate for server verification:
+
+```c
+#include "mqtt_manager.h"
+
+// Embedded CA certificate - from your src/certs/ca.crt file
+extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
+
+void secure_mqtt_example(void) {
+    mqtt_config_t config = {
+        .broker_url = "mqtts://mqtt.example.com",
+        .broker_port = 8883,
+        .client_id = "secure_device_01",
+        .username = "device_user",
+        .password = "secure_password",
+        .ca_cert_pem = (const char *)ca_crt_start,  // Embedded CA certificate
+        .keepalive = 60,
+        .network_timeout_ms = 10000
+    };
+
+    mqtt_manager_init(&config, mqtt_callback);
+    mqtt_manager_start();
+}
+```
+
+#### Embedding Certificates in Firmware
+
+To embed a CA certificate in your firmware:
+
+1. **Place certificate file:**
+
+   ```
+   src/certs/ca.crt
+   ```
+
+2. **Update src/CMakeLists.txt:**
+
+   ```cmake
+   idf_component_register(
+       SRCS ${app_sources}
+       EMBED_TXTFILES "certs/ca.crt"
+   )
+   ```
+
+3. **Reference in your code:**
+
+   ```c
+   extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
+   extern const uint8_t ca_crt_end[] asm("_binary_ca_crt_end");
+
+   // Use in config
+   mqtt_config_t config = {
+       .ca_cert_pem = (const char *)ca_crt_start,
+       // ... other config
+   };
+   ```
+
+The symbol name format is `_binary_<filename_no_path>_start` and `_binary_<filename_no_path>_end` where slashes are converted to underscores.
+
 ## 📚 API Reference

 ### Data Types
@@ -224,6 +285,7 @@ typedef struct {
    const char *client_id;      // Unique client identifier
    const char *username;       // Username (can be NULL if not required)
    const char *password;       // Password (can be NULL if not required)
+    const char *ca_cert_pem;    // CA certificate in PEM format (NULL to disable TLS verification)
    int keepalive;              // Keepalive interval in seconds (0 for default)
    int network_timeout_ms;     // Network timeout in milliseconds (0 for default)
 } mqtt_config_t;
@@ -235,6 +297,7 @@ typedef struct {
 - `broker_port`: Standard ports: 1883 (mqtt), 8883 (mqtts), 80 (ws), 443 (wss)
 - `client_id`: Must be unique across all clients connecting to the broker
 - `username`/`password`: Authentication credentials (set to NULL if not needed)
+- `ca_cert_pem`: PEM-formatted CA certificate for TLS/SSL verification (set to NULL to skip verification, or provide embedded certificate from firmware)
 - `keepalive`: Heartbeat interval (recommended: 60-300 seconds)
 - `network_timeout_ms`: Socket timeout (recommended: 5000-30000ms)

--- a/mqtt_manager.c
+++ b/mqtt_manager.c
@@ -146,6 +146,11 @@ esp_err_t mqtt_manager_init(const mqtt_config_t *config, mqtt_event_callback_t e
        mqtt_cfg.credentials.authentication.password = config->password;
    }

+    if (config->ca_cert_pem && strlen(config->ca_cert_pem) > 0)
+    {
+        mqtt_cfg.broker.verification.certificate = config->ca_cert_pem;
+    }
+
    // Initialize MQTT client
    mqtt_client = esp_mqtt_client_init(&mqtt_cfg);
    if (mqtt_client == NULL)
--- a/mqtt_manager.h
+++ b/mqtt_manager.h
@@ -25,13 +25,14 @@ extern "C"
     */
    typedef struct
    {
-        const char *broker_url; /**< MQTT broker URL (e.g., "mqtt://192.168.1.100") */
-        int broker_port;        /**< MQTT broker port (usually 1883 for non-secure) */
-        const char *client_id;  /**< Unique client identifier */
-        const char *username;   /**< Username (can be NULL if not required) */
-        const char *password;   /**< Password (can be NULL if not required) */
-        int keepalive;          /**< Keepalive interval in seconds (0 for default) */
-        int network_timeout_ms; /**< Network timeout in milliseconds (0 for default) */
+        const char *broker_url;  /**< MQTT broker URL (e.g., "mqtt://192.168.1.100") */
+        int broker_port;         /**< MQTT broker port (usually 1883 for non-secure) */
+        const char *client_id;   /**< Unique client identifier */
+        const char *username;    /**< Username (can be NULL if not required) */
+        const char *password;    /**< Password (can be NULL if not required) */
+        const char *ca_cert_pem; /**< CA certificate in PEM format (NULL to disable TLS verification) */
+        int keepalive;           /**< Keepalive interval in seconds (0 for default) */
+        int network_timeout_ms;  /**< Network timeout in milliseconds (0 for default) */
    } mqtt_config_t;

    /**