From 3ff92ea8015984dbcc1b690b59e1c54dea811528 Mon Sep 17 00:00:00 2001
From: Andrey Aleksandrov
Date: Wed, 4 Feb 2026 18:00:22 +0200
Subject: [PATCH] TLS support

---
 CHANGELOG.md | 12 +++++++++-
 README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++
 mqtt_manager.c | 5 ++++
 mqtt_manager.h | 15 ++++++------
 4 files changed, 87 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8625ef8..268737c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [v1.0.0] - 2024-12-30
+## [v1.1.0] - 2026-02-03
+
+### Add
+
+- TLS support
+
+### Added
+
+- Repository
+
+## [v1.0.0] - 2025-12-30
 
 ### Added
 
diff --git a/README.md b/README.md
index 59e629f..d25136c 100644
--- a/README.md
+++ b/README.md
@@ -198,6 +198,67 @@ void command_processing_example(void) {
 }
 ```
 
+### TLS/SSL with Certificate Authentication
+
+For secure MQTT connections (mqtts://), you can provide a CA certificate for server verification:
+
+```c
+#include "mqtt_manager.h"
+
+// Embedded CA certificate - from your src/certs/ca.crt file
+extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
+
+void secure_mqtt_example(void) {
+ mqtt_config_t config = {
+ .broker_url = "mqtts://mqtt.example.com",
+ .broker_port = 8883,
+ .client_id = "secure_device_01",
+ .username = "device_user",
+ .password = "secure_password",
+ .ca_cert_pem = (const char *)ca_crt_start, // Embedded CA certificate
+ .keepalive = 60,
+ .network_timeout_ms = 10000
+ };
+
+ mqtt_manager_init(&config, mqtt_callback);
+ mqtt_manager_start();
+}
+```
+
+#### Embedding Certificates in Firmware
+
+To embed a CA certificate in your firmware:
+
+1. **Place certificate file:**
+
+ ```
+ src/certs/ca.crt
+ ```
+
+2. **Update src/CMakeLists.txt:**
+
+ ```cmake
+ idf_component_register(
+ SRCS ${app_sources}
+ EMBED_TXTFILES "certs/ca.crt"
+ )
+ ```
+
+3. **Reference in your code:**
+
+ ```c
+ extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
+ extern const uint8_t ca_crt_end[] asm("_binary_ca_crt_end");
+
+ // Use in config
+ mqtt_config_t config = {
+ .ca_cert_pem = (const char *)ca_crt_start,
+ // ... other config
+ };
+ ```
+
+The symbol name format is `_binary__start` and `_binary__end` where slashes are converted to underscores.
+
 ## 📚 API Reference
 
 ### Data Types
@@ -224,6 +285,7 @@ typedef struct {
 const char *client_id; // Unique client identifier
 const char *username; // Username (can be NULL if not required)
 const char *password; // Password (can be NULL if not required)
+ const char *ca_cert_pem; // CA certificate in PEM format (NULL to disable TLS verification)
 int keepalive; // Keepalive interval in seconds (0 for default)
 int network_timeout_ms; // Network timeout in milliseconds (0 for default)
 } mqtt_config_t;
@@ -235,6 +297,7 @@ typedef struct {
 - `broker_port`: Standard ports: 1883 (mqtt), 8883 (mqtts), 80 (ws), 443 (wss)
 - `client_id`: Must be unique across all clients connecting to the broker
 - `username`/`password`: Authentication credentials (set to NULL if not needed)
+- `ca_cert_pem`: PEM-formatted CA certificate for TLS/SSL verification (set to NULL to skip verification, or provide embedded certificate from firmware)
 - `keepalive`: Heartbeat interval (recommended: 60-300 seconds)
 - `network_timeout_ms`: Socket timeout (recommended: 5000-30000ms)
 
diff --git a/mqtt_manager.c b/mqtt_manager.c
index 3652c7f..a1f7927 100644
--- a/mqtt_manager.c
+++ b/mqtt_manager.c
@@ -146,6 +146,11 @@ esp_err_t mqtt_manager_init(const mqtt_config_t *config, mqtt_event_callback_t e
 mqtt_cfg.credentials.authentication.password = config->password;
 }
 
+ if (config->ca_cert_pem && strlen(config->ca_cert_pem) > 0)
+ {
+ mqtt_cfg.broker.verification.certificate = config->ca_cert_pem;
+ }
+
 // Initialize MQTT client
 mqtt_client = esp_mqtt_client_init(&mqtt_cfg);
 if (mqtt_client == NULL)
diff --git a/mqtt_manager.h b/mqtt_manager.h
index 51b658f..e7a9d6a 100644
--- a/mqtt_manager.h
+++ b/mqtt_manager.h
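Review bot: The new `if` in mqtt_manager_init only sets `broker.verification.certificate` when a CA is supplied and does nothing for a `mqtts://` or `wss://` URL without one, so the outcome of that case is decided by esp-tls rather than by this module: as far as I know a current ESP-IDF build rejects the handshake with a setup error unless `CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY` is enabled, and with that option on the broker is accepted unauthenticated, which the README wording added in this commit ("NULL to disable TLS verification") presents as a supported mode. Since `mqtt_cfg.credentials.authentication` carries the username and password, an unverified peer would receive them. I would fail closed here: `else if (config->broker_url && (strncmp(config->broker_url, "mqtts://", 8) == 0 || strncmp(config->broker_url, "wss://", 6) == 0)) { return ESP_ERR_INVALID_ARG; }`, and if an opt-out is really wanted, make it an explicit config flag rather than the absence of a field. `strlen` and `strncmp` need `<string.h>`, which the hunk does not show being included; `mqtt_manager_init` begins and ends outside the hunk.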
@@ -25,13 +25,14 @@ extern "C"
 */
 typedef struct
 {
- const char *broker_url; /**< MQTT broker URL (e.g., "mqtt://192.168.1.100") */
- int broker_port; /**< MQTT broker port (usually 1883 for non-secure) */
- const char *client_id; /**< Unique client identifier */
- const char *username; /**< Username (can be NULL if not required) */
- const char *password; /**< Password (can be NULL if not required) */
- int keepalive; /**< Keepalive interval in seconds (0 for default) */
- int network_timeout_ms; /**< Network timeout in milliseconds (0 for default) */
+ const char *broker_url; /**< MQTT broker URL (e.g., "mqtt://192.168.1.100") */
+ int broker_port; /**< MQTT broker port (usually 1883 for non-secure) */
+ const char *client_id; /**< Unique client identifier */
+ const char *username; /**< Username (can be NULL if not required) */
+ const char *password; /**< Password (can be NULL if not required) */
+ const char *ca_cert_pem; /**< CA certificate in PEM format (NULL to disable TLS verification) */
+ int keepalive; /**< Keepalive interval in seconds (0 for default) */
+ int network_timeout_ms; /**< Network timeout in milliseconds (0 for default) */
 } mqtt_config_t;
 
 /**
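Review bot: `ca_cert_pem` is inserted between `password` and `keepalive` in the public `mqtt_config_t` instead of being appended, so positional initializers in existing callers no longer line up and any object compiled against the v1.0.0 header sees a different layout; for a minor-version bump I would append the field after `network_timeout_ms` (designated initializers such as the README example work either way). The field comment should also spell out the contract the .c side relies on: the buffer must be a NUL-terminated PEM string, because `certificate_len` is left at 0 and the .c side measures it with `strlen`, and NULL does not by itself disable verification but leaves the result to the esp-tls configuration; e.g. `/**< NUL-terminated CA certificate (PEM) used to verify the broker; NULL = no CA supplied, see mqtt_manager_init */`. The other lines of the hunk are whitespace re-alignment only.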