TLS support

2026-02-04 18:00:22 +02:00
parent 5a22f36ebf
commit 3ff92ea801
4 changed files with 87 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -198,6 +198,67 @@ void command_processing_example(void) {
 }
 ```

+### TLS/SSL with Certificate Authentication
+
+For secure MQTT connections (mqtts://), you can provide a CA certificate for server verification:
+
+```c
+#include "mqtt_manager.h"
+
+// Embedded CA certificate - from your src/certs/ca.crt file
+extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
+
+void secure_mqtt_example(void) {
+    mqtt_config_t config = {
+        .broker_url = "mqtts://mqtt.example.com",
+        .broker_port = 8883,
+        .client_id = "secure_device_01",
+        .username = "device_user",
+        .password = "secure_password",
+        .ca_cert_pem = (const char *)ca_crt_start,  // Embedded CA certificate
+        .keepalive = 60,
+        .network_timeout_ms = 10000
+    };
+
+    mqtt_manager_init(&config, mqtt_callback);
+    mqtt_manager_start();
+}
+```
+
+#### Embedding Certificates in Firmware
+
+To embed a CA certificate in your firmware:
+
+1. **Place certificate file:**
+
+   ```
+   src/certs/ca.crt
+   ```
+
+2. **Update src/CMakeLists.txt:**
+
+   ```cmake
+   idf_component_register(
+       SRCS ${app_sources}
+       EMBED_TXTFILES "certs/ca.crt"
+   )
+   ```
+
+3. **Reference in your code:**
+
+   ```c
+   extern const uint8_t ca_crt_start[] asm("_binary_ca_crt_start");
+   extern const uint8_t ca_crt_end[] asm("_binary_ca_crt_end");
+
+   // Use in config
+   mqtt_config_t config = {
+       .ca_cert_pem = (const char *)ca_crt_start,
+       // ... other config
+   };
+   ```
+
+The symbol name format is `_binary_<filename_no_path>_start` and `_binary_<filename_no_path>_end` where slashes are converted to underscores.
+
 ## 📚 API Reference

 ### Data Types
@@ -224,6 +285,7 @@ typedef struct {
    const char *client_id;      // Unique client identifier
    const char *username;       // Username (can be NULL if not required)
    const char *password;       // Password (can be NULL if not required)
+    const char *ca_cert_pem;    // CA certificate in PEM format (NULL to disable TLS verification)
    int keepalive;              // Keepalive interval in seconds (0 for default)
    int network_timeout_ms;     // Network timeout in milliseconds (0 for default)
 } mqtt_config_t;
@@ -235,6 +297,7 @@ typedef struct {
 - `broker_port`: Standard ports: 1883 (mqtt), 8883 (mqtts), 80 (ws), 443 (wss)
 - `client_id`: Must be unique across all clients connecting to the broker
 - `username`/`password`: Authentication credentials (set to NULL if not needed)
+- `ca_cert_pem`: PEM-formatted CA certificate for TLS/SSL verification (set to NULL to skip verification, or provide embedded certificate from firmware)
 - `keepalive`: Heartbeat interval (recommended: 60-300 seconds)
 - `network_timeout_ms`: Socket timeout (recommended: 5000-30000ms)