RPC Security with mTLS

Is it possible to use something like mutual TLS, for HTTPS or WebSocket (secure), in order to encrypt the connection between client and server when using RPC? If yes, is there any example of how to do that? Thanks to everyone and sorry for my bad English.


Comments

  • Sergey (Dublin, Ireland)

    Hi Daniele,
    Please make sure you don't mix up two things: encryption and authentication.
    Mutual TLS is usually mentioned in the context of authentication.

    Anyway, am I assuming correctly that you'd like to run a device as an HTTP/Websocket server and call RPC services on it? Could you share a bit more about your architecture?

  • Yes @"Sergey Lyubka", shouldn't mTLS also enable authentication? Anyway, my architecture is an esp8266, and yes, you're perfectly right, I want to use it as an HTTP/WS server and also use RPC services, while denying access to unwanted people on the same network.

  • Sergey (Dublin, Ireland)

    Sure.

    See HTTP settings:

    ~$ mos config-get http
    {
      "enable": true,
      "hidden_files": "",
      "listen_addr": "80",
      "ssl_ca_cert": "",
      "ssl_cert": "",
      "ssl_key": "",
      "tunnel": {
        "addr": "mongoose.link",
        "enable": false
      },
      "upload_acl": "*"
    }
    

    There are TLS settings, starting with the ssl_ prefix. Upload the cert and key file you'd like to use. Upload ssl_ca_cert if you want mutual TLS. Use the mos put command to upload stuff. Once done, you should be set. Please let me know how it goes.

  • Thanks! I will try that tomorrow and let you know if I run into problems. ssl_ca_cert will be used to trust, or not, client certificates, am I right? And also, would that also affect websockets?

  • Sergey (Dublin, Ireland)

    a) correct, b) correct

  • What types of certificates/private keys are supported, can I use openssl to generate them? Can I use any number of bits? Thanks

  • Sergey (Dublin, Ireland)

    You can use openssl. As usual, RSA/EC can be used. The more bits you use, the slower it'll be to establish a connection. What boards do you use?

  • I'm using an esp8266

  • Sergey (Dublin, Ireland)

    ESP8266 can be quite slow on incoming connections. Depending on the key size, algorithm, etc., connection time can be up to half a minute.

  • iH8c0ff33 (Italy)
    edited February 9

    I need to send data nearly 40 times a second, using a websocket. Would that also affect transfer speed, or is it only related to connection setup? What would you suggest I use for such an application? Thanks for all the help

  • Sergey (Dublin, Ireland)

    Once the connection is established, it's OK. We see visible slowness during connection establishment.
    40 RPS is relatively high... What are you doing?

  • I will keep a websocket connection open 24/7 if that's possible. I need to send events from a cosmic ray detector to a local server that stores this data. I don't think saving data on the esp8266 temporarily and pushing it every minute, or maybe less often, is good, since there's only the flash memory's SPIFFS, and I think the esp8266 wouldn't be really fast at parsing files of this kind (I need to save a timestamp and event type for each event).

  • Sergey (Dublin, Ireland)

    Yeah, spooling to SPIFFS is not a good idea.
    What's the size of the message? Maybe spooling to RAM is feasible.
    Anyhow, try to push to the Websocket without any spooling; that's the best way IMO, and the ESP8266 should be able to keep up. Websocket has a very low overhead.

    Why are you using a server? Do you aim to have browsers connected to the ESP8266?
    Note that in this case, the ESP8266 would need to fan out to many endpoints.

    I'd set up a WS server and push from ESP8266 to it. Using WS or MQTT, does not matter. Then, an external server could fan out to many other consumers.

  • iH8c0ff33 (Italy)
    edited February 9

    No, I don't want to use the esp8266 as a webserver, I just want mTLS to secure connections to RPC (over HTTP and WS) and to the server. Yes, I would send the data by pushing it over a websocket connection to a server in the local network.

  • Sergey (Dublin, Ireland)

    Sounds good.
    Let us know how your TLS setup goes.

  • I will keep you updated, I'm now reading how to use openssl and create a CA

  • Oh, I forgot a thing: how can I use the certificate from the mos tool?

  • iH8c0ff33 (Italy)
    edited February 9

    I also get this error:

    mgos_sys_config_init Error binding to [80]
    esp_mgos_init        MG init error: -14
    esp_mg_init_timer_cb Init failed: -14
    
  • Sergey (Dublin, Ireland)

    1. mos respects the --cert-file and --key-file options
    2. There is a system server running on port 80 already. Either disable it or, better, use it rather than starting your own.

  • @Sergey Lyubka said:
    Sure.

    See HTTP settings:

    ~$ mos config-get http
    {
      "enable": true,
      "hidden_files": "",
      "listen_addr": "80",
      "ssl_ca_cert": "",
      "ssl_cert": "",
      "ssl_key": "",
      "tunnel": {
        "addr": "mongoose.link",
        "enable": false
      },
      "upload_acl": "*"
    }
    

    There are TLS settings, starting with the ssl_ prefix. Upload the cert and key file you'd like to use. Upload ssl_ca_cert if you want mutual TLS. Use the mos put command to upload stuff. Once done, you should be set. Please let me know how it goes.

    I didn't start another server, I just uploaded the certs and changed the config as follows: http.ssl_ca_cert=ca.crt.pem http.ssl_cert=server.crt.pem http.ssl_key=server.key.pem

  • Sergey (Dublin, Ireland)

    OK, show your http config please

  • The config is the default one:

    {
      "enable": true,
      "hidden_files": "",
      "listen_addr": "80",
      "ssl_ca_cert": "",
      "ssl_cert": "",
      "ssl_key": "",
      "tunnel": {
        "addr": "mongoose.link",
        "enable": false
      },
      "upload_acl": "*"
    }
    

    then I run mos config-set http.ssl_ca_cert=ca.crt.pem http.ssl_cert=server.crt.pem http.ssl_key=server.key.pem and it gives that error and goes into a bootloop.

  • Sergey (Dublin, Ireland)
    edited February 9

    Try NOT setting ssl_ca_cert, and change the port to 443

  • I ran the command mos config-set http.ssl_cert=server.crt.pem http.ssl_key=server.key.pem and it still gives the same result

  • Sergey (Dublin, Ireland)

    Clearly you have a problem with the generated certificate. Make sure it's in PEM format. Generate an RSA 1024-bit cert for a start.

  • iH8c0ff33 (Italy)
    edited February 9

    Are these correct (they should be 1024-bit)?

    ~/D/c/users $ cat server.key.pem
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    ~/D/c/users $ cat server.crt.pem
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    
  • Sergey (Dublin, Ireland)

    That's not a certificate. That's a certificate request you're showing.

  • Ok... I just realized that was the CSR and not the actual certificate...

  • Sergey (Dublin, Ireland)

    Show the openssl command sequence you're using, please

  • @Sergey said:
    Show the openssl command sequence you're using, please

    I am following that guide
    https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
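For the openssl part of the thread (CA, server certificate, and the CSR-versus-certificate mix-up), an added example that is not from the forum or from Mongoose OS: it builds a small CA, issues a server certificate and a client certificate, and refuses any file whose PEM label is not CERTIFICATE, which is the check that would have caught the CSR shown above. openssl in PATH, 2048-bit RSA keys and the CN values are assumptions; the file names are the thread's.

```shell
# Added example, not code from the thread or Mongoose OS. Builds a CA, issues
# server/client certs with openssl and checks PEM labels before `mos put`.
# Assumptions: openssl in PATH, 2048-bit RSA, the CN values below.
set -eu

# Print the PEM label of the first block in a file, e.g. CERTIFICATE,
# CERTIFICATE REQUEST, RSA PRIVATE KEY or PRIVATE KEY.
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Accept only an X.509 certificate. A CSR carries the label
# "CERTIFICATE REQUEST", which is the file mixed up in the thread.
require_cert() {
  case "$(pem_type "$1")" in
    CERTIFICATE) return 0 ;;
    "CERTIFICATE REQUEST") echo "$1: this is a CSR, sign it with the CA first" >&2; return 1 ;;
    *) echo "$1: not a PEM certificate" >&2; return 1 ;;
  esac
}

# Issue a CA-signed certificate: key + CSR, then sign the CSR. The CSR keeps
# its own .csr.pem name so it cannot be mistaken for the certificate.
issue_cert() {  # issue_cert <dir> <name> <common name>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/$2.csr.pem" -CA "$1/ca.crt.pem" \
    -CAkey "$1/ca.key.pem" -CAcreateserial -out "$1/$2.crt.pem" 2>/dev/null
}

# Self-signed CA, then a server cert (goes on the ESP8266 as ssl_cert/ssl_key)
# and a client cert (presented by the RPC caller, verified against ssl_ca_cert).
make_pki() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example mTLS CA" \
    -keyout "$1/ca.key.pem" -out "$1/ca.crt.pem" 2>/dev/null
  issue_cert "$1" server esp8266.local
  issue_cert "$1" client rpc-client
}

# Demo run, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  dir=$(mktemp -d)
  make_pki "$dir"
  for f in ca.crt.pem server.crt.pem client.crt.pem; do require_cert "$dir/$f"; done
  echo "PKI written to $dir. Upload ca.crt.pem, server.crt.pem, server.key.pem with mos put,"
  echo "then: mos config-set http.listen_addr=443 http.ssl_cert=server.crt.pem" \
       "http.ssl_key=server.key.pem http.ssl_ca_cert=ca.crt.pem"
fi
```

The client then connects with client.crt.pem and client.key.pem; the ESP8266 accepts it only because it chains to the CA uploaded as ssl_ca_cert.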
