RPC Security with mTLS

Comments

  • Sergey (Dublin, Ireland)

    That's a tutorial for creating a CA cert. You don't need it for now.
    Give me some time, I'll put together a quick howto.

  • Ok thanks for all your help!

  • Sergey (Dublin, Ireland)

    ```
    $ openssl req -nodes -new -x509 -keyout key.pem -out cert.pem
    $ mos put cert.pem
    $ mos put key.pem
    $ mos config-set http.listen_addr=443 http.ssl_key=key.pem http.ssl_cert=cert.pem
    $ mos config-set wifi.........
    $ curl -k https://192.168.0.206   # YOUR IP could be different
    <html>
    <body>
      <h1>Welcome to Mongoose OS</h1>
    ...
    ```
    
  • iH8c0ff33 (Italy)
    edited February 9

    @Sergey said:
    ```
    $ openssl req -nodes -new -x509 -keyout key.pem -out cert.pem
    $ mos put cert.pem
    $ mos put key.pem
    $ mos config-set http.listen_addr=443 http.ssl_key=key.pem http.ssl_cert=cert.pem
    $ mos config-set wifi.........
    $ curl -k https://192.168.0.206 # YOUR IP could be different
    <html>
    <body>
      <h1>Welcome to Mongoose OS</h1>
    ...
    ```

    That works! thanks. How should I implement mTLS now? Can I just add a CA and sign a new cert?

    PS: I tried with the tutorial and it works now, but I don't know how to add the CA cert to mos tool

  • Sergey (Dublin, Ireland)

    What do you mean by implementing mTLS?

  • @Sergey said:
    What do you mean by implementing mTLS?

    Using a CA to validate the client certificate, is that correct?

  • Sergey (Dublin, Ireland)

    Ah, "m" means mutual, ok.
    Yeah, you need a CA cert to verify the client.
    Generate a CA cert now, and set it.

  • iH8c0ff33 (Italy)
    edited February 9

    @Sergey said:
    Ah, "m" means mutual, ok.
    Yeah, you need a CA cert to verify the client.
    Generate a CA cert now, and set it.

    Shouldn't I also sign a client certificate with the CA?

    PS: I tried, it gives an error:

    ```
    E0209 23:10:09.900432   87276 reconnect_wrapper.go:93] [reconnectWrapperCodec to wss://mongoose-os-CAF1ED.local/rpc; connect in 2.00s] connection error: tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
    tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
    ```

  • Sergey (Dublin, Ireland)

    Please show the whole sequence of commands, as I did.

  • OK here it is:

    ```
    $ mos config-set wifi.
    $ mos put server.crt.pem
    $ mos put server.key.pem
    $ mos put ca.crt.pem
    $ mos config-set http.ssl_ca_cert=ca.crt.pem http.ssl_cert=server.crt.pem http.ssl_key=server.key.pem http.listen_addr=443
    $ mos --ca-cert-file ../certs/ca.crt.pem  --cert-file client.crt.pem --key-file client.key.pem --port wss://mongoose-os-CAF1ED.local/rpc ls
    ```

    The last line gives the error.

  • Sergey (Dublin, Ireland)
    edited February 10

    Thanks, please include commands to generate CA cert!

  • iH8c0ff33 (Italy)
    edited February 10

    @Sergey said:
    Thanks, please include commands to generate CA cert!

    I will do that as soon as I get home this evening (19:00 GMT+01), thanks for your precious time and help

  • Ok here are all the commands I ran to configure the certificates:

    ```
    openssl genrsa -out ca.key.pem 1024
    openssl req -key ca.key.pem -new -x509 -days 365 -sha256 -out ca.cert.pem
    openssl genrsa -out server.key.pem 1024
    openssl req -key server.key.pem -new -sha256 -out server.csr.pem
    openssl ca -keyfile ca.key.pem -cert ca.cert.pem  -days 365 -notext -md sha256 -in server.csr.pem -out server.cert.pem
    openssl genrsa -out client.key.pem 1024
    openssl req -key client.key.pem -new -sha256 -out client.csr.pem
    openssl ca -keyfile ca.key.pem -cert ca.cert.pem  -days 365 -notext -md sha256 -in client.csr.pem -out client.cert.pem
    ```


    Then I configure the ESP as follows:

    ```
    mos flash (from a fresh mos init generated folder)
    mos config-set wifi....
    mos put ca.cert.pem
    mos put server.key.pem
    mos put server.cert.pem
    mos config-set http.ssl_ca_cert=ca.cert.pem http.ssl_cert=server.cert.pem http.ssl_key=server.key.pem http.listen_addr=443
    mos --verbose=true --cert-file client.cert.pem --key-file client.key.pem --port wss://192.168.1.6/rpc call RPC.List
    ```


    NOTE: I need to use wss:// instead of https:// because using https it just hangs (even turning on verbose doesn't show additional info)

    It throws that error:

    ```
    E0210 20:42:42.691656   90614 reconnect_wrapper.go:93] [reconnectWrapperCodec to wss://192.168.1.6/rpc; connect in 2.00s] connection error: tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
    tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
    /Users/lsm/src/cesanta.com/common/go/mgrpc/mgrpc.go:112:
    /Users/lsm/src/cesanta.com/common/go/mgrpc/mgrpc.go:143:
    /Users/lsm/src/cesanta.com/common/go/mgrpc/mgrpc.go:188:
    ```
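
The certificate setup in the post above is the core of mutual TLS: a private CA, a server certificate and a client certificate both issued by that CA, and a device that, once http.ssl_ca_cert is set, accepts only client certificates chaining to it. The script below is an added example (not code from the thread or from the Mongoose OS project) that builds the same three-certificate PKI with plain `openssl req`/`openssl x509` instead of `openssl ca` (so no CA database or config file is needed), gives the server certificate a subjectAltName for the hostname and IP used in the thread, and then uses `openssl verify` to show which certificates the CA vouches for, including a self-signed "rogue" client certificate that it does not. The CA name `lab-ca`, the client CN `mos-tool`, the 2048-bit key size and the temporary directory are assumptions; `openssl` (1.1.x or 3.x) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the thread: a minimal private CA that issues one
# server and one client certificate, plus a check of which certificates the CA
# actually vouches for. Assumes `openssl` on PATH (1.1.x or 3.x); the hostname
# and IP in the server SAN are the ones from the thread, change as needed.
set -eu

# write_ext FILE LINE...: openssl x509 -req needs an extension file to add v3
# extensions; lines without a section header land in the default section.
write_ext() {
  f=$1; shift
  printf '%s\n' "$@" > "$f"
}

# issue DIR NAME SUBJECT EXT...: key + CSR for NAME, signed by the CA in DIR.
issue() {
  dir=$1; name=$2; subj=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$dir/$name.key.pem" -out "$dir/$name.csr.pem" >/dev/null 2>&1
  write_ext "$dir/$name.ext" "$@"
  openssl x509 -req -days 365 -sha256 -in "$dir/$name.csr.pem" \
    -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.cert.pem" >/dev/null 2>&1
}

# gen_pki DIR: creates ca.*, server.*, client.* and a self-signed rogue.* in DIR.
gen_pki() {
  dir=$1
  mkdir -p "$dir"

  # 1. CA: key + CSR, then self-sign with the CA constraints set explicitly
  #    (a self-signed v3 cert without basicConstraints CA:TRUE is not a usable CA).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=lab-ca" \
    -keyout "$dir/ca.key.pem" -out "$dir/ca.csr.pem" >/dev/null 2>&1
  write_ext "$dir/ca.ext" \
    "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
  openssl x509 -req -days 365 -sha256 -in "$dir/ca.csr.pem" \
    -signkey "$dir/ca.key.pem" -extfile "$dir/ca.ext" \
    -out "$dir/ca.cert.pem" >/dev/null 2>&1

  # 2. Server cert: the SAN must cover the name/IP clients dial (a verifying
  #    client such as the Go-based mos tool checks it), EKU serverAuth.
  issue "$dir" server "/CN=mongoose-os-CAF1ED.local" \
    "subjectAltName=DNS:mongoose-os-CAF1ED.local,IP:192.168.1.6" \
    "extendedKeyUsage=serverAuth"

  # 3. Client cert: same CA, EKU clientAuth. This is what `mos --cert-file` or
  #    `curl --cert` presents and what http.ssl_ca_cert lets the device verify.
  issue "$dir" client "/CN=mos-tool" "extendedKeyUsage=clientAuth"

  # 4. Rogue: a self-signed client cert that never touched the CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=rogue" \
    -keyout "$dir/rogue.key.pem" -out "$dir/rogue.cert.pem" >/dev/null 2>&1
}

# check_cert DIR NAME: 0 if NAME's cert chains to the CA, non-zero otherwise.
# This is the decision the device makes once http.ssl_ca_cert is set.
check_cert() {
  openssl verify -CAfile "$1/ca.cert.pem" "$1/$2.cert.pem" >/dev/null 2>&1
}

# Stand-alone demo: build the PKI in a temp dir and report the three outcomes.
demo() {
  d=$(mktemp -d)
  gen_pki "$d"
  for n in server client rogue; do
    if check_cert "$d" "$n"; then echo "$n: accepted by CA"; else echo "$n: rejected"; fi
  done
  rm -rf "$d"
}
demo
```

Running it prints `server: accepted by CA`, `client: accepted by CA` and `rogue: rejected`. The files it leaves in the directory map one-to-one onto the `mos put` commands in the post: `ca.cert.pem`, `server.cert.pem` and `server.key.pem` go to the device, while `client.cert.pem` and `client.key.pem` stay with the tool that connects. Note that the "ServerName or InsecureSkipVerify" message in the log above comes from the Go TLS client inside the mos tool, which refuses to verify a server certificate without knowing which hostname to check it against; it is a client-side configuration error, not a complaint about the certificates themselves.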
    
  • @Sergey said:
    Thanks, please include commands to generate CA cert!

    I did it now, sorry for the delay

  • Sergey (Dublin, Ireland)

    Thanks.
    Does curl https://IP/rpc/RPC.List work?

  • iH8c0ff33 (Italy)
    edited February 12

    @Sergey said:
    Thanks.
    Does curl https://IP/rpc/RPC.List work?

    I would need to pass it the client certificate. I tried with wscat (websocket client available on npm) but it gives ECONNRESET, and the console displays mg_ssl_if_mbed_err 0x3fff36dc SSL error: -9984

    PS: I tried now with curl and it gives the same error, showing curl: (35) Unknown SSL protocol error in connection to 192.168.1.10:443 on curl. The curl command is:

    ```
    curl -k --cert client.cert.pem --key client.key.pem https://192.168.1.10/rpc/RPC.List
    ```

  • Sergey (Dublin, Ireland)

    Does it work without the client cert?

  • @Sergey said:
    Does it work without the client cert?

    curl gives the same error, but in the mos console I see: mg_ssl_if_mbed_err 0x3fff36dc SSL error: -29824

  • Sergey (Dublin, Ireland)

    So to conclude: you're able to see the web page (via curl or via browser), but calling RPC server fails?

  • @Sergey said:
    So to conclude: you're able to see the web page (via curl or via browser), but calling RPC server fails?

    No. It works only if I don't set ssl_ca_cert, but it seems that the ESP is not able to verify the client cert when ssl_ca_cert is set.

  • Sergey (Dublin, Ireland)

    Thanks.
    Let me put together a working example.

  • Sergey said:

    Thanks.
    Let me put together a working example.

    Thanks, I'll wait.

  • @Sergey said:
    https://mongoose-os.com/docs/#/http/tls.md/

    Thanks! Now it works, but the mos command line tool still doesn't trust the server certificate; maybe that's because I should update it.

  • Sergey (Dublin, Ireland)

    It's always a good idea to update mos :)

    Daniele, could you elaborate more on your architecture please? Is the ray detector equipped with an ESP8266 and the local server is pulling for data? What software / services are used on the server side?
    What do you plan on the ESP8266 side - C, JavaScript, any functionality other than interrogating a ray detector?

  • Sergey said:

    It's always a good idea to update mos :)

    Daniele, could you elaborate more on your architecture please? Is the ray detector equipped with an ESP8266 and the local server is pulling for data? What software / services are used on the server side?
    What do you plan on the ESP8266 side - C, JavaScript, any functionality other than interrogating a ray detector?

    As for the ray detector, I would simply use an interrupt on three pins to read data; on the other hand, for data streaming to the local server I will use websockets, constantly connected to the server and pushing data over an encrypted connection, if possible with mutual TLS as the ESP server. The ESP server is needed for the local server to start a new recording session via an RPC call over mTLS. Again, please excuse me for my English, I tried to make it as clear as possible, but please feel free to ask for more information.

  • Sergey (Dublin, Ireland)

    So you need it the other way around.
    A local server would be a WebSocket server (or MQTT server) configured for mutual TLS.

    ESP would connect to it with client cert and send data periodically.
    MQTT looks like a better suit, because for each data report you won't need a response, really.

  • iH8c0ff33 (Italy)
    edited February 14
    Sergey said:

    So you need it the other way around.
    A local server would be a WebSocket server (or MQTT server) configured for mutual TLS.

    ESP would connect to it with client cert and send data periodically.
    MQTT looks like a better suit, because for each data report you won't need a response, really.

    Yes, that's exactly what I need, but the ESP would also be a server, even if only for RPC, in order to start and stop the data recording. I don't know about MQTT: is the TCP socket always open, or does it require a new one for every message? Because, as I said before, I need to send a lot of data really quickly.
    PS: Is there any websocket client documentation?

  • Sergey (Dublin, Ireland)

    You can not only report data via MQTT, you can also send RPC via MQTT.

    See https://mongoose-os.com/blog/secure-remote-device-management-with-mongoose-os-and-aws-iot-for-esp32-esp8266-ti-cc3200-stm32/

    AWS IoT uses mutual TLS

    Basically, just setup a local mosquitto server with mTLS, and you're set. Forget about websocket.

  • Sergey said:

    You can not only report data via MQTT, you can also send RPC via MQTT.

    See https://mongoose-os.com/blog/secure-remote-device-management-with-mongoose-os-and-aws-iot-for-esp32-esp8266-ti-cc3200-stm32/

    AWS IoT uses mutual TLS

    Basically, just setup a local mosquitto server with mTLS, and you're set. Forget about websocket.

    Thanks! That is absolutely perfect, would I get to know instantly that a client has disconnected?
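
Sergey's suggestion above ("set up a local mosquitto server with mTLS") turns the architecture around: the broker holds the CA certificate and demands a client certificate from every ESP that connects. The script below is an added example, not code from the thread or from the Mongoose OS or mosquitto projects, that writes two mosquitto listener configurations side by side, one with server-side TLS only and one requiring mutual TLS, and a small audit function that tells them apart. The listener port 8883, the paths under /etc/mosquitto/certs and the temporary directory are assumptions; the directive names are mosquitto's own (`cafile`, `certfile`, `keyfile`, `require_certificate`, `use_identity_as_username`, `allow_anonymous`).

```shell
#!/bin/sh
# Added example, not from the thread or the mosquitto project: two listener
# configs, TLS-only versus mutual TLS, and an audit function. The certificate
# paths are assumptions; point them at the files issued by your own CA.
set -eu

# TLS only: the broker proves its identity to the device, but anything that
# trusts the CA can connect. Enough for a quick test, not for mTLS.
write_tls_only_conf() {
  cat > "$1" <<'EOF'
listener 8883
cafile /etc/mosquitto/certs/ca.cert.pem
certfile /etc/mosquitto/certs/server.cert.pem
keyfile /etc/mosquitto/certs/server.key.pem
EOF
}

# Mutual TLS: the broker now requires a client certificate chaining to cafile
# and takes the certificate's CN as the MQTT username, so the device identity
# comes from the certificate rather than from a password.
write_mtls_conf() {
  cat > "$1" <<'EOF'
listener 8883
cafile /etc/mosquitto/certs/ca.cert.pem
certfile /etc/mosquitto/certs/server.cert.pem
keyfile /etc/mosquitto/certs/server.key.pem
require_certificate true
use_identity_as_username true
allow_anonymous false
EOF
}

# check_mtls_conf FILE: 0 only when every directive mutual TLS needs is present
# with the expected value; 1 as soon as one is missing.
check_mtls_conf() {
  f=$1
  for key in cafile certfile keyfile; do
    grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$f" || return 1
  done
  grep -Eq '^[[:space:]]*require_certificate[[:space:]]+true' "$f" || return 1
  grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+false' "$f" || return 1
  return 0
}

# Stand-alone demo: write both configs to a temp dir and audit each one.
demo() {
  t=$(mktemp -d)
  write_tls_only_conf "$t/tls-only.conf"
  write_mtls_conf "$t/mtls.conf"
  for c in tls-only mtls; do
    if check_mtls_conf "$t/$c.conf"; then
      echo "$c.conf: mutual TLS enforced"
    else
      echo "$c.conf: client certificate NOT required"
    fi
  done
  rm -rf "$t"
}
demo
```

With the mTLS listener in place, a client presenting `client.cert.pem`/`client.key.pem` issued by the same CA is admitted and shows up under its CN, while a connection without a certificate, or with one the CA never signed, is rejected during the TLS handshake before any MQTT packet is processed; that is what the thread's `http.ssl_ca_cert` setting achieves on the device side, now done on the broker.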
