[MQTT TLS] Add TLS support for MQTT

docs/source/Controller/C016.rst

@@ -45,7 +45,7 @@ Each time a plugin sends data to this controller, a sample set is stored.
 
 A typical sample set contains:
 
-- Timestamp (Default: Unix Time, but can be switched to "local time" in the controller settings)
+- Timestamp (Default: Unix Time, but can be switched to "local time" in the controller settings with the "Use Local System Time" checkbox)
 - task index delivering the data
 - 4 float values
 

docs/source/Controller/_Controller.rst

@@ -76,6 +76,28 @@ before WiFi connection is made or during lost connection.
   For almost all controllers, sending data is a blocking call, so it may halt execution of other code on the node.
   With timouts longer than 2 seconds, the ESP may reboot as the software watchdog may step in.
 
+TLS configuration
+-----------------
+
+Added: 2024-10-02
+
+Some protocols like MQTT may use TLS to provide a secure connection to the host.
+Where the default port for not encrypted connections to a MQTT broker is port 1883, its TLS counterpart is by default using port 8883.
+
+.. note:: The current (2024-10-02) implementation does only allow to set to use TLS for MQTT controllers. There is not yet a proper validation of the used certificate.
+
+Future implementations will add various ways to validate the used certificates using:
+
+- Root CA, allowing to validate whether a certificate was signed by a known certificate authority (CA).
+- Fingerprint, check whether a certificate is still the same as before.
+- Check whether a certificate has expired.
+
+To summarize, the current implementation does allow to encrypt the connection to the MQTT broker.
+However a man-in-the-middle attack is still perfectly possible as the used certificates are not validated.
+
+This does make using it extremely simple as even self-signed certificates can be used.
+However do not consider this to be a 'secure' method since some attacker can redirect to another host and serve some false certificate.
+
 
 
 Sample ThingSpeak configuration

lib/lib_ssl/bearssl-esp8266/bearssl_esp8266-customized.txt

@@ -0,0 +1,13 @@
+This library is adapted from bearssl-esp8266 to avoid conflict with the
+BearSSL headers in Arduino Core.
+
+To recreate, copy all original 'src/' and 'inc/' into 'src/' lib.
+
+Then rename the following:
+ - "bearssl with "t_bearssl
+ - "inner with "t_inner
+ - "config with "t_config
+
+Add the customized files in src/:
+ - t_bearssl_tasmota_config.h
+ - pgmspace_bearssl.h

lib/lib_ssl/bearssl-esp8266/conf/esp8266.mk

@@ -0,0 +1,21 @@
+# Configuration for compiling to an ESP8266 from a UNIX system
+
+# We are on a Unix system so we assume a Single Unix compatible 'make'
+# utility, and Unix defaults.
+include conf/Unix.mk
+
+# We override the build directory.
+BUILD = esp8266
+
+# C compiler, linker, and static library builder.
+TOOLCHAIN_PREFIX := xtensa-lx106-elf-
+CC := $(TOOLCHAIN_PREFIX)gcc
+CFLAGS = -W -Wall -g -O2 -Wpointer-arith -Wl,-EL -nostdlib -mlongcalls -mno-text-section-literals -ffunction-sections -fdata-sections -Werror
+CFLAGS += -D__ets__ -DICACHE_FLASH -DESP8266 -DBR_SLOW_MUL15=1
+LD := $(TOOLCHAIN_PREFIX)ld
+AR := $(TOOLCHAIN_PREFIX)ar
+
+# We compile only the static library.
+DLL = no
+TOOLS = no
+TESTS = no

lib/lib_ssl/bearssl-esp8266/library.properties

@@ -0,0 +1,9 @@
+name=BearSSL
+version=0.6
+author=Thomas Pornin <[email protected]>
+maintainer=Earle F. Philhower, III <[email protected]>
+sentence=BearSSL implementation of the SSL/TLS protocol optimized for ESP8266 by Earle F. Philhower, optimized for Tasmota by Stephan Hadinger
+paragraph=
+category=Other
+url=https://github.com/earlephilhower/bearssl-esp8266.git
+architectures=esp8266,esp32