This may not be a real bug report (yet), but I've just failed to test my idea of how to save precious memory with a TLS connection, and I don't know if it is my fault or NodeMCU's. In #1699 I found out that MQTT over a secure connection takes about 17 kB of memory on the heap. The idea is to try out installing an ECC certificate on the MQTT server to see if it saves memory on the NodeMCU client as well.
ECC https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography uses 6-30 times shorter keys (e.g. 224 bytes instead of 2 kB) so there's hope to save memory, right?
Expected behavior: NodeMCU MQTT connects and proceeds normally.
Actual behavior: MQTT fails to connect with reason = -5.
FYI, at the same time the Mosquitto on the server reports this:
1522578760: Client connection failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.
m = mqtt.Client(node.chipid(), 120)  -- client id = chip id, keepalive 120 s
-- host, port 8883, secure = 1, autoreconnect = 0, then success and failure callbacks
m:connect("eccbroker", 8883, 1, 0, function(c) print("OK") end, function(c, r) print(r) end)
mosquitto_pub connects OK so the broker is configured well.
NodeMCU used to connect to my broker OK until I replaced the SSL certificates with ECC ones (generated by LE using ACME.sh).
Lua 5.1.4 on SDK 2.2.1(cfd48f3)
branch: dev commit: 9af4f58417103a21d31f70fc6e44bfba55d36789
plain ESP8266 v07
Ah, NodeMCU documentation in "TLS" chapter says ECDSA-based cipher suites are disabled by default.
Can they be enabled?
There are some cipher suite configs in app/include/user_mbedtls.h mentioned in the docs right below that sentence and the full config in app/include/mbedtls/config.h.
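The Mosquitto error above ("no shared cipher") and the note in the docs that ECDSA suites are off by default describe the same thing: a server with an EC certificate can only pick a cipher suite whose authentication algorithm is ECDSA, so a client that offers only RSA-authenticated suites leaves nothing in common. The following Python model of that selection step is an added example, not code from this issue or from the NodeMCU project; the suite names follow the mbedtls naming convention, and the sample client and broker lists are constructed for illustration, not NodeMCU's or Mosquitto's real defaults.

```python
"""Model of TLS cipher-suite selection by server certificate key type.

Added example (not NodeMCU or mbedtls code). It shows why a broker with
an ECDSA certificate answers "no shared cipher" to a client whose
offered suites are all RSA-authenticated, and how enabling ECDHE-ECDSA
suites on the client fixes that. Suite lists below are constructed.
"""
from typing import Optional, Sequence

# Which certificate key type can authenticate which suite family.
CERT_SATISFIES = {
    "EC": {"ECDSA"},
    "RSA": {"RSA"},
}


def auth_algorithm(suite: str) -> str:
    """Return the authentication algorithm an mbedtls-style suite needs.

    Names look like TLS-<KX>-<AUTH>-WITH-<CIPHER>-<MAC> (e.g. ECDHE-ECDSA,
    DHE-RSA) or TLS-RSA-WITH-... where RSA is both key exchange and auth.
    Only ephemeral (ECDHE/DHE), plain RSA and PSK suites are modelled.
    """
    if not suite.startswith("TLS-") or "-WITH-" not in suite:
        raise ValueError(f"not an mbedtls-style suite name: {suite}")
    tokens = suite[len("TLS-"):].split("-WITH-")[0].split("-")
    if "PSK" in tokens:
        return "PSK"  # pre-shared key: no certificate involved
    if tokens[0] == "ECDH":
        # static ECDH suites name the CA's algorithm, not the key; out of scope
        raise ValueError(f"static ECDH suites are not modelled: {suite}")
    return tokens[-1]


def negotiate(server_key_type: str,
              client_suites: Sequence[str],
              server_suites: Sequence[str]) -> Optional[str]:
    """Pick the first server-preferred suite the client offers and the
    server's certificate can authenticate; None means "no shared cipher"."""
    allowed = CERT_SATISFIES[server_key_type] | {"PSK"}
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered and auth_algorithm(suite) in allowed:
            return suite
    return None


# Constructed sample lists (assumptions, not real firmware/broker configs).
RSA_ONLY_CLIENT = [
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
    "TLS-RSA-WITH-AES-128-CBC-SHA",
]
ECDSA_ENABLED_CLIENT = RSA_ONLY_CLIENT + [
    "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
]
BROKER_SUITES = [
    "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
]


def diagnose(server_key_type: str, client_suites: Sequence[str]) -> str:
    """Human-readable verdict for a given broker key type and client offer."""
    chosen = negotiate(server_key_type, client_suites, BROKER_SUITES)
    if chosen is None:
        return f"{server_key_type} certificate: no shared cipher"
    return f"{server_key_type} certificate: negotiated {chosen}"


if __name__ == "__main__":
    print(diagnose("RSA", RSA_ONLY_CLIENT))       # works with the old RSA cert
    print(diagnose("EC", RSA_ONLY_CLIENT))        # the failure seen in this issue
    print(diagnose("EC", ECDSA_ENABLED_CLIENT))   # after enabling ECDSA suites
```

The model ignores TLS version, curve and signature-algorithm negotiation, which can also empty the intersection; it isolates the single mismatch this issue hit, the certificate key type versus the client's suite list.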
I've just made this point on another issue, but I've really got to ask myself: do we expect Lua application developers to implement TLS or MQTT over TLS without it?
If the answer is no, then at some point in the near future, we should just embrace the fact that you can't run TLS without LFS enabled and exploit LFS to simplify the implementation.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
ECDSA ciphers are now enabled in TLS and I have successfully brought up MQTT connections using them, but only with LFS; even my modest application running in RAM was enough to deplete memory too much for TLS negotiation.