Wled: MQTT authentication support

Created on 12 Nov 2018 · 10 Comments · Source: Aircoookie/WLED

would you like to add support for username and password to mqtt broker in the future?

enhancement

All 10 comments

From a security standpoint this wouldn't make any sense without also adding transport layer security, since username and password are transmitted in the clear. Secure connections come with a big overhead on the ESP8266, so pursuing them is not a top priority. If I implement secure connections later (perhaps ESP32 only, it depends), MQTT auth will certainly be added. For the near future, I might add username support, but not for password, since the connection is unsafe anyway. Users who use the same password for other services might get into trouble, so I'm not adding it until the whole transmission is more secure.

Ok. Thanks for the answer. You're doing a great job here. Thanks.

Add in wled00.ino:

char MQTT_USER[33] = "";
char MQTT_PASS[65] = "";

And following change in wled17_mqtt.ino

bool reconnectMQTT()
{
  if (mqtt->connect(escapedMac.c_str(), MQTT_USER, MQTT_PASS))
.
.
.

@Aircoookie Let me know if you want me to create a PR for this.

@debsahu your solution is valid, yet I don't want to just add the feature at this time because the password is broadcast in the clear every time a connection is made. However, I'm considering adding it in the next version, clearly warning the user that the "password" is NOT safe in this implementation.

In the meantime @phamre and anyone interested: feel free to use debsahu's code, it will work without problems. Choose a password that you use absolutely nowhere else and be aware that you might as well not use any authentication.
(consider this a workaround in case the broker is setup to absolutely require auth)
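To make concrete what "broadcast in the clear" means in the two comments above, here is an added example, not code from WLED or from PubSubClient: it builds the MQTT 3.1.1 CONNECT packet that a call such as mqtt->connect(clientId, user, pass) puts on the wire, then searches the raw bytes for the password exactly as a passive observer on the same network would. The client id "WLED-aabbcc", the user "wled" and the password "hunter2" are constructed values.

```cpp
// Added example (not WLED or PubSubClient code): encode an MQTT 3.1.1
// CONNECT packet and show that username and password travel as plain bytes.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// MQTT length-prefixed UTF-8 string: 2-byte big-endian length, then bytes.
static void putString(std::vector<uint8_t>& out, const std::string& s) {
    out.push_back(static_cast<uint8_t>((s.size() >> 8) & 0xFF));
    out.push_back(static_cast<uint8_t>(s.size() & 0xFF));
    out.insert(out.end(), s.begin(), s.end());
}

// MQTT "remaining length" varint: 7 bits per byte, high bit = continuation.
static void putRemainingLength(std::vector<uint8_t>& out, size_t len) {
    do {
        uint8_t b = static_cast<uint8_t>(len % 128);
        len /= 128;
        if (len > 0) b |= 0x80;
        out.push_back(b);
    } while (len > 0);
}

// Build the CONNECT packet for a clean session with optional credentials.
std::vector<uint8_t> buildConnect(const std::string& clientId,
                                  const std::string& user,
                                  const std::string& pass,
                                  uint16_t keepAlive = 15) {
    std::vector<uint8_t> body;
    putString(body, "MQTT");          // protocol name
    body.push_back(0x04);             // protocol level 4 = MQTT 3.1.1
    uint8_t flags = 0x02;             // clean session
    if (!user.empty()) flags |= 0x80; // username flag
    if (!pass.empty()) flags |= 0x40; // password flag
    body.push_back(flags);
    body.push_back(static_cast<uint8_t>(keepAlive >> 8));
    body.push_back(static_cast<uint8_t>(keepAlive & 0xFF));
    putString(body, clientId);        // payload: client id, then credentials
    if (!user.empty()) putString(body, user);
    if (!pass.empty()) putString(body, pass);

    std::vector<uint8_t> pkt;
    pkt.push_back(0x10);              // fixed header: CONNECT, flags 0
    putRemainingLength(pkt, body.size());
    pkt.insert(pkt.end(), body.begin(), body.end());
    return pkt;
}

// Byte offset of the first occurrence of `needle` in the packet, or -1.
// This is all a sniffer on the LAN has to do to recover the credentials.
long findPlaintext(const std::vector<uint8_t>& pkt, const std::string& needle) {
    std::string hay(pkt.begin(), pkt.end());
    size_t pos = hay.find(needle);
    return pos == std::string::npos ? -1 : static_cast<long>(pos);
}

int main() {
    std::vector<uint8_t> pkt = buildConnect("WLED-aabbcc", "wled", "hunter2");
    for (uint8_t b : pkt) std::printf("%02x ", b);
    std::printf("\nusername at offset %ld, password at offset %ld\n",
                findPlaintext(pkt, "wled"), findPlaintext(pkt, "hunter2"));
    return 0;
}
```

The packet is 40 bytes and the password starts at byte 33, right after its two-byte length prefix; nothing in the CONNECT exchange hashes or otherwise protects it, which is why the only real fix is TLS on the transport.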

@Aircoookie I see what you are saying. The mosquitto server that everyone sets up is slightly different, some have username & password and TLS etc. I suspect most of the people connect to a MQTT server locally (e.g., Mosquitto or Mosca on a RPi) which may not be accessible to outside network for a man-in-the-middle attack. Data flowing encrypted should be fine for most users of your fantastic project here. That being said, someone has been successful in getting TLS on ESP8266 using PubSubClient.

Another suggestion is to move from PubSubClient to AsyncMQTT with native SSL/TLS support and completely async. The only issue is it requires flags for compiling for SSL support which is only possible via PIO and not ArduinoIDE.

I have not tested SSL/TLS for ESP8266 at all, but ESP32 should be able to do SSL/TLS with no issues.

I think I figured out TLSv1.2 2-way handshake on ESP8266 and ESP32 connecting to a letsencrypt secured mosquitto server. I will create a video tutorial soon. Maybe @Aircoookie can implement the secured MQTT once I get everything in order.

@phamre Please have a look at https://github.com/debsahu/ESP_MQTT_Secure to secure that MQTT connection. Video instructions included!

@debsahu thanks. I will look at it tomorrow.

I looked for a complete simple solution for LEDs automation, tested DrZzs and The Hook Up variants, and found this great project. @Aircoookie, thank you for your great neat work.

I use Home Assistant with the Mosquitto add-on. Mosquitto allows connecting to it anonymously, but in this case an anonymous client can't write data, it can only read. So authentication is required to use the full MQTT functionality, and the WLED client can't publish any data to Mosquitto without authentication, as far as I can check it with MQTT Explorer.

I found here @debsahu's workaround code to add to wled00.ino and wled17_mqtt.ino. But I'm not a coder at all and I'm not sure in what part of wled17_mqtt.ino I should add this code:

bool reconnectMQTT()
{
  if (mqtt->connect(escapedMac.c_str(), MQTT_USER, MQTT_PASS))

Thanks.
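The broker behaviour described in the previous comment (anonymous clients may subscribe but not publish, a named user may do both) is the standard Mosquitto "allow_anonymous plus ACL" setup. The following is an added example of a stand-alone mosquitto.conf and ACL file reproducing it; it is not taken from the WLED project or from the Home Assistant add-on, whose files are generated for you. The listener port, file paths, the topic prefix wled/# and the user name wled are assumptions.

```conf
# Added example, not WLED or Home Assistant add-on configuration.
# ---- /etc/mosquitto/mosquitto.conf (assumed path) ----
listener 1883
# Mosquitto 2.x defaults to allow_anonymous false once a listener is declared,
# so it must be enabled explicitly to get the read-only anonymous behaviour.
allow_anonymous true
# Hashed credentials; create the entry for the assumed user "wled" with:
#   mosquitto_passwd -c /etc/mosquitto/passwd wled
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (assumed path) ----
# Topic lines before the first "user" line apply to anonymous clients:
# they may subscribe to the WLED topics but every PUBLISH is rejected.
topic read wled/#

# Lines after a "user" line apply only to that authenticated user.
user wled
topic readwrite wled/#
```

The plaintext caveat from earlier in the thread still applies: this ACL only stops an unauthenticated client from publishing; anyone who can sniff the CONNECT packet on the same network obtains the wled credentials and gains the readwrite grant, so treat the password as unique to this broker.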

I get an error when I add if (mqtt->connect(escapedMac.c_str(), MQTT_USER, MQTT_PASS)) to wled17_mqtt.ino?
