Wled: Add MQTTS

Created on 16 Nov 2020 · 7 Comments · Source: Aircoookie/WLED

Is your feature request related to a problem? Please describe.
MQTT isn't secure.

Describe the solution you'd like
Add MQTTS and the possibility to apply SSL credentials, e.g. an SSL fingerprint.

Describe alternatives you've considered
There is no alternative to encryption.

Labels: discussion, enhancement, help wanted

All 7 comments

This is an ESP32-only request - at the moment. Perhaps eventually it will be a raspberry pi request, or some other microcontroller based system with enough processing power and memory to handle certificates AND certificate management. Since certs have an end date, they need to get updated in a secure way as well. All these things drive up the complexity and hardware requirements.

ESP8266 is not capable of handling HTTPS/MQTTS, and I think most WLED systems are running on ESP8266s, so while in certain applications this request is important, there are other ways to enhance security.

@huggy-d1 is correct. I've attempted making a TLS connection on an ESP8266 and it only works if literally nothing else runs on the system, as there is no hardware acceleration and way too little free RAM.

On an ESP32, supporting secure MQTT is possible, though cert management remains an issue. Usually Arduino sketches just use a hardcoded fingerprint for the specific server they want to contact, which frankly sucks because it expires after a year or so and is only valid for that specific server. The alternative is not verifying the server signature at all, which gives you encryption, but is of limited use since you can't verify the authenticity of the server you are connecting to.

I'm very keen if someone has good ideas on this point :)

MQTTS as a client on an ESP8266 is possible.
Have a look at https://github.com/fablab-ka/co2-ampel/blob/master/Software/co2ampel/data/config.json
I would like to have the option to add MQTTS credentials in WLED to connect to my MQTTS broker.

Of course it is possible, just not with the overhead of hosting a full embedded webserver, filesystem and driving potentially more than 1k individually addressable LEDs. And if it barely works, it would drastically reduce stability.

Security should of course be a given in 2020, but it's only possible when there are enough resources. Given that no sensitive data is transmitted, stability is more important for this project at this point.

I would however accept a PR that adds it optionally with a compile time define :)

I just checked your link. They cheated. Hard-coded the SSL fingerprint into the firmware. It is not at all what you think it is, and in a short period of time, your MQTTS server will stop accepting SSL data from an esp8266 using this software.
That said, if your desire to use WLED is seasonal, that solution should work fine.

I think there are two possible options that may still be feasible.
1) TLS-PSK (a la mosquitto) - not entirely sure whether there are any libraries that support this on any modern platform, unfortunately.
2) saving the fingerprint of the server's public key (or even the entire public key), not the entire certificate. If you keep the same private and public keypair across certificate renewals, even though the validity period changes, and therefore the signature changes, and thus the fingerprint of the certificate as a whole, you are not giving up a whole lot of security in the process.

Creating a self-signed certificate manually so you can use the same key fingerprint for extended periods of time?
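The public-key pinning proposed as option 2 above, the hard-coded certificate fingerprint that expires after a year (discussed earlier in the thread), and the long-lived self-signed certificate asked about in the last comment, worked through as an added example. This is not WLED code and not from any of the commenters: a broker operator issues a year-one and a year-two self-signed certificate from the same key pair; the hash over the whole certificate (what the usual Arduino sketch pins) changes on renewal, while the hash over the SubjectPublicKeyInfo does not, so a device that stored the key hash keeps connecting after renewal and still rejects a certificate issued from a different key. The broker name mqtt.example.lan, the P-256 key, the issue dates and the impostor certificate are all constructed for this example; the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error to keep the demo short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSign issues a self-signed server certificate for key; reusing key models a renewal without key rotation.
func selfSign(key *ecdsa.PrivateKey, notBefore time.Time, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: "mqtt.example.lan"}, // assumed broker name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func hexSHA256(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// certFingerprint is what the usual sketch hard-codes: a hash over the whole DER certificate,
// which changes on every renewal because the validity dates, serial and signature change.
func certFingerprint(c *x509.Certificate) string { return hexSHA256(c.Raw) }

// spkiFingerprint hashes only the SubjectPublicKeyInfo, so it is stable while the key pair is kept.
func spkiFingerprint(c *x509.Certificate) string { return hexSHA256(c.RawSubjectPublicKeyInfo) }

// verifyPinnedKey is the check a pinning client runs on the leaf certificate from the handshake.
// The pin itself never expires, so the certificate's own validity window is still enforced.
func verifyPinnedKey(rawLeaf []byte, pinnedSPKI string, now time.Time) error {
	cert, err := x509.ParseCertificate(rawLeaf)
	if err != nil {
		return err
	}
	if spkiFingerprint(cert) != pinnedSPKI {
		return errors.New("broker public key does not match the pinned key")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("broker certificate is outside its validity period")
	}
	return nil
}

// pinnedTLSConfig wires the check into a TLS client. InsecureSkipVerify only disables chain
// building (a self-signed broker certificate has no CA); VerifyPeerCertificate still runs.
func pinnedTLSConfig(pinnedSPKI string) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPinnedKey(rawCerts[0], pinnedSPKI, time.Now())
		},
	}
}

// scenario records what happens across one renewal, plus an impostor with its own key.
type scenario struct {
	CertHashChanged  bool  // whole-certificate fingerprint differs after renewal
	SPKIHashSame     bool  // public-key fingerprint survives renewal
	RenewedAccepted  error // pin check on the renewed cert (nil means accepted)
	ExpiredRejected  error // pin check on the year-one cert after it expired
	ImpostorRejected error // pin check on a cert issued from a different key
}

func renewalScenario() scenario {
	brokerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	impostorKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	issued := time.Date(2020, 11, 16, 0, 0, 0, 0, time.UTC) // constructed dates
	year1 := selfSign(brokerKey, issued, 365)
	year2 := selfSign(brokerKey, issued.AddDate(1, 0, 0), 365)
	impostor := selfSign(impostorKey, issued.AddDate(1, 0, 0), 365)
	pin := spkiFingerprint(year1)  // what the device stores when it is provisioned
	now := issued.AddDate(1, 1, 0) // a month after the year-one certificate expired
	return scenario{
		CertHashChanged:  certFingerprint(year1) != certFingerprint(year2),
		SPKIHashSame:     spkiFingerprint(year2) == pin,
		RenewedAccepted:  verifyPinnedKey(year2.Raw, pin, now),
		ExpiredRejected:  verifyPinnedKey(year1.Raw, pin, now),
		ImpostorRejected: verifyPinnedKey(impostor.Raw, pin, now),
	}
}

func main() {
	fmt.Printf("%+v\n", renewalScenario())
}
```

Only the SPKI hash has to live in device configuration, and it stays valid across renewals as long as the broker keeps its key pair; the cost is that a key rotation invalidates every device's pin, which is the management burden the thread is weighing. A long-lived self-signed certificate does not remove that cost, it only stretches the interval, and the pin check above still enforces the certificate's validity window so an expired certificate is refused rather than silently accepted. On the ESP8266 Arduino core, BearSSL::WiFiClientSecure::setKnownKey() applies the same idea with the broker's public key itself instead of a hash.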
