diff --git a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp
index ff87d3112..6f66915f3 100755
--- a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp
+++ b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp
@@ -204,6 +204,8 @@ void WiFiClientSecure_light::_clear() {
   _ta_P = nullptr;
   _ta_size = 0;
   _max_thunkstack_use = 0;
+  _alpn_names = nullptr;
+  _alpn_num = 0;
 }
 
 // Constructor
@@ -949,8 +951,6 @@ extern "C" {
     // we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
     br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO
 #endif
-    static const char * alpn_mqtt = "mqtt";
-    br_ssl_engine_set_protocol_names(&cc->eng, &alpn_mqtt, 1);
   }
 }
 
@@ -983,6 +983,9 @@ bool WiFiClientSecure_light::_connectSSL(const char* hostName) {
   _eng = &_sc->eng; // Allocation/deallocation taken care of by the _sc shared_ptr
   br_ssl_client_base_init(_sc.get());
+  if (_alpn_names && _alpn_num > 0) {
+    br_ssl_engine_set_protocol_names(_eng, _alpn_names, _alpn_num);
+  }
 
   // ============================================================
   // Allocatte and initialize Decoder Context
diff --git a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h
index d0ff43407..3736749ab 100755
--- a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h
+++ b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h
@@ -93,6 +93,12 @@ class WiFiClientSecure_light : public WiFiClient {
     void setTrustAnchor(const br_x509_trust_anchor *ta, size_t ta_size);
 
+    void setALPN(const char **names, size_t num) {
+      // set ALPN extensions, used mostly by AWS IoT on port 443. Need to be static pointers
+      _alpn_names = names;
+      _alpn_num = num;
+    }
+
     // Sets the requested buffer size for transmit and receive
     void setBufferSizes(int recv, int xmit);
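Review bot: The call to `br_ssl_engine_set_protocol_names(_eng, _alpn_names, _alpn_num)` hands the engine a pointer, and BearSSL keeps that pointer rather than copying the names, so `_alpn_names` (and every string it points to) must stay valid for the whole session, not just until this statement returns; the only record of that precondition is a comment on `setALPN` in the header. A call-site note such as `// BearSSL stores the pointer, not a copy: _alpn_names must outlive the session (see setALPN)` would keep the next maintainer from handing in a stack array. Nothing visible after the handshake inspects `br_ssl_engine_get_selected_protocol(_eng)`; if a server that silently ignores ALPN is acceptable that is fine, but if the protocol is required by the caller it should be verified once the handshake completes, which is outside this hunk. `_connectSSL` continues beyond the hunk.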
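Review bot: `setALPN` stores the caller's array and string pointers without copying or validating them, and the inline comment is the only statement of the lifetime requirement; a `num > 0` paired with a null `names` is caught only by the guard in `_connectSSL`, not here. I would replace the comment with a short contract: `// Sets the ALPN protocol list offered in ClientHello. 'names' (and each string) is kept by pointer and must remain valid for the lifetime of this object and every connection it opens (use static storage). Pass nullptr/0 to disable.` The surrounding class declaration continues outside the hunk.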
@@ -165,6 +171,10 @@ class WiFiClientSecure_light : public WiFiClient {
     // record the maximum use of ThunkStack for monitoring
     size_t _max_thunkstack_use;
 
+    // ALPN
+    const char ** _alpn_names;
+    size_t _alpn_num;
+
 };
 
 #define ERR_OOM -1000
@@ -237,6 +247,44 @@ class WiFiClientSecure_light : public WiFiClient {
 // #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
 // #define BR_ERR_X509_NOT_TRUSTED 62
 
+// Alert types for TLSContentType.ALERT messages
+// See RFC 8466, section B.2
+
+// CLOSE_NOTIFY = 0
+// UNEXPECTED_MESSAGE = 10
+// BAD_RECORD_MAC = 20
+// DECRYPTION_FAILED = 21
+// RECORD_OVERFLOW = 22
+// DECOMPRESSION_FAILURE = 30
+// HANDSHAKE_FAILURE = 40
+// NO_CERTIFICATE = 41
+// BAD_CERTIFICATE = 42
+// UNSUPPORTED_CERTIFICATE = 43
+// CERTIFICATE_REVOKED = 44
+// CERTIFICATE_EXPIRED = 45
+// CERTIFICATE_UNKNOWN = 46
+// ILLEGAL_PARAMETER = 47
+// UNKNOWN_CA = 48
+// ACCESS_DENIED = 49
+// DECODE_ERROR = 50
+// DECRYPT_ERROR = 51
+// EXPORT_RESTRICTION = 60
+// PROTOCOL_VERSION = 70
+// INSUFFICIENT_SECURITY = 71
+// INTERNAL_ERROR = 80
+// INAPPROPRIATE_FALLBACK = 86
+// USER_CANCELED = 90
+// NO_RENEGOTIATION = 100
+// MISSING_EXTENSION = 109
+// UNSUPPORTED_EXTENSION = 110
+// CERTIFICATE_UNOBTAINABLE = 111
+// UNRECOGNIZED_NAME = 112
+// BAD_CERTIFICATE_STATUS_RESPONSE = 113
+// BAD_CERTIFICATE_HASH_VALUE = 114
+// UNKNOWN_PSK_IDENTITY = 115
+// CERTIFICATE_REQUIRED = 116
+// NO_APPLICATION_PROTOCOL = 120
+
 };
 
 #endif // USE_TLS
diff --git a/tasmota/xdrv_02_9_mqtt.ino b/tasmota/xdrv_02_9_mqtt.ino
index 181917fa1..f5302330f 100644
--- a/tasmota/xdrv_02_9_mqtt.ino
+++ b/tasmota/xdrv_02_9_mqtt.ino
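Review bot: The new members `_alpn_names` and `_alpn_num` have no in-class initializer, so the disabled state depends on `_clear()` running on every construction path, which this hunk cannot show; `const char ** _alpn_names = nullptr;` and `size_t _alpn_num = 0;` would make the default safe regardless of construction order. The `// ALPN` comment could also say what the members hold and who owns it, e.g. `// ALPN protocol names offered to the server (not owned; caller must keep them in static storage)`. The class body starts before the hunk.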
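Review bot: The reference in `// See RFC 8466, section B.2` looks like a typo: the TLS 1.3 AlertDescription list is Appendix B.2 of RFC 8446, and RFC 8466 is unrelated. Since every value is commented out, nothing can map an incoming alert (for example `NO_APPLICATION_PROTOCOL = 120`, which a server typically sends when none of the offered ALPN names match) to a readable error; if the list is meant as reference material only, saying so in the header comment, `// reference only, not used in code`, avoids a reader expecting an enum here.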
@@ -216,6 +216,12 @@ void MqttInit(void) {
   tlsClient = new BearSSL::WiFiClientSecure_light(1024,1024);
 #endif
+#ifdef USE_MQTT_AWS_IOT_LIGHT
+  if (443 == Settings->mqtt_port) {
+    static const char * alpn_mqtt = "mqtt";   // needs to be static
+    tlsClient->setALPN(&alpn_mqtt, 1);        // need to set alpn to 'mqtt' for AWS IoT
+  }
+#endif
 
 #ifdef USE_MQTT_AWS_IOT
   loadTlsDir();   // load key and certificate data from Flash
   if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
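Review bot: ALPN is enabled solely because `Settings->mqtt_port` equals 443, so any TLS broker reached on port 443 under `USE_MQTT_AWS_IOT_LIGHT` is offered `mqtt` as the only protocol; a broker that implements ALPN but does not know that name will abort the handshake with no_application_protocol, while one that ignores ALPN connects as before. If that coupling is intentional it deserves a comment next to the condition, e.g. `// AWS IoT on port 443 requires ALPN "mqtt"; other brokers on 443 must accept or ignore it`, and it is worth noting that the decision is taken once in `MqttInit`, so a later change of the port setting presumably only takes effect if `MqttInit` runs again. The `static` on `alpn_mqtt` is required because `setALPN` keeps `&alpn_mqtt` rather than a copy; the comment would be clearer as `// static: setALPN stores the address of this pointer, not a copy`. The rest of `MqttInit` lies outside the hunk.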