ESP32 V4.4/release: How to force a specific curve for my tls handshake during MQTT?

irfan93
Posts: 4
Joined: Thu Jul 07, 2022 2:05 pm

ESP32 V4.4/release: How to force a specific curve for my tls handshake during MQTT?

Postby irfan93 » Fri Apr 19, 2024 2:15 pm

Hello,

So currently I am my development is based on esp-idf V4.4/release and unfortunately due to dependencies and time constraint, I am not able to update this to the latest version.

I am here to ask help on How to guide:
1. Hardware: ESP32 WROOM32D
2. I am using MQTT connection to do DPS(Device Provisioning Service) with the cloud server.
3. I have an ATECC608A security chip on my hardware that I am using as my client certificate generator.
4. I am using mbedtls as my tls layer integration.
5. Previous Task watchdog timer = 5 seconds; current Task watchdog timer = 15 seconds.
6. MQTT timeout previous = 20 seconds; current MQTT timeout = 35 seconds.

Issue: My cloud server provider is Azure. So when MQTT is initiated with transport layer being SSL/TLS, during TLS handshake, the client(my device) and the server will negotiate between a list of cipher suites/curves to be used for encryption where previously Azure used to select secp384r1 as the intended curve which is around 380+ bits per axis and the handshake is usually successful within the 5 seconds and everything was fine.

Recently Azure as part of their OS update intended to update their cipher suites/curves prioritization such that a much complex encryption brainpoolP512r1 is selected. This curve is supported on my device on the configuration level but my devices started failing due to the handshake being longer than 5 seconds and as such my task gets reset which leads to the device never being able to successfully complete dps.

Now I have updated my device's firmware such that I have a longer timeout for my dps mqtt task and my task watchdog is also triple to its value. The problem is that currently Azure have put a temporary solution that during dps that causes their server to choose secp384r1 which doesn't let me test my current code fixes.

My question is that how can I force my mqtt config to force itself to use only the curve brainpoolP512r1 in the esp-idf v4.4? I believe there are various way to do this in the latest esp-idf version 5.1 and above.

Note: I have tried disabling all curves in my mbedtls configuration but I am unable to disable secp256r1 as I am using it for interaction with the security chip ATECC608A.

Who is online

Users browsing this forum: Baidu [Spider] and 261 guests