Switching from SSL/TLS to mTLS
Posted: Mon May 01, 2023 8:19 pm
by mzincali
Hi. I am just starting to research what it would take to have my ESP32 program which uses WiFiClientSecure, to use mTLS instead. I'm not sure where to start. I looked at
https://docs.espressif.com/projects/esp ... p_tls.html, but that looks like what is supporting WiFiClientSecure, if I am not mistaken. What more do I need to move to mTLS?
Thank you.
Re: Switching from SSL/TLS to mTLS
Posted: Tue May 02, 2023 11:08 am
by a2800276
What's your motivation to use mTLS?
WifiClientSecure is an Arduino library that is intended to be easy to use. mTLS is a low level implementation. To answer "what more do you need to do?" it would be necessary to know what you are trying to do. If you want to make https calls for example, you can just use the
http_client component which will automatically use tls if provided with https urls.
Re: Switching from SSL/TLS to mTLS
Posted: Tue May 02, 2023 9:24 pm
by mzincali
Thank you. I'm currently using WifiSecure and:
Code: Select all
WiFiClientSecure* client = new WiFiClientSecure;
if (client) {
client->setCACert(rootCACertificate);
HTTPClient https;
if (https.begin(*client, checkinURL)) {
int httpCode = https.GET();
I was told that the back-end needs to use mTLS: "I can do some research on how we can get mTLS working, mostly how to issue the certificates. You should familiarize yourself with the HTTP client you're using, make sure it supports mTLS in the first place."
Thus I need to know if I have to do anything different in order to support using the new certificates, etc.
-mz
Re: Switching from SSL/TLS to mTLS
Posted: Thu May 04, 2023 10:48 am
by a2800276
I'm afraid I misunderstood your question... I thought you wanted to use the mbedTLS low(er) level TLS library, but now I believe you meant you want to use mutual TLS, i.e. client certificate authentication. A typical browser TLS connection only the server is authenticated with a certificate. It's not uncommon for non-interative sessions to also authenticate the client with a certificate. "tls client authenticate" or "tls client certificate" will probably get you better search results than "mTLS" ...
I can't answer the question for arduino, but if you are using the IDF, it's fairly straightforward. Both the
http client library and the
mqtt library support this more or less out of the box. The hard part is setting up the infrastructure to sign certificates and getting them onto the device securely.
Re: Switching from SSL/TLS to mTLS
Posted: Fri May 05, 2023 11:04 am
by mzincali
I can build the certificate into the devices with the risk that an attacker with a device can extract the private key. Given the low value of the exploit, I doubt anyone will really waste time trying to take over some sensor devices.
On the other end I have a server that accepts input from the devices, and there I would prefer to be able to filter out any access that isn't my devices.
Another idea would be to have each device have a unique certificate, and in the case of one private key getting extracted, I could revoke that certificate, I assume.
If anyone has any good advice on how best to prevent the server from handling calls from any but my devices, I'd appreciate it. Yes, I realize that there are still other ways to impact me with DDoS.