SSL certificate for esp32 https server


Question

I have a problem with insecure SSL certificates. My project consists of two parts:


  1. An ESP32 IoT device with an HTTPS server

  2. A Vue 2 + Vuetify PWA web app deployed to Firebase Hosting.

Imagine that one client buys my IoT device and connects it to the power. The device will boot in AP mode, creating a WiFi AP net. The client logs in to the web app and wants to add his new device. So, for that, the IoT device needs the client's WiFi credentials. The web app asks the client for his SSID and password, and when the client clicks on 'Configure device', the web app sends an HTTPS POST request to the esp32 server, and here is the problem... Because the SSL certificate used in the esp32 server is not validated by an authority, the web app can't make the POST request...

How can I get a valid server SSL certificate for a lot of IoT devices? I don't know how to manage this situation...

Thanks, everyone!

Answer

It is possible to get a valid SSL certificate for the device, but I wouldn't recommend it. Here is how you could do it if you wanted to:


  1. Make sure that the exact same device IP address is always available when your device is in AP mode. For example, make sure the ESP32 is listening at 192.168.1.1.

  2. Register a domain like example.com. Add an A record to your DNS server for iot.example.com, with the value 192.168.1.1.

  3. Obtain a valid SSL certificate for iot.example.com from any trusted authority. Put that certificate and associated key on your device.

  4. Now, when your user connects to your soft AP, they can browse to https://iot.example.com and actually see a valid certificate.

However, I would really recommend not doing this. You'll have three major issues to contend with:


  1. The key for your SSL certificate will be on your device's flash. If anyone extracts it, they can masquerade as iot.example.com. You can mitigate this by using flash encryption, but it's still not great.

  2. The maximum validity period for an SSL certificate is around two years. So your provisioning flow will break after a couple of years.

  3. If the CA that issued your certificate hears that the private key is floating around and could potentially be compromised, they will probably revoke your certificate.

Instead, what you should do is secure your soft AP with WPA2 and a password that you can give to users. This will ensure that the connection is encrypted, and you can serve your provisioning form over HTTP instead of HTTPS.
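Whichever transport the provisioning form uses, the handler that receives the SSID and password on the device still has to treat them as untrusted input before they go anywhere near the Wi-Fi driver's fixed-size buffers. The following is an added example, not code from this answer or from ESP-IDF: a portable C parser for the urlencoded POST body that bounds every copy, checks the value against what WPA2-Personal actually accepts, and wipes the output on any failure. The sta_credentials_t stand-in (which only mirrors the 32-byte SSID / 64-byte password sizes of ESP-IDF's wifi_sta_config_t), the field names ssid and password, and the sample body are assumptions; nothing here needs ESP-IDF, so it compiles and runs on a desktop.

```c
/* Added example; not code from the original answer or from ESP-IDF. Validates the
 * "ssid=...&password=..." form body the provisioning page would POST. The struct is
 * a stand-in that only mirrors wifi_sta_config_t's 32/64-byte field sizes. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX 32 /* 802.11 SSID limit; wifi_sta_config_t.ssid is 32 bytes */
#define PASS_MAX 64 /* wifi_sta_config_t.password is 64 bytes */

typedef struct {
    char ssid[SSID_MAX + 1];     /* +1 keeps a full-length value NUL-terminated */
    char password[PASS_MAX + 1];
} sta_credentials_t;

/* MISSING: field absent; BAD_ENCODING: malformed %XX; TOO_LONG: would overflow;
 * BAD_SSID: empty; BAD_PASSWORD: not an 8..63 char passphrase or 64-hex PSK. */
typedef enum { PROV_OK = 0, PROV_MISSING, PROV_BAD_ENCODING, PROV_TOO_LONG,
               PROV_BAD_SSID, PROV_BAD_PASSWORD } prov_result_t;

/* Locate "key=" in the body; returns the raw value and its length, or NULL. */
static const char *find_field(const char *body, const char *key, size_t *out_len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);
        if (pair_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            *out_len = pair_len - klen - 1;
            return p + klen + 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* Percent-decode src into dst ('+' becomes ' '). Returns the decoded length,
 * -1 on a malformed escape, -2 if the result (plus NUL) would not fit. */
static int url_decode(const char *src, size_t src_len, char *dst, size_t dst_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < src_len; i++) {
        char c = src[i];
        if (c == '%') {
            if (i + 2 >= src_len || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= dst_cap) return -2; /* bounds check before every write */
        dst[o++] = c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* WPA2-Personal: 8..63 printable-ASCII passphrase, or a 64-hex-digit PSK. */
static bool valid_wpa2_secret(const char *s, size_t len)
{
    if (len == 64) {
        for (size_t i = 0; i < len; i++)
            if (!isxdigit((unsigned char)s[i])) return false;
        return true;
    }
    if (len < 8 || len > 63) return false;
    for (size_t i = 0; i < len; i++)
        if (s[i] < 0x20 || s[i] > 0x7e) return false;
    return true;
}

/* Parse and validate; on any failure *out is wiped, so a half-filled credential
 * block can never be handed to the Wi-Fi driver or written to flash. */
prov_result_t parse_provisioning_body(const char *body, sta_credentials_t *out)
{
    size_t raw_len = 0; int n = 0; const char *raw;
    prov_result_t rc = PROV_OK;
    memset(out, 0, sizeof *out);
    if (!(raw = find_field(body, "ssid", &raw_len)))
        rc = PROV_MISSING;
    else if ((n = url_decode(raw, raw_len, out->ssid, sizeof out->ssid)) < 0)
        rc = (n == -1) ? PROV_BAD_ENCODING : PROV_TOO_LONG;
    else if (n == 0)
        rc = PROV_BAD_SSID;
    else if (!(raw = find_field(body, "password", &raw_len)))
        rc = PROV_MISSING;
    else if ((n = url_decode(raw, raw_len, out->password, sizeof out->password)) < 0)
        rc = (n == -1) ? PROV_BAD_ENCODING : PROV_TOO_LONG;
    else if (!valid_wpa2_secret(out->password, (size_t)n))
        rc = PROV_BAD_PASSWORD;
    if (rc != PROV_OK) memset(out, 0, sizeof *out);
    return rc;
}
```

On the device, the validated struct would be copied field by field into the real Wi-Fi configuration (for example before esp_wifi_set_config in ESP-IDF); the property worth keeping is that every copy is bounded by the destination size and a rejected request leaves nothing behind in memory.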

An even better approach, rather than trying to implement this yourself, is to use the ESP-IDF unified provisioning API (https://docs.espressif.com/projects/esp-idf/zh-cn/v3.3.1/api-reference/provisioning/provisioning.html). It takes care of the implementation details, and supports both Wi-Fi and Bluetooth as transports.

Regardless of what you decide to do, I'd highly recommend reading the ESP-IDF documentation on unified provisioning and the documentation on Wi-Fi provisioning, since they'll give you an idea of what's going on under the hood and what all is required for a secure implementation. In particular, you'll see that the Wi-Fi provisioning library does actually use a static WPA2 password like I suggested above.
