SSL/TLS Help

henkep
Posts: 3
Joined: Sun Oct 11, 2015 4:03 am

SSL/TLS Help

Postby henkep » Tue Aug 16, 2016 12:09 am

Hi
Some background, I am using NONOS 1.5.4 and the Tuanpmt MQTT client in C.
I am trying to set up a connection to an MQTT server running TLS 1.1; the server is running a "real" bought certificate for the TLS. No self-signed stuff.

If I start the MQTT client but omit espconn_secure_ca_enable() everything works just fine, but then I imagine the client will trust any kind of certificate the server has installed.
I want to make it a bit more secure so that the client actually verifies the server certificate based on a local cert (or key or whatever it needs to be) flashed to the ESP. This is where it gets tricky.
I can't figure out how to create a client certificate, burn it to the ESP and make it work. I think I have tried every possible solution now. I have exported a .cer file from our valid certificate and run the make_cacert.py in the SDK tools folder, but when I burn that to flash at address 0x82000 and set up espconn_secure_ca_enable(0x01, 0x82) I get the following: "Error: No trusted cert is available" and handshake failed.

Is there someone out there who can help me figure out the correct steps to have my ESP securely connect to my MQTT server?

It also looks like the way Espressif is doing this has changed. I found the "TLS_BiDirectVerif_Demo" but I can't make sense of how they use that. In there they introduce a new method: espconn_secure_cert_req_enable(); what the heck is this?

I need a way to generate the correct files for the ESP and then burn them, activate "espconn_secure_ca_enable" (if that is the correct method) and get the ESP to securely connect to my own server.

Any help is greatly appreciated!!

Regards
Henrik

jinhucn
Posts: 20
Joined: Wed Dec 23, 2015 12:06 pm

Re: SSL/TLS Help

Postby jinhucn » Mon Aug 22, 2016 10:09 am

You should use the ca.cer (root certificate), not the server.cer (server certificate), then run make_cacert.py and burn it to flash.

henkep
Posts: 3
Joined: Sun Oct 11, 2015 4:03 am

Re: SSL/TLS Help

Postby henkep » Tue Aug 23, 2016 6:42 am

Ahh, thank you so much! I needed someone to point me in the correct direction. Now everything works as expected, TLS 1.2 connection made with CA root certificate validation.

Thanks again!!
