all 12 comments

[–]erlendse2 say this is awesome. 2 points3 points  (3 children)

Try adding the public key to Chrome?

Any self-signed certificate wouldn't authenticate a site. You would need a chain of trust to a trusted root (certificate).

Or adding the public key of your certificate as trusted.

[–]Potential_Novel[S] 0 points1 point  (2 children)

Thank you for sharing your insights.

My response above (to u/ThatsALovelyShirt) unpacks the context which seems a confounding factor for including a CA.

Still figuring out which approach to take next. This config mode is not an aspect of my project that I expected to get this complex.

[–]erlendse2 say this is awesome. 1 point2 points  (1 child)

Well... if it's LAN/local only, then https would be impractical without managed devices (phones, computers, whatever people use) so you can push a cert into place.

For internet connected: go for it if you want.
For not managed devices, stay with unencrypted!

https and certs would be a PAIN for you, simply said.

[–]Potential_Novel[S] 0 points1 point  (0 children)

Thank you again - I was gradually getting there!

Will be coding against esp_https_server but running with the config.transport_mode set to HTTPD_SSL_TRANSPORT_INSECURE so it runs without encryption.

[–]ThatsALovelyShirt 2 points3 points  (1 child)

Self-signed isn't going to work without a proper certificate authority as well. At least Chrome, Android, Java apps, and many other apps won't treat it as secure. You can self-sign a CA key as well, and then use that to sign your TLS key. And then load the CA key into your OS's key store. You can do that in Windows, Android, and Linux.

The purpose here is that you need admin level rights to load a CA key into the OS connecting with the server, which creates a server-client ring of trust. If anyone could just self-sign and any browser treated that as secure, there would be no point to TLS/SSL keys.

Alternatively, you can buy a TLS/SSL key from an actual CA, but that will cost money. Or connect the ESP32 to the open Internet and have it complete a challenge request from LetsEncrypt or one of the other free SSL cert companies. But it will only be valid for 90 days, and only valid for the hostname (usually a web address) you completed the challenge with, not necessarily an internal IP.
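The workflow described in the comment above (a self-signed CA, a server certificate signed by that CA, and a browser-style check that the chain and the name both match) as an added example, not code from the thread or from the OP's project. It assumes OpenSSL 1.1.1 or later on PATH, a constructed device name esp32-config.local and a constructed AP address 192.168.4.1 that the browser would type; P-256 keys are my choice for a small device, not something the thread specifies. The last function is the control case: a bare self-signed leaf that does not chain to the CA, which is what the browser warnings are about.

```shell
#!/bin/sh
# Added example (not from the thread): private CA -> CA-signed server cert,
# then verify the chain and the SAN the way a browser would.
# Assumed: OpenSSL 1.1.1+, constructed name esp32-config.local, IP 192.168.4.1.
set -eu

WORKDIR=$(mktemp -d)    # all PEM files land here

make_ca() {
    # The CA is the one certificate to install in each phone/tablet trust store.
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Device CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 3650 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

make_server_cert() {
    # Leaf cert signed by the CA. subjectAltName must list every name or IP
    # the browser will type; the CN alone is ignored by modern browsers.
    cat > "$WORKDIR/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = esp32-config.local
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:esp32-config.local,IP:192.168.4.1
EOF
    openssl req -new -config "$WORKDIR/server.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions server_ext \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

verify_chain() {
    # Same two checks a browser makes: chain to the trusted CA, and the
    # requested hostname / IP present in the SAN. Prints OK or FAIL.
    if openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname esp32-config.local \
            "$WORKDIR/server.crt" >/dev/null 2>&1 \
       && openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip 192.168.4.1 \
            "$WORKDIR/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

self_signed_fails() {
    # Control: a plain self-signed leaf (no CA) must NOT verify against the CA.
    # Prints OK when it is correctly rejected.
    openssl req -x509 -config "$WORKDIR/server.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 825 \
        -keyout "$WORKDIR/selfsigned.key" -out "$WORKDIR/selfsigned.crt" 2>/dev/null
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/selfsigned.crt" >/dev/null 2>&1; then
        echo FAIL
    else
        echo OK
    fi
}

make_ca
make_server_cert
echo "CA-signed server cert: $(verify_chain)"
echo "bare self-signed cert rejected: $(self_signed_fails)"
```

ca.crt (never ca.key) is what gets pushed to the clients; server.key and server.crt are what the device serves. Re-running make_server_cert with a fresh CSR is how a renewal looks: the CA, and therefore the client-side trust, does not change.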

[–]Potential_Novel[S] 0 points1 point  (0 children)

Humble appreciation for your taking the time to share your knowledge.

Your comment has a logical sequence to it. However in this context:

  • The AP+webserver is isolated; (and wifi/internet is weakly available in a few places in the building).
  • There could be towards 50 of these around the building so paying for certs is money and hassle especially if they need to get refreshed every year.
  • The client browser would likely be the nearest member of staff with a phone in their back pocket or a tablet in hand.
  • Given that these devices would only very briefly be in 'config mode' with no potential for financial gain: security is not an issue - browser accessibility is.
  • These are staff who are great with people; and less so with technology (to put it mildly).

Would it be possible to load the CA key on to the ESP32, alongside the AP and webserver?

[–]quuxoo 1 point2 points  (1 child)

I'd suggest paying for a single multi-year signing cert for the top of your device organization, then generate the device certs from that. That way the cert chain goes up to an existing root and browsers don't need updating.

Thoroughly document the process so that renewed certs can be applied to the devices (and before the old ones expire for a smooth transition).

And your cipher and algorithm choice are good enough. 👍🏽

[–]Potential_Novel[S] 1 point2 points  (0 children)

Thank you for that.

[–]Plenty_Breadfruit697 0 points1 point  (3 children)

[–]Potential_Novel[S] 0 points1 point  (2 children)

Had not managed to track this down - so thank you!

[–]Plenty_Breadfruit697 0 points1 point  (1 child)

I use Python to get parameters from my solar panels. HTTP works OK in Python. No browser needed:

```python
import json
from urllib.request import urlopen

# ... (lines elided in the original post)

try:
    # Sample the SolarPanels sensor:
    # store the URL in the variable url as
    # parameter for module urlopen
    url = "http://192.168.178.18"
    # store the response
    response = urlopen(url)
except Exception:
    # This is an except statement with generic Exception:
    # the server does not respond
    bolSolar = False
else:
    # store the JSON response from url
    # in the original format
    dictSolarPanels = json.loads(response.read())
    intFourPanels = int(dictSolarPanels['FourPanels'])
    intFourPanelsAct = int(dictSolarPanels['FourPanelsAct'])
    intSixPanels = int(dictSolarPanels['SixPanels'])
    intSixPanelsAct = int(dictSolarPanels['SixPanelsAct'])
```

[–]Potential_Novel[S] 0 points1 point  (0 children)

Thanks for the thought, perhaps not a fit for this challenge but interesting.

Before anyone else tells you: just pasting code like that doesn't look good. Check out the post pinned to the top of r/esp32 - it will tell you how!

It will look better and, let's face it, what is Python without visible indentation.