Adds SSL server mode for WiFiServerSecure, for plain SSL connections, ESP8266WebServerSecure, for HTTPS web serving, and SecureHTTPSUpdater for encrypted OTA updates. Example code is provided for all new options, as well as a BASH script for generating your own self-signed certificates. Both ESP8266WebServerSecure and SecureHTTPSUpdater are important for secure password-based authentication. HTTP Basic Authentication, the only supported model presently, sends the username and password in *cleartext* and therefore should *never* be used over any channel that is not SSL-encrypted unless you don't mind sharing your login and password with anyone else on the internet. Even if the ESP8266 is not safety critical, this cleartext broadcast could expose you should you reuse this password elsewhere on your network or the internet.
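#!/bin/bash
# This script generates a self-signed certificate for use by the ESP8266
# Replace your-name-here with something appropriate before running and use
# the generated .H files in your code as follows:
#
# static const uint8_t rsakey[] ICACHE_RODATA_ATTR = {
# #include "key.h"
# };
#
# static const uint8_t x509[] ICACHE_RODATA_ATTR = {
# #include "x509.h"
# };
#
# ....
# WiFiServerSecure server(443);
# server.setServerKeyAndCert_P(rsakey, sizeof(rsakey), x509, sizeof(x509));
# ....

# Stop at the first failing command, unset variable or failed pipeline stage,
# so a failed openssl/xxd step cannot leave truncated or empty .h files behind.
set -euo pipefail

# 1024 or 512. 512 saves memory...
# Override on the command line, e.g.  BITS=1024 ./<this-script>
# Note: 512-bit RSA can be factored with modest resources and 1024-bit is no
# longer considered adequate; these sizes are an ESP8266 memory trade-off,
# not a security recommendation. Treat the result as a test certificate.
BITS=${BITS:-512}

# Directory the caller ran from; key.h and x509.h are written here.
C=$PWD

# Use a private, unpredictably named scratch directory instead of a shared
# /tmp with fixed file names: the private keys live here while the script
# runs, and fixed names in /tmp are open to clobbering by other local users.
WORK=$(mktemp -d)
# Remove every intermediate file (including both private keys) on any exit
# path, success or failure -- replaces the explicit rm -f list.
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA key and server key (server key also exported as DER for the device).
openssl genrsa -out tls.ca_key.pem $BITS
openssl genrsa -out tls.key_$BITS.pem $BITS
openssl rsa -in tls.key_$BITS.pem -out tls.key_$BITS -outform DER

# Non-interactive subject for both CSRs.
cat > certs.conf <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = your-name-here
CN = 127.0.0.1
EOF

# CSRs, then a self-signed CA cert and a server cert signed by that CA.
openssl req -out tls.ca_x509.req -key tls.ca_key.pem -new -config certs.conf
openssl req -out tls.x509_$BITS.req -key tls.key_$BITS.pem -new -config certs.conf
openssl x509 -req -in tls.ca_x509.req -out tls.ca_x509.pem -sha256 -days 5000 -signkey tls.ca_key.pem
openssl x509 -req -in tls.x509_$BITS.req -out tls.x509_$BITS.pem -sha256 -CAcreateserial -days 5000 -CA tls.ca_x509.pem -CAkey tls.ca_key.pem
openssl x509 -in tls.ca_x509.pem -outform DER -out tls.ca_x509.cer
openssl x509 -in tls.x509_$BITS.pem -outform DER -out tls.x509_$BITS.cer

# Emit the DER blobs as bare C initializer lists: strip xxd's declaration
# line, the opening brace and the closing "};" so the output can be #included
# inside an array definition.
xxd -i tls.key_$BITS | sed -e 's/.*{//' -e 's/\};//' -e 's/unsigned.*//' > "$C/key.h"
xxd -i tls.x509_$BITS.cer | sed -e 's/.*{//' -e 's/\};//' -e 's/unsigned.*//' > "$C/x509.h"

# Cleanup of $WORK happens in the EXIT trap above.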