Switching from SSL/TLS to mTLS

mzincali
Posts: 46
Joined: Wed Jun 08, 2022 7:23 am

Switching from SSL/TLS to mTLS

Postby mzincali » Mon May 01, 2023 8:19 pm

Hi. I am just starting to research what it would take to have my ESP32 program which uses WiFiClientSecure, to use mTLS instead. I'm not sure where to start. I looked at https://docs.espressif.com/projects/esp ... p_tls.html, but that looks like what is supporting WiFiClientSecure, if I am not mistaken. What more do I need to move to mTLS?

Thank you.

a2800276
Posts: 78
Joined: Sat Jan 23, 2016 1:59 pm

Re: Switching from SSL/TLS to mTLS

Postby a2800276 » Tue May 02, 2023 11:08 am

What's your motivation to use mTLS?

WifiClientSecure is an Arduino library that is intended to be easy to use. mTLS is a low level implementation. To answer "what more do you need to do?" it would be necessary to know what you are trying to do. If you want to make https calls for example, you can just use the http_client component which will automatically use tls if provided with https urls.

mzincali
Posts: 46
Joined: Wed Jun 08, 2022 7:23 am

Re: Switching from SSL/TLS to mTLS

Postby mzincali » Tue May 02, 2023 9:24 pm

Thank you. I'm currently using WifiSecure and:

Code: Select all

  WiFiClientSecure* client = new WiFiClientSecure;
  if (client) {
    client->setCACert(rootCACertificate);
    HTTPClient https;

    if (https.begin(*client, checkinURL)) {
        int httpCode = https.GET();
I was told that the back-end needs to use mTLS: "I can do some research on how we can get mTLS working, mostly how to issue the certificates. You should familiarize yourself with the HTTP client you're using, make sure it supports mTLS in the first place."

Thus I need to know if I have to do anything different in order to support using the new certificates, etc.

-mz

a2800276
Posts: 78
Joined: Sat Jan 23, 2016 1:59 pm

Re: Switching from SSL/TLS to mTLS

Postby a2800276 » Thu May 04, 2023 10:48 am

I'm afraid I misunderstood your question... I thought you wanted to use the mbedTLS low(er) level TLS library, but now I believe you meant you want to use mutual TLS, i.e. client certificate authentication. A typical browser TLS connection only the server is authenticated with a certificate. It's not uncommon for non-interative sessions to also authenticate the client with a certificate. "tls client authenticate" or "tls client certificate" will probably get you better search results than "mTLS" ...

I can't answer the question for arduino, but if you are using the IDF, it's fairly straightforward. Both the http client library and the mqtt library support this more or less out of the box. The hard part is setting up the infrastructure to sign certificates and getting them onto the device securely.

mzincali
Posts: 46
Joined: Wed Jun 08, 2022 7:23 am

Re: Switching from SSL/TLS to mTLS

Postby mzincali » Fri May 05, 2023 11:04 am

I can build the certificate into the devices with the risk that an attacker with a device can extract the private key. Given the low value of the exploit, I doubt anyone will really waste time trying to take over some sensor devices.

On the other end I have a server that accepts input from the devices, and there I would prefer to be able to filter out any access that isn't my devices.

Another idea would be to have each device have a unique certificate, and in the case of one private key getting extracted, I could revoke that certificate, I assume.

If anyone has any good advice on how best to prevent the server from handling calls from any but my devices, I'd appreciate it. Yes, I realize that there are still other ways to impact me with DDoS.

Who is online

Users browsing this forum: No registered users and 80 guests