
adafruitio_secure_esp8266 stumbling upon fingerprint verific

by csebe on Tue Dec 04, 2018 6:45 am

Hi all,

I have installed the Adafruit MQTT library (0.20.3) in the Arduino IDE (1.8.7) on Linux Ubuntu.
I am trying to run the adafruitio_secure_esp8266 example that comes with the library on a WeMOS mini D1 (or a clone of it, you can never know ;-).
It stumbles upon the fingerprint verification, throwing back in the serial console:

Connection insecure! Halting execution.


The example, comes with
const char* fingerprint = "AD 4B 64 B3 67 40 B5 FC 0E 51 9B BD 25 E9 7F 88 B6 2A A3 5B";


in this blog: https://io.adafruit.com/blog/ and https://io.adafruit.com/blog/security/2 ... y-esp8266/ the fingerprint is:
const char* fingerprint = "26 96 1C 2A 51 07 FD 15 80 96 93 AE F7 32 CE B9 0D 01 55 C4";


Tried with both; neither works. It still shows "Connection insecure [...]" and then a wdt reset.

Can anyone confirm the SHA1 to be one of the above? Maybe it was changed since the blog post and/or example?

Thanks,
C.

csebe
 
Posts: 2
Joined: Tue Dec 04, 2018 6:15 am

Re: adafruitio_secure_esp8266 stumbling upon fingerprint ver

by csebe on Tue Dec 04, 2018 1:01 pm

OK, I am in the happy situation to solve it myself.
The actual fingerprint to use is different than in the example and in the blog, and it can be found by simply visiting
https://io.adafruit.com
with a regular browser, and inspecting the ssl server certificate sent by the server (click on the lock icon in the beginning of the browser's address line).
Look for the SHA1 fingerprint, but where exactly, depends on browser.

Right now (04 Dec 2018) it is:
77:00:54:2D:DA:E7:D8:03:27:31:23:99:EB:27:DB:CB:A5:4C:57:18
but given that the certificate will expire on the 28th of July 2020, it will change by then.
(Btw: no need to replace ":" with a space when copy/pasting it into the sketch).

Come to think of it, this is a bit of a snag, because it means that the thingy I am building will stop functioning when the certificate expires and is replaced with a new one.
I can see 3 options:
- give up the fingerprint verification on my side (which is a pity but seems the only sensible solution)
- implement some more code to extract the fingerprint from the ssl certificate each time (and exactly before) it tries to verify it. However, the purpose is defeated, because if the evil guys replace io.adafruit.com with their own server, then my thingy will not feel a thing.
- ask Adafruit to find a solution so that the fingerprint doesn't change so often, i.e. to use a certificate valid for ever (ok, 100 years). Not sure if possible (maybe only with self-generated certificates, but this introduces some other problems).

I think the example that is delivered with the library should incorporate some of the above comments, to make it clear where to get the actual fingerprint from, and how it can affect the functionality.
And, btw, I had wifi connection issues until I added ESP8266WiFiMulti, which looks somewhat more reliable (at least on my hardware). I'd be happy to share the code if anyone could update the example.


Bests,
C.

csebe
 
Posts: 2
Joined: Tue Dec 04, 2018 6:15 am
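The procedure the post describes (read the server's current SHA-1 fingerprint, paste it into the sketch, and keep an eye on the expiry date) can be done from a workstation instead of a browser. The script below is an added example, not part of the post or of the Adafruit library; the host io.adafruit.com and the `const char* fingerprint` format come from the thread, the function names, port 443 and the expiry-warning logic are my own assumptions.

```python
"""Added example: fetch a broker's leaf certificate over a CA-verified TLS
connection, print its SHA-1 fingerprint in the form the adafruitio_secure_esp8266
sketch expects, and report how many days remain before the pin must be renewed."""
import hashlib
import hmac
import socket
import ssl
import time


def sketch_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the DER encoding, formatted 'AA BB CC ...' like the sketch constant."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Browsers show 'AA:BB:..', the sketch uses 'AA BB ..'; keep only the hex digits."""
    return "".join(ch for ch in fingerprint.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of separator, in constant time."""
    return hmac.compare_digest(normalize(a), normalize(b))


def days_until(not_after: str, now=None) -> int:
    """Days left on a 'notAfter' string as returned by getpeercert(),
    e.g. 'Jul 28 12:00:00 2020 GMT'; negative once the certificate has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def fetch_pin(host: str, port: int = 443) -> dict:
    """Connect with normal CA verification (so the pin is read from a chain the
    workstation trusts, not from whatever answers on the wire) and return the
    leaf certificate's fingerprint and expiry. Requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return {"fingerprint": sketch_fingerprint(der),
            "not_after": info["notAfter"],
            "days_left": days_until(info["notAfter"])}


if __name__ == "__main__":
    pin = fetch_pin("io.adafruit.com")
    print(f'const char* fingerprint = "{pin["fingerprint"]}";')
    print(f"// valid until {pin['not_after']} ({pin['days_left']} days); re-pin before then")
```

Run it again whenever the sketch reports "Connection insecure": a new fingerprint with a CA-verified chain means the certificate was rotated, while a fingerprint that only changes on the device's network points at interception.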
