ESP8266 ssl/tls/https client test

So the mighty EPS8266 supports connecting to https servers, but I have found the documentation lacking (Maybe I have been looking in the wrong place!?)

I’m particularly interested in what protocol and ciphers are supported. A quick hack of the example script: https://github.com/esp8266/Arduino/blob/master/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino

To point to www.howsmyssl.com’s api has been helpful, here’s this script:

/*
 *  HTTP over TLS (HTTPS) example sketch
 *
 *  This example demonstrates how to use
 *  WiFiClientSecure class to access HTTPS API.
 *  We fetch and display the status of
 *  esp8266/Arduino project continuous integration
 *  build.
 *
 *  Created by Ivan Grokhotkov, 2015.
 *  This example is in public domain.
 */

#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>

const char* ssid = ".......";
const char* password = ".......";

const char* host = "www.howsmyssl.com";
const int httpsPort = 443;

// Use web browser to view and copy
// SHA1 fingerprint of the certificate
const char* fingerprint = "83 FE 78 E2 42 46 E2 DF 91 0D 84 50 D9 3D 63 BB 8D FB 92 3F";

void setup() {
  Serial.begin(115200);
  Serial.println();
  Serial.print("connecting to ");
  Serial.println(ssid);
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());

  // Use WiFiClientSecure class to create TLS connection
  WiFiClientSecure client;
  Serial.print("connecting to ");
  Serial.println(host);
  if (!client.connect(host, httpsPort)) {
    Serial.println("connection failed");
    return;
  }

  if (client.verify(fingerprint, host)) {
    Serial.println("certificate matches");
  } else {
    Serial.println("certificate doesn't match");
  }

  String url = "/a/check";
  Serial.print("requesting URL: ");
  Serial.println(url);

  client.print(String("GET ") + url + " HTTP/1.1\r\n" +
               "Host: " + host + "\r\n" +
               "User-Agent: ESP8266\r\n" +
               "Connection: close\r\n\r\n");

  Serial.println("request sent");
  while (client.connected()) {
    String line = client.readStringUntil('\n');
    if (line == "\r") {
      Serial.println("headers received");
      break;
    }
  }
  String line = client.readStringUntil('\n');
  Serial.println("reply was:");
  Serial.println("==========");
  Serial.println(line);
  Serial.println("==========");
  Serial.println("closing connection");
}

void loop() {
}

The serial output is below:

connecting to xxxxxx
...
WiFi connected
IP address: 
192.168.1.41
connecting to www.howsmyssl.com
certificate matches
requesting URL: /a/check
request sent
headers received
reply was:
==========
{"given_cipher_suites" ["TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA"],
"ephemeral_keys_supported":false,
"session_ticket_supported":false,
"tls_compression_supported":false,
"unknown_cipher_suite_supported":false,
"beast_vuln":false,
"able_to_detect_n_minus_one_splitting":false,
"insecure_cipher_suites":{},
"tls_version":"TLS 1.2",
"rating":"Improvable"}
==========
closing connection

I’m not anywhere near an expert, but it’s a pretty good response and support. Lack of ephemeral key support means all EDH and ECDH ciphers are out (as also shown in the list of ciphers), thus no perfect forward secrecy. Having said that the ciphers supported are considered secure.

All in all a successful test IMO.

1 Like