RNTLab.com

The Ultimate Shortcut to Learn Electronics and Programming with Open Source Hardware and Software

TLS 1.3 support

Q&A ForumCategory: ESP32TLS 1.3 support
0 Vote Up Vote Down
Lucio Bonandrini asked 6 months ago

Hello,
is there any way to connect with a tls1.3 endpoint with esp32 arduino IDE? I searched a lot but never found a definitive answer. Thanks!

Question Tags:
6 Answers
0 Vote Up Vote Down
Sara Santos Staff answered 6 months ago

Hi.
What endpoint are you referring to? Can you be a little more specific?
Regards,
Sara

0 Vote Up Vote Down
Lucio Bonandrini answered 6 months ago

Yes of course. I am referring to the tesla powerwall api endpoint, I wanted to create a mini display where I can see the % of battery charged. Am I missing something? Is TLS 1.3 already supported with esp32?
 

0 Vote Up Vote Down
Sara Santos Staff answered 6 months ago

Hi.
You can make HTTPS requests with the ESP32 using WiFiClient secure.
Here’s the example on the arduino-esp32 repository: https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/examples/WiFiClientSecure/WiFiClientSecure.ino
Regards,
Sara

0 Vote Up Vote Down
Lucio Bonandrini answered 6 months ago

Hi Sara,
I can indeed make requests, but it seems TLS 1.3 is not supported yet. I tried making a call to:

https://www.howsmyssl.com/a/check with the esp32. The result is:

{
"given_cipher_suites": [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
"TLS_DHE_RSA_WITH_AES_256_CCM",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
"TLS_DHE_RSA_WITH_AES_256_CCM_8",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
"TLS_DHE_RSA_WITH_AES_128_CCM",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
"TLS_DHE_RSA_WITH_AES_128_CCM_8",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_CCM",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CCM_8",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CCM",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CCM_8",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
],
"ephemeral_keys_supported": true,
"session_ticket_supported": true,
"tls_compression_supported": false,
"unknown_cipher_suite_supported": false,
"beast_vuln": false,
"able_to_detect_n_minus_one_splitting": false,
"insecure_cipher_suites": {},
"tls_version": "TLS 1.2",
"rating": "Probably Okay"
}

If I try with Postman or a web browser from my PC, I get:

{
"given_cipher_suites": [
"TLS_GREASE_IS_THE_WORD_6A",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
],
"ephemeral_keys_supported": true,
"session_ticket_supported": true,
"tls_compression_supported": false,
"unknown_cipher_suite_supported": false,
"beast_vuln": false,
"able_to_detect_n_minus_one_splitting": false,
"insecure_cipher_suites": {},
"tls_version": "TLS 1.3",
"rating": "Probably Okay"
}

As you can see I get TLS 1.3, while the ESP only gets 1.2.
Is it a hardware limitation or is just that there are no libraries yet for TLS 1.3? Unfortunately I have no control on what security protocol the server uses.

Thanks!

0 Vote Up Vote Down
Sara Santos Staff answered 6 months ago

Hi.
I think the libraries are not yet compatible.
I think there are some examples for espressif IDF already: https://www.esp32.com/viewtopic.php?f=10&t=24451

But, I also find this discussion: https://github.com/espressif/arduino-esp32/issues/6528 (not entirely sure what it means—I guess it means there isn’t a stable version for arduino yet).

Regards,
Sara

0 Vote Up Vote Down
Lucio Bonandrini answered 6 months ago

Ok, thank you very much Sara, I guess the only option is to wait.