MQTT rewrite with SSL fixes (see also: #1751)

code/espurna/config/dependencies.h

@@ -5,6 +5,11 @@
 // Configuration settings are in the general.h file
 //------------------------------------------------------------------------------
 
+#if defined(ASYNC_TCP_SSL_ENABLED) && SECURE_CLIENT == SECURE_CLIENT_NONE
+#undef SECURE_CLIENT
+#define SECURE_CLIENT SECURE_CLIENT_AXTLS
+#endif
+
 #if DEBUG_TELNET_SUPPORT
 #undef TELNET_SUPPORT
 #define TELNET_SUPPORT 1
@@ -55,10 +60,10 @@
 #define MQTT_SUPPORT 1 // If Home Assistant enabled enable MQTT
 #endif
 
-#ifndef ASYNC_TCP_SSL_ENABLED
+#if SECURE_CLIENT != SECURE_CLIENT_AXTLS
 #if THINGSPEAK_USE_SSL && THINGSPEAK_USE_ASYNC
 #undef THINGSPEAK_SUPPORT 
-#define THINGSPEAK_SUPPORT 0 // Thingspeak in ASYNC mode requires ASYNC_TCP_SSL_ENABLED
+#define THINGSPEAK_SUPPORT 0 // Thingspeak in ASYNC mode requires SECURE_CLIENT_AXTLS
 #endif
 #endif
 

code/espurna/config/general.h

@@ -567,7 +567,7 @@
 #endif
 
 // This is not working at the moment!!
-// Requires ASYNC_TCP_SSL_ENABLED to 1 and ESP8266 Arduino Core 2.4.0
+// Requires SECURE_CLIENT = SECURE_CLIENT_AXTLS and ESP8266 Arduino Core 2.4.0
 #ifndef WEB_SSL_ENABLED
 #define WEB_SSL_ENABLED 0 // Use HTTPS web interface
 #endif
@@ -839,26 +839,28 @@
 #endif
 
 
-#ifndef MQTT_USE_ASYNC
-#define MQTT_USE_ASYNC 1   // Use AysncMQTTClient (1) or PubSubClient (0)
+#ifndef MQTT_LIBRARY
+#define MQTT_LIBRARY  MQTT_ASYNC // Choose between: MQTT_ASYNC (AysncMQTTClient), MQTT_PUBSUB (PubSubClient), MQTT_ARDUINO (Arduino-MQTT)
 #endif
 
 // MQTT OVER SSL
 // Using MQTT over SSL works pretty well but generates problems with the web interface.
 // It could be a good idea to use it in conjuntion with WEB_SUPPORT=0.
-// Requires ASYNC_TCP_SSL_ENABLED to 1 and ESP8266 Arduino Core 2.4.0.
+// Requires SECURE_CLIENT = SECURE_CLIENT_AXTLS or SECURE_CLIENT_BEARSSL and ESP8266 Arduino Core >= 2.4.0.
 //
-// You can use SSL with MQTT_USE_ASYNC=1 (AsyncMqttClient library)
+// You can use SSL with MQTT_LIBRARY=ASYNC (AsyncMqttClient library)
 // but you might experience hiccups on the web interface, so my recommendation is:
 // WEB_SUPPORT=0
 //
-// If you use SSL with MQTT_USE_ASYNC=0 (PubSubClient library)
+// If you use SSL with MQTT_LIBRARY=PUBSUB (PubSubClient library) or MQTT_LIBRARY=ARDUINO (Arduino-MQTT library)
 // you will have to disable all the modules that use ESPAsyncTCP, that is:
-// ALEXA_SUPPORT=0, INFLUXDB_SUPPORT=0, TELNET_SUPPORT=0, THINGSPEAK_SUPPORT=0 and WEB_SUPPORT=0
+// ALEXA_SUPPORT=0, INFLUXDB_SUPPORT=0, TELNET_SUPPORT=0, THINGSPEAK_SUPPORT=0, DEBUG_TELNET_SUPPORT=0 and WEB_SUPPORT=0
 //
-// You will need the fingerprint for your MQTT server, example for CloudMQTT:
-// $ echo -n | openssl s_client -connect m11.cloudmqtt.com:24055 > cloudmqtt.pem
-// $ openssl x509 -noout -in cloudmqtt.pem -fingerprint -sha1
+// You will need the fingerprint of your MQTT server, in order to prevent MITS attacks.
+// To get a certificate fingerprint, run the following command:
+// $ echo -n | openssl s_client -connect mqtt.googleapis.com:8883 2>&1 | openssl x509 -noout -fingerprint -sha1 | cut -d\= -f2
+// Note that this fingerprint changes with e.g. LetsEncrypt renewals or when the CSR changes.
+// It's also possible to leave the fingerprint empty, the certificate is then always trusted.
 
 #ifndef MQTT_SSL_ENABLED
 #define MQTT_SSL_ENABLED 0 // By default MQTT over SSL will not be enabled
@@ -868,6 +870,20 @@
 #define MQTT_SSL_FINGERPRINT "" // SSL fingerprint of the server
 #endif
 
+#ifndef MQTT_SECURE_CLIENT_CHECK
+#define MQTT_SECURE_CLIENT_CHECK SECURE_CLIENT_CHECK // Use global verification setting by default
+#endif
+
+#ifndef MQTT_SECURE_CLIENT_MFLN
+#define MQTT_SECURE_CLIENT_MFLN SECURE_CLIENT_MFLN // Use global MFLN setting by default 
+#endif
+
+#ifndef MQTT_SECURE_CLIENT_INCLUDE_CA
+#define MQTT_SECURE_CLIENT_INCLUDE_CA 0 // Use user-provided CA. Only PROGMEM PEM option is supported.
+ // When enabled, current implementation includes "static/mqtt_secure_client_ca.h" with
+ // const char _mqtt_client_ca[] PROGMEM = "...PEM data...";
+ // By default, using LetsEncrypt X3 root in "static/letsencrypt_isrgroot_pem.h"
+#endif
 
 #ifndef MQTT_ENABLED
 #define MQTT_ENABLED 0 // Do not enable MQTT connection by default
@@ -986,7 +1002,9 @@
 #define MQTT_TOPIC_DATETIME "datetime"
 #define MQTT_TOPIC_FREEHEAP "freeheap"
 #define MQTT_TOPIC_VCC "vcc"
+#ifndef MQTT_TOPIC_STATUS
 #define MQTT_TOPIC_STATUS "status"
+#endif
 #define MQTT_TOPIC_MAC "mac"
 #define MQTT_TOPIC_RSSI "rssi"
 #define MQTT_TOPIC_MESSAGE_ID "id"
@@ -1031,7 +1049,9 @@
 
 
 #define MQTT_STATUS_ONLINE "1" // Value for the device ON message
+#ifndef MQTT_STATUS_OFFLINE
 #define MQTT_STATUS_OFFLINE "0" // Value for the device OFF message (will)
+#endif
 
 #define MQTT_ACTION_RESET "reboot" // RESET MQTT topic particle
 
@@ -1283,7 +1303,7 @@
 // THINGSPEAK OVER SSL
 // Using THINGSPEAK over SSL works well but generates problems with the web interface,
 // so you should compile it with WEB_SUPPORT to 0.
-// When THINGSPEAK_USE_ASYNC is 1, requires ASYNC_TCP_SSL_ENABLED to 1 and ESP8266 Arduino Core 2.4.0.
+// When THINGSPEAK_USE_ASYNC is 1, requires SECURE_CLIENT = SECURE_CLIENT_AXTLS and ESP8266 Arduino Core >= 2.4.0.
 #define THINGSPEAK_USE_SSL 0 // Use secure connection
 
 #define THINGSPEAK_FINGERPRINT "78 60 18 44 81 35 BF DF 77 84 D4 0A 22 0D 9B 4E 6C DC 57 2C"

code/espurna/config/prototypes.h

@@ -171,6 +171,13 @@ void i2c_read_buffer(uint8_t address, uint8_t * buffer, size_t len);
  #define mqtt_callback_f void *
 #endif
 
+#if MQTT_SECURE_CLIENT_INCLUDE_CA
+#include "static/mqtt_secure_client_ca.h" // Assumes this header file defines a _mqtt_client_ca[] PROGMEM = "...PEM data..."
+#else
+#include "static/letsencrypt_isrgroot_pem.h" // Default to LetsEncrypt X3 certificate
+#define _mqtt_client_ca _ssl_letsencrypt_isrg_x3_ca
+#endif // MQTT_SECURE_CLIENT_INCLUDE_CA
+
 // -----------------------------------------------------------------------------
 // OTA
 // -----------------------------------------------------------------------------

code/espurna/config/types.h

@@ -152,6 +152,11 @@
 #define MQTT_DISCONNECT_EVENT 1
 #define MQTT_MESSAGE_EVENT 2
 
+#define MQTT_ASYNC 0
+#define MQTT_ARDUINO 1
+#define MQTT_PUBSUB 2
+
+
 //------------------------------------------------------------------------------
 // LED
 //------------------------------------------------------------------------------
@@ -353,6 +358,7 @@
 //------------------------------------------------------------------------------
 // Telnet server
 //------------------------------------------------------------------------------
+
 #define TELNET_SERVER_ASYNC 0
 #define TELNET_SERVER_WIFISERVER 1