SSL support needed


  • SSL support needed

    Hi, my PHPoC black just arrived today (Yippee!).
    I have used some hours to test and play with it and so far I am very happy.

    I want to use SSL/TLS to connect to my mosquitto broker.
    I have found the MQTT example code here but I can't see anywhere how to provide the client certificate for the secure connection.
    I believe that the certificate needs to be provided to the actual TCP connection but I still can't figure it out.
    Can someone please provide some guidance?

    Thanks in advance.

  • #2
    Dear gjt211,

    Thank you for using PHPoC!

    SSL/TLS client certificates need to be uploaded to PHPoC Black via PHPoC Debugger.

    Please refer to this instruction to upload certificates to PHPoC.

    If you have any further questions, please feel free to comment here.


    • #3
      Additionally, PHPoC Black has the default certificates. If you do NOT use mutual authentication, you can use SSL/TLS without uploading new certificates.


      • #4
        Thanks support, that is great news, and thanks for the quick reply.
        I am only starting and there is a lot to learn right now.
        I do use client certificates so without the certificate in the PHPoC, it will never be able to connect. I normally enable a non-SSL/TLS port on my server when testing to make sure I can connect and my project works ok, only after that success I move it over to secure.

        Once I have some free time I will start to try this out and report my experiences back here for others as a reference.


        • support
          support commented
          Thank you in advance for sharing the experience!

      • #5
        Wow, that was really easy!

        Added the MQTT support files, copied over the subscriber example, put in my MQTT server settings, uploaded, run, it works!!!
        Next, upload the certificate (signed certificate from authorities) for my secure connection as per support link to the instructions. The only thing the instructions didn't say was that it needed the RSA key which is a separate file, so I actually had to select two files (certificate and key) but it was automatic, I selected the certificate and clicked ok, then it asked me to select the RSA key file so not at all difficult.
        Then I changed from the non ssl demo to the ssl demo with once again updating the settings to suit my server. Uploaded, clicked on run and away it went, working well.

        I am really impressed, it has been a long time since I found something this quick and easy. I was actually smiling when this worked first go.

        So now I have a new question....
        Is there a way to change the certificate files not using the PHPoC Debugger? I want to be able to download and update certificates as or when they change on the server.



        • support
          support commented
          It's great to hear that.

          For security reasons, we designed changing certificates and firmware to be possible via USB cable only (using PHPoC Debugger). There is no other way.
          It's worth noting that PHPoC Debugger can connect to PHPoC remotely via TCP/IP network. When connecting via TCP network, some functionalities (uploading firmware, creating & saving a certificate, and creating & changing a password) are disabled for security reasons.

      • #6
        I would like to request if there could be some way around this limitation. Our products are located anywhere in the world, and for a commercial product we can't ask customers to return the sensor back to us just to update the certificate.

        As you know, SSL certificates expire, and the root chain of trust also expires (usually several years rather than several months to one year).

        For our company, not being able to update certificates remotely would be a project killer, we would have to stay with our existing products.
        Please allow the ability to update/add/remove certificates remotely if at all possible.


        • support
          support commented
          Regarding your inquiry, our research team will discuss it in the next meeting. We will inform you about the result as soon as possible.

        • gjt211
          gjt211 commented
          Thank you for considering our request, it would be great to work with PHPoC. I happily await your response from your meeting.

      • #7
        Dear gjt211,

        I was confused.
        Certificates can be uploaded not only via USB cable but also remotely via the Internet using PHPoC Debugger, a feature called Secure Remote Debugger.
        Certificates will be uploaded securely via TLS.

        Remote Debugger is disabled by default. You need to enable it first via USB cable. Please refer to the following steps:
        • Enable Remote Debugger (screenshot: enable_remote_secure_debugger.PNG)
        • Set Device Password (screenshot: change_password.PNG)
        And now you can connect Debugger securely via Internet (screenshot: connect_via_network.PNG).

        Note that if you only enable "Remote Debugger" without enabling "Secure Remote Debugger", you can NOT upload certificates.

        Please tell us whether this function meets your requirement or not!
        Last edited by support; 01-14-2019, 12:57 PM.


        • #8
          Hi, thank you for the update and information. I understand and unfortunately I don't think the proposed solution will meet our requirements.
          Imagine if we had thousands of PHPoC devices all over the world, the time required to manually update each one is not suitable. Also there may be various network restrictions preventing remote access (I have not yet looked into how the PHPoC Secure Remote Debugger works, but will do so soon).
          I am quite certain we would require the PHPoC device itself to obtain the new certificate without intervention on our part.


          • support
            support commented
            Hello @gjt211,
            We will discuss this again in the next meeting and inform you as soon as possible.

          • support
            support commented
            By the way, as you know, it takes time and effort to add a new function. We would like to ask how many units you are potentially interested in ordering.

          • gjt211
            gjt211 commented
            Hi Support, thanks as always for your ongoing help.
            Initially we would order 20, then most likely once the trial is successful we would order in lots of 100. At this time I can't say how frequently we would place an order.

        • #9
          Dear gjt211,
          We are sorry for the late reply.
          After researching, we are glad to inform you that we will add an auto-update-certificate feature to PHPoC.
          However, we cannot say now when we will release it.
          We will inform you when we have the specific plan.
