Comments on example code at https://github.com/asksensors/AskSensors-ESP8266-DHT

Post by dheydeck » Wed Jan 23, 2019 4:30 pm

Hello- just a couple of comments on the example code at https://github.com/asksensors/AskSensors-ESP8266-DHT.
I had a little trouble getting the client connection to https://asksensors.com: this failed continuously. After doing a little Googling, I found that the sample code didn't cope with the way in which WiFiClientSecure dealt with TLS connections. To get my connection working, I added the following at the beginning of the void setup() code:

  // Set Client to insecure
  client.setInsecure();

This stops WiFiClientSecure from verifying the certificate on establishment of the TLS session so, in theory, you could be connecting to a malicious site.
However, if you do want to validate the certificate of the site that you are connecting to, rather than using the code above, try the following, again in the void setup() code:

  // Set target certificate fingerprint
  client.setFingerprint(https_fingerprint);

There is, however, a caveat to this- the https_fingerprint provided in the sample code is no longer valid: you will need to get the current value from https://asksensors.com. There is a further caveat- the certificate is currently issued by Let's Encrypt and these have a limited lifespan, so if AskSensors continue to use Let's Encrypt as their CA, your code will need to be updated on a regular basis- that is, if you want to verify the certificate. I won't make a recommendation, but for myself, I'll use "client.setInsecure()" for convenience and for the time being.
Also of interest, the following commented code in the sample won't work when uncommented as the logic is superseded by the use of "setFingerprint()":

//   ignore certificate verification 
/*  if (client.verify(https_fingerprint, https_host)) {
    Serial.println("-> certificate matches");
  } else {
    Serial.println("-> certificate doesn't match");
  }
*/  

Please excuse any errors in formatting, coding conventions and so on. Corrections welcome.
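
A third option besides setInsecure() and setFingerprint(), shown as an added example that is not part of the post above or of the AskSensors sample: pin the root CA with BearSSL's setTrustAnchors(), so validation stays on and leaf-certificate renewals under the same root need no firmware change. It assumes an ESP8266 Arduino core whose WiFiClientSecure is BearSSL-based; WIFI_SSID, WIFI_PASS, https_port, ROOT_CA_PEM and syncClock() are illustrative names, the host value is taken from the URL in the post, and the PEM body is a placeholder to fill in.

```arduino
// Added example (not AskSensors code): verify the server's chain against a
// pinned root CA instead of a leaf fingerprint or setInsecure().
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <time.h>

const char* WIFI_SSID  = "your-ssid";        // placeholder
const char* WIFI_PASS  = "your-password";    // placeholder
const char* https_host = "asksensors.com";   // assumed from the URL in the post
const uint16_t https_port = 443;             // assumed standard HTTPS port

// Placeholder: paste the PEM of the root CA that signs the server's chain.
static const char ROOT_CA_PEM[] PROGMEM = R"PEM(
-----BEGIN CERTIFICATE-----
REPLACE_WITH_ROOT_CA_PEM
-----END CERTIFICATE-----
)PEM";

BearSSL::X509List trustAnchors(ROOT_CA_PEM);
BearSSL::WiFiClientSecure client;

// Certificate validity dates are checked against the clock, so wait for NTP.
bool syncClock(uint32_t timeoutMs) {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  uint32_t start = millis();
  while (time(nullptr) < 1546300800) {       // 2019-01-01 00:00:00 UTC
    if (millis() - start > timeoutMs) return false;
    delay(250);
  }
  return true;
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) delay(250);
  if (!syncClock(30000)) {                   // fail closed: no time, no TLS
    Serial.println("-> no NTP time, not connecting");
    return;
  }
  client.setTrustAnchors(&trustAnchors);     // chain and hostname are verified
  if (!client.connect(https_host, https_port)) {
    Serial.println("-> TLS failed (chain, hostname or validity period)");
    return;
  }
  Serial.println("-> certificate chain verified against pinned root CA");
  client.stop();
}
void loop() {}
```

With the placeholder left in place the trust-anchor list is empty and the connection is refused, which is the intended fail-closed behaviour until a real root certificate is supplied.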

Re: Comments on example code at https://github.com/asksensors/AskSensors-ESP8266-DHT

Post by Guru » Wed Jan 23, 2019 9:37 pm

Hello,
Thank you for the comments.
Indeed, you are right. The changes of the AskSensors certificate cause the issue you described. This is why we have suggested (month ago) to users to use the http library instead of the https (the http demo code is also provided, in the same GitHub project).
https://github.com/asksensors/AskSensor ... tp_get.ino

I like your suggestion of client.setInsecure() ;-)
