Hi,
I've just tested the OTA example via https and it works flawless. The problem is, that anybody can simply download the firmware file (bin file) from the server and flash it to another device, how do I prevent this from happening? What is the recommended way to do this?
Thanks
OTA: prevent stealing the firmware
Re: OTA: prevent stealing the firmware
I've just realized that I simply can turn on basic http authentication on the server side and set the authentication in the esp_http_client_config_t:
Code: Select all
esp_http_client_config_t config = {
.url = "someurl",
.cert_pem = (char *)server_cert_pem_start,
.timeout_ms = 5000,
.username = "myuser",
.password = "mypassword",
.auth_type = HTTP_AUTH_TYPE_BASIC
};
Re: OTA: prevent stealing the firmware
If you wish to prevent the firmware file from being downloaded from your HTTPS server, then you could add client authentication to your devices. This means that only an HTTP client with correct authentication is granted access to the file.
I know of two authentication mechanisms that the ESP IDF HTTP client supports. Firstly the good old HTTP authentication in basic or digest variant (just make sure you use HTTPS, not HTTP for basic auth):
https://docs.espressif.com/projects/esp ... entication
The advantage is that it's quite simple to do on both device and server side. The password could be shared between all your devices, or you could issue and send temporary passwords in whatever OTA command you send to the device. I just love that the HTTP client accepts a URL with a user name and password embedded into it (i.e. https://user:pass@server.com) - this really simplifies the job of issuing OTA commands with single-use logins.
Secondly you can do it with HTTPS certificates, i.e. mutual TLS. I don't know of a simple getting started guide existing, but the HTTP client does support it.
https://docs.espressif.com/projects/esp ... t_config_t
The advantage is that you can use the full power of the x509 certificate chain to verify the client as well as the server using trusted CA-s. But the custom PKI is a bit of work, though.
I know of two authentication mechanisms that the ESP IDF HTTP client supports. Firstly the good old HTTP authentication in basic or digest variant (just make sure you use HTTPS, not HTTP for basic auth):
https://docs.espressif.com/projects/esp ... entication
The advantage is that it's quite simple to do on both device and server side. The password could be shared between all your devices, or you could issue and send temporary passwords in whatever OTA command you send to the device. I just love that the HTTP client accepts a URL with a user name and password embedded into it (i.e. https://user:pass@server.com) - this really simplifies the job of issuing OTA commands with single-use logins.
Secondly you can do it with HTTPS certificates, i.e. mutual TLS. I don't know of a simple getting started guide existing, but the HTTP client does support it.
https://docs.espressif.com/projects/esp ... t_config_t
The advantage is that you can use the full power of the x509 certificate chain to verify the client as well as the server using trusted CA-s. But the custom PKI is a bit of work, though.
Who is online
Users browsing this forum: No registered users and 216 guests