Where to get ESP8266 tls finger print?

[dzungpv]

I am testing TLS for ESP32 and ESP8266, but how can get ESP8266 fingerprint? Because ESP32 use root ca cert and I have successful running it. Why no include function to convert fingerprint from root ca cert so both platform using the same API?
Update: seem ESP8266 not support tls, in the example you are using 1883 port https://github.com/bertmelis/espMqttClient/blob/246e56df06e39fbf9f246ff0591d8111fc29b644/examples/tls-esp8266/tls-esp8266.ino#L10C9-L10C18

[bertmelis]

There's a script to get the fingerprint here: https://github.com/bertmelis/espMqttClient/blob/main/scripts/get-fingerprint.py
The example indeed has port 1883 specified which should be 8883.

The API depends on the underlying WiFiclientSecure libraries which are different for esp32 and esp8266.

[dzungpv]

I tested ESP8266 tls with Arduino on Mac but it failed, so I am not using TLS for ESP8266 yet.

[bertmelis]

Unless you give us some more info we cannot help. "It doesn't work" is not enough.

[dzungpv]

It is work now after I fully make your lib compatible with ESP IDF.

[Pablo2048]

@dzungpv you can use certificates in ESP8266. This is ho I'm doing it:

#if defined(ESP8266)
            mpRootCert = new BearSSL::X509List(ca);
            mpClientCert = new BearSSL::X509List(pem);
            mpClientKey = new BearSSL::PrivateKey(key);
            mMqttClient.setTrustAnchors(mpRootCert);
            mMqttClient.setClientRSACert(mpClientCert, mpClientKey);
            mMqttClient.setBuffers(2048, 2048);
#endif

.setBuffers is my addition (and would be in my PR after testing) to @bertmelis code to allow to set tx and rx SSL buffer size in BearSSL to lower the memory consumption.
Remember - you need ESP8266 RTC to be synced (NTP), because ESP8266 BearSSL is compiled with time checking of certificate validity.

[dzungpv]

But use the pem and key my cause security consent, because hacker can decode your firmware.
I am not use BearSSL in the past, but can it work with only?

mMqttClient.setTrustAnchors(mpRootCert);

[Pablo2048]

The code fragment from me came from my AWS IoT library, where client is identified to the broker by its certificate and key, so setTrustAnchor would be enough in case you are using common user name and password for MQTT. Hacker can decode your login name and password the same way as client certificate and key - if you want more security, don't use ESP8266.

[dzungpv]

Yes, ESP8266 is just for some of my spare time project. I use ESP32 ECO3 with flash encryption and secure boot enable for other projects. I will try your suggestion with the setTrustAnchor