- Tue Jan 17, 2017 3:58 pm
#61153
Is there a way to do an over the air update via SSL?
Moderator: igrr
- Wed Jan 18, 2017 11:49 am
#61193
The answer is yes. You just need to include a fingerprint in the call (https://github.com/esp8266/Arduino/blob/master/libraries/ESP8266httpUpdate/src/ESP8266httpUpdate.h#L78). But if your webserver does/can not modify TLS fragment sizes it will likely crash. See Igrr's response below:
Do you control the server which is serving OTA updates? Can you possibly enable TLS fragment size negotiation extension on the server side? Your code is crashing because it is running out of RAM. Sadly axTLS is not robust enough to bail out gracefully in oom condition. Reducing TLS fragment size can help reduce RAM requirements significantly.[/quotientSecure.
I know that nginx has an option to enable fragment length negotiation, known as ssl_buffer_size:
http://nginx.org/en/docs/http/ngx_http_ ... uffer_size
So if Tomcat doesn't support this TLS extension, you may set up an nginx proxy to do TLS termination and forward requests to your Tomcat server.
Default TLS buffer size is 16K bytes, so it does eat up considerable chunk of RAM on the ESP8266, and combined with handshake data this leaves next to nothing for the rest of the application.
On the ESP8266 core side of things, we have a patch to support fragment length negotiation as well (https://github.com/igrr/axtls-8266/comm ... 66678c5808), but it is not integrated into the Arduino core yet. I'll try to find some time to expose fragment length negotiation to WiFiClientSecure.
