1. 简介
1.1 HTTPS
HTTPS(HyperText Transfer Protocol over Secure Socket Layer),全称安全套接字层超文本传输协议,一般理解为HTTP+SSL/TLS,通过SSL证书来验证服务器的身份,并为浏览器和服务器之间的通信进行加密。该协议使用443端口进行通信。
它解决的是HTTP协议明文传输的不安全性,HTTPS协议在数据进行传输之前,对数据进行加密,然后再发送到服务器。这样,就算数据被第三者所截获,但是由于数据是加密的,所以你的个人信息仍然是安全的。
1.2 SSL/TLS
SSL(Secure Socket Layer,安全套接字层):1994年为 Netscape 所研发,SSL 协议位于 TCP/IP 协议与各种应用层协议之间,为数据通讯提供安全支持。
TLS(Transport Layer Security,传输层安全):其前身是 SSL,它最初的几个版本(SSL 1.0、SSL 2.0、SSL 3.0)由网景公司开发,1999年从 3.1 开始被 IETF 标准化并改名,发展至今已经有 TLS 1.0、TLS 1.1、TLS 1.2 三个版本。SSL 3.0和TLS 1.0由于存在安全漏洞,已经很少被使用到。
1.3 通信流程
2. 例程
因为HTTPS相对于HTTP只是多了加密的过程,所以例程大体是沿用前一篇文章的代码,所以下面只会讲解加密部分的代码。
2.1 函数API
2.1.1 启动服务器
esp_err_t httpd_ssl_start(httpd_handle_t *handle, httpd_ssl_config_t *config)- handle:HTTPS句柄;
- config:服务器配置。
struct httpd_ssl_config {httpd_config_t httpd;const uint8_t *servercert;size_t servercert_len;const uint8_t *cacert_pem;size_t cacert_len;const uint8_t *prvtkey_pem;size_t prvtkey_len;bool use_ecdsa_peripheral;uint8_t ecdsa_key_efuse_blk;httpd_ssl_transport_mode_t transport_mode;uint16_t port_secure;uint16_t port_insecure;bool session_tickets;bool use_secure_element;esp_https_server_user_cb *user_cb;void *ssl_userdata;esp_tls_handshake_callback cert_select_cb;const char** alpn_protos;
};配置结构体的内容比较多,ESP-IDF也提供了HTTPD_SSL_CONFIG_DEFAULT宏进行快速默认配置,所以下面只解释一些常用的配置:
- servercert:服务器证书;
- servercert_len:服务器证书长度;
- cacert_pem:CA证书;
- cacert_len:CA证书长度;
- prvtkey_pem:私钥;
- prvtkey_len:私钥长度;
- port_secure:安全端口,即采用https访问时的端口,默认为443;
- port_insecure:非安全端口,即采用http访问时的端口,默认为80;
- user_cb:用户回调,主要用于客户端连接或断开时进行自定义处理;
2.2 代码
#include "freertos/FreeRTOS.h"#include "esp_system.h"
#include "esp_wifi.h"
#include "esp_event.h"
#include "esp_log.h"
#include "nvs_flash.h"
#include "sys/socket.h"
#include "lwip/err.h"
#include "lwip/sys.h"
#include "netdb.h"
#include "arpa/inet.h"
#include "esp_https_server.h"
#include "esp_tls.h"
#include "mbedtls/base64.h"#include <string.h>#define TAG "app"static httpd_handle_t server_handle;static const uint8_t servercert[] =
"-----BEGIN CERTIFICATE-----\n\
MIIDKzCCAhOgAwIBAgIUBxM3WJf2bP12kAfqhmhhjZWv0ukwDQYJKoZIhvcNAQEL\n\
BQAwJTEjMCEGA1UEAwwaRVNQMzIgSFRUUFMgc2VydmVyIGV4YW1wbGUwHhcNMTgx\n\
MDE3MTEzMjU3WhcNMjgxMDE0MTEzMjU3WjAlMSMwIQYDVQQDDBpFU1AzMiBIVFRQ\n\
UyBzZXJ2ZXIgZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n\
ALBint6nP77RCQcmKgwPtTsGK0uClxg+LwKJ3WXuye3oqnnjqJCwMEneXzGdG09T\n\
sA0SyNPwrEgebLCH80an3gWU4pHDdqGHfJQa2jBL290e/5L5MB+6PTs2NKcojK/k\n\
qcZkn58MWXhDW1NpAnJtjVniK2Ksvr/YIYSbyD+JiEs0MGxEx+kOl9d7hRHJaIzd\n\
GF/vO2pl295v1qXekAlkgNMtYIVAjUy9CMpqaQBCQRL+BmPSJRkXBsYk8GPnieS4\n\
sUsp53DsNvCCtWDT6fd9D1v+BB6nDk/FCPKhtjYOwOAZlX4wWNSZpRNr5dfrxKsb\n\
jAn4PCuR2akdF4G8WLUeDWECAwEAAaNTMFEwHQYDVR0OBBYEFMnmdJKOEepXrHI/\n\
ivM6mVqJgAX8MB8GA1UdIwQYMBaAFMnmdJKOEepXrHI/ivM6mVqJgAX8MA8GA1Ud\n\
EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADiXIGEkSsN0SLSfCF1VNWO3\n\
emBurfOcDq4EGEaxRKAU0814VEmU87btIDx80+z5Dbf+GGHCPrY7odIkxGNn0DJY\n\
W1WcF+DOcbiWoUN6DTkAML0SMnp8aGj9ffx3x+qoggT+vGdWVVA4pgwqZT7Ybntx\n\
bkzcNFW0sqmCv4IN1t4w6L0A87ZwsNwVpre/j6uyBw7s8YoJHDLRFT6g7qgn0tcN\n\
ZufhNISvgWCVJQy/SZjNBHSpnIdCUSJAeTY2mkM4sGxY0Widk8LnjydxZUSxC3Nl\n\
hb6pnMh3jRq4h0+5CZielA4/a+TdrNPv/qok67ot/XJdY3qHCCd8O2b14OVq9jo=\n\
-----END CERTIFICATE-----";static const uint8_t prvkey[] =
"-----BEGIN PRIVATE KEY-----\n\
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwYp7epz++0QkH\n\
JioMD7U7BitLgpcYPi8Cid1l7snt6Kp546iQsDBJ3l8xnRtPU7ANEsjT8KxIHmyw\n\
h/NGp94FlOKRw3ahh3yUGtowS9vdHv+S+TAfuj07NjSnKIyv5KnGZJ+fDFl4Q1tT\n\
aQJybY1Z4itirL6/2CGEm8g/iYhLNDBsRMfpDpfXe4URyWiM3Rhf7ztqZdveb9al\n\
3pAJZIDTLWCFQI1MvQjKamkAQkES/gZj0iUZFwbGJPBj54nkuLFLKedw7DbwgrVg\n\
0+n3fQ9b/gQepw5PxQjyobY2DsDgGZV+MFjUmaUTa+XX68SrG4wJ+DwrkdmpHReB\n\
vFi1Hg1hAgMBAAECggEAaTCnZkl/7qBjLexIryC/CBBJyaJ70W1kQ7NMYfniWwui\n\
f0aRxJgOdD81rjTvkINsPp+xPRQO6oOadjzdjImYEuQTqrJTEUnntbu924eh+2D9\n\
Mf2CAanj0mglRnscS9mmljZ0KzoGMX6Z/EhnuS40WiJTlWlH6MlQU/FDnwC6U34y\n\
JKy6/jGryfsx+kGU/NRvKSru6JYJWt5v7sOrymHWD62IT59h3blOiP8GMtYKeQlX\n\
49om9Mo1VTIFASY3lrxmexbY+6FG8YO+tfIe0tTAiGrkb9Pz6tYbaj9FjEWOv4Vc\n\
+3VMBUVdGJjgqvE8fx+/+mHo4Rg69BUPfPSrpEg7sQKBgQDlL85G04VZgrNZgOx6\n\
pTlCCl/NkfNb1OYa0BELqWINoWaWQHnm6lX8YjrUjwRpBF5s7mFhguFjUjp/NW6D\n\
0EEg5BmO0ePJ3dLKSeOA7gMo7y7kAcD/YGToqAaGljkBI+IAWK5Su5yldrECTQKG\n\
YnMKyQ1MWUfCYEwHtPvFvE5aPwKBgQDFBWXekpxHIvt/B41Cl/TftAzE7/f58JjV\n\
MFo/JCh9TDcH6N5TMTRS1/iQrv5M6kJSSrHnq8pqDXOwfHLwxetpk9tr937VRzoL\n\
CuG1Ar7c1AO6ujNnAEmUVC2DppL/ck5mRPWK/kgLwZSaNcZf8sydRgphsW1ogJin\n\
7g0nGbFwXwKBgQCPoZY07Pr1TeP4g8OwWTu5F6dSvdU2CAbtZthH5q98u1n/cAj1\n\
noak1Srpa3foGMTUn9CHu+5kwHPIpUPNeAZZBpq91uxa5pnkDMp3UrLIRJ2uZyr8\n\
4PxcknEEh8DR5hsM/IbDcrCJQglM19ZtQeW3LKkY4BsIxjDf45ymH407IQKBgE/g\n\
Ul6cPfOxQRlNLH4VMVgInSyyxWx1mODFy7DRrgCuh5kTVh+QUVBM8x9lcwAn8V9/\n\
nQT55wR8E603pznqY/jX0xvAqZE6YVPcw4kpZcwNwL1RhEl8GliikBlRzUL3SsW3\n\
q30AfqEViHPE3XpE66PPo6Hb1ymJCVr77iUuC3wtAoGBAIBrOGunv1qZMfqmwAY2\n\
lxlzRgxgSiaev0lTNxDzZkmU/u3dgdTwJ5DDANqPwJc6b8SGYTp9rQ0mbgVHnhIB\n\
jcJQBQkTfq6Z0H6OoTVi7dPs3ibQJFrtkoyvYAbyk36quBmNRjVh6rc8468bhXYr\n\
v/t+MeGJP/0Zw8v/X2CFll96\n\
-----END PRIVATE KEY-----";static const char index_html[] = " \
<!DOCTYPE html> \
<html> \
<head> \
<meta charset=\"utf-8\"> \
<title>index</title> \
</head> \
\
<body> \<h1>Hello from ESP32</h1> \
</body> \<form action=\"/hello\" method=\"post\"> \<label for=\"name\">What's your name:</label> \<input type=\"text\" id=\"name\" name=\"name\" required> \<input type=\"submit\" value=\"OK\"></button> \</form> \
</html> \
";static const char hello_html_template[] = " \
<!DOCTYPE html> \
<html> \
<head> \
<meta charset=\"utf-8\"> \
<title>hello</title> \
</head> \
\
<body> \<h1>Oh, Hello %s</h1> \
</body> \
\
</html> \
";static esp_err_t index_get_handler(httpd_req_t *req)
{/* 获取Host信息 */size_t buf_len = httpd_req_get_hdr_value_len(req, "Host") + 1;if (buf_len > 1) {char *buf = malloc(buf_len);if (httpd_req_get_hdr_value_str(req, "Host", buf, buf_len) == ESP_OK) {ESP_LOGI(TAG, "Get request to host: %s", buf);}free(buf);}/* 回复数据包 */httpd_resp_sendstr(req, index_html);return ESP_OK;
}static const httpd_uri_t index_uri = {.uri = "/index",.method = HTTP_GET,.handler = index_get_handler,.user_ctx = NULL
};static esp_err_t hello_post_handler(httpd_req_t *req)
{/* 获取Host信息 */size_t buf_len = httpd_req_get_hdr_value_len(req, "Host") + 1;if (buf_len > 1) {char *buf = malloc(buf_len);if (httpd_req_get_hdr_value_str(req, "Host", buf, buf_len) == ESP_OK) {ESP_LOGI(TAG, "Post request to host: %s", buf);}free(buf);}/* 获取内容长度 */int len = 0;{char *buf = malloc(128);memset(buf, 0, 128);if (httpd_req_get_hdr_value_str(req, "Content-Length", buf, 128) != ESP_OK) {ESP_LOGE(TAG, "Get content length failed");return ESP_FAIL;}len = atoi(buf) + 1;free(buf);}/* 获取表单数据 */char *buf = malloc(len);memset(buf, 0, len);if (httpd_req_recv(req, buf, len) <= 0) {ESP_LOGE(TAG, "Receive request content failed");return ESP_FAIL;}if (strstr(buf, "name=") == NULL) {ESP_LOGE(TAG, "Can't found fleid \"name\"");free(buf);return ESP_FAIL;}/* 发送数据 */char *hello_html = malloc(1024);snprintf(hello_html, 1024, hello_html_template, buf + strlen("name="));httpd_resp_sendstr(req, hello_html);free(buf);free(hello_html);return ESP_OK;
}static const httpd_uri_t hello_uri = {.uri = "/hello",.method = HTTP_POST,.handler = hello_post_handler,.user_ctx = NULL
};static void print_peer_cert_info(const mbedtls_ssl_context *ssl)
{const mbedtls_x509_crt *cert;const size_t buf_size = 1024;char *buf = calloc(buf_size, sizeof(char));if (buf == NULL) {ESP_LOGE(TAG, "Out of memory - Callback execution failed!");return;}cert = mbedtls_ssl_get_peer_cert(ssl);if (cert != NULL) {mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", cert);ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);} else {ESP_LOGW(TAG, "Could not obtain the peer certificate!");}free(buf);
}static void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
{mbedtls_ssl_context *ssl_ctx = NULL;switch(user_cb->user_cb_state) {case HTTPD_SSL_USER_CB_SESS_CREATE:int sockfd = -1;esp_err_t esp_ret;esp_ret = esp_tls_get_conn_sockfd(user_cb->tls, &sockfd);if (esp_ret != ESP_OK) {ESP_LOGE(TAG, "Error in obtaining the sockfd from tls context");break;}ESP_LOGI(TAG, "Socket FD: %d", sockfd);ssl_ctx = (mbedtls_ssl_context *) esp_tls_get_ssl_context(user_cb->tls);if (ssl_ctx == NULL) {ESP_LOGE(TAG, "Error in obtaining ssl context");break;}ESP_LOGI(TAG, "Current Ciphersuite: %s", mbedtls_ssl_get_ciphersuite(ssl_ctx));break;case HTTPD_SSL_USER_CB_SESS_CLOSE:ssl_ctx = (mbedtls_ssl_context *) esp_tls_get_ssl_context(user_cb->tls);if (ssl_ctx == NULL) {ESP_LOGE(TAG, "Error in obtaining ssl context");break;}print_peer_cert_info(ssl_ctx);break;default:break;}
}static void event_handler(void* arg,esp_event_base_t event_base,int32_t event_id,void* event_data)
{if (event_base == IP_EVENT) {if (event_id == IP_EVENT_STA_GOT_IP) {/* 配置 */httpd_ssl_config_t conf = HTTPD_SSL_CONFIG_DEFAULT();conf.servercert = servercert;conf.servercert_len = sizeof(servercert);conf.prvtkey_pem = prvkey;conf.prvtkey_len = sizeof(prvkey);conf.user_cb = https_server_user_callback;/* 启动服务器 */esp_err_t ret = httpd_ssl_start(&server_handle, &conf);if (ESP_OK != ret) {ESP_LOGI(TAG, "Error starting server!");return;}/* 注册URI */httpd_register_uri_handler(server_handle, &index_uri);httpd_register_uri_handler(server_handle, &hello_uri);ip_event_got_ip_t *data = event_data;ESP_LOGI(TAG, "HTTPS server started at https://" IPSTR "/index", IP2STR(&(data->ip_info.ip)));}} else if (event_base == WIFI_EVENT) {if (event_id == WIFI_EVENT_STA_DISCONNECTED) {static uint32_t retry = 1;ESP_LOGW(TAG, "Try reconnect WiFi, retry %lu", retry);vTaskDelay(500 / portTICK_PERIOD_MS);esp_wifi_connect();retry++;} else if (event_id == WIFI_EVENT_STA_START) {esp_wifi_connect();}}
}int app_main()
{/* 初始化NVS */esp_err_t ret = nvs_flash_init();if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) {ESP_ERROR_CHECK(nvs_flash_erase());ESP_ERROR_CHECK(nvs_flash_init());}/* 初始化WiFi协议栈 */ESP_ERROR_CHECK(esp_netif_init());ESP_ERROR_CHECK(esp_event_loop_create_default());esp_netif_create_default_wifi_sta();wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();ESP_ERROR_CHECK(esp_wifi_init(&cfg));ESP_ERROR_CHECK(esp_event_handler_instance_register(WIFI_EVENT,ESP_EVENT_ANY_ID,&event_handler,NULL,NULL));ESP_ERROR_CHECK(esp_event_handler_instance_register(IP_EVENT,IP_EVENT_STA_GOT_IP,&event_handler,NULL,NULL));wifi_config_t wifi_config = {.sta = {.ssid = "Your SSID",.password = "Your Password",.threshold.authmode = WIFI_AUTH_WPA_WPA2_PSK,},};ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA));ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config));ESP_ERROR_CHECK(esp_wifi_start());return 0;
}
https服务器需要配置自己的公钥和私钥,我这里使用的是官方例程给的,当然也可以自己生成;例程中也注册了用户回调,来演示如何获取客户端的套接字描述符和查看客户端的SSL验证信息。
调用httpd_ssl_start函数即可启动服务器,服务器启动后调用httpd_register_uri_handler函数注册URI服务,这里后面就跟上一篇文章的一样了。
网页的内容就跟之前的一样,在输入框中填写自己的名字,点击“OK”按钮就会跳转到另一个页面。
例程的log有时候会弹出0x7780错误,一般是由于没有设置CA证书导致,客户端或服务器认为对方不安全。