
I need to develop a secure web application for an embedded device. I'm already using lwIP, its internal HTTPD and mbed TLS in the device, and I'm facing the question of whether to rewrite lwIP's httpd.c for HTTPS support or use a different HTTP server which already supports it (I haven't found any yet).

I suppose many people here have already dealt with this before (HTTPS server in an embedded device), so I'd like to ask if anyone could provide examples or a description of how they did it. I'm planning to rewrite the TCP I/O functions in httpd.c to use mbed TLS functions. I'd like to know if this is a good enough path to take, as I don't have much experience with HTTPS.

Also, if anybody from the lwIP team reads this, I'd like to ask whether you could add a compile option so we can use custom functions instead of tcp_write, tcp_poll, etc., so we don't have to change the httpd.c file.

wildfireheart
  • Do you want to run an HTTPS server or an HTTPS client on the device? HTTPS client => https://os.mbed.com/teams/sandbox/code/mbed-http/, but I don't have anything for an HTTPS server. – Jan Jongboom Apr 06 '18 at 09:39
  • @JanJongboom HTTPS server. Basically these devices will be plugged into a not-so-secure LAN and the web application is for changing device settings and viewing confidential data, so I think securing it against MITM attacks is quite essential. – wildfireheart Apr 06 '18 at 10:10
  • You might be able to use the [ssl_server](https://github.com/ARMmbed/mbedtls/tree/development/programs/ssl) example from Mbed TLS, but it would require integrating it with Mbed OS. I'd suggest not to integrate directly with LwIP but rather build it on top of the Mbed OS NSAPI / NetworkInterface classes, to keep it portable. – Jan Jongboom Apr 06 '18 at 10:43
  • @JanJongboom Thanks for examples. They (or at least some of them) use only Mbed TLS, so I'll probably be able to insert this functionality between lwIP TCP layer and modified lwIP HTTPD. Hopefully that will solve my problem. – wildfireheart Apr 06 '18 at 11:02
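
The plan in the question and the last comment (putting mbed TLS between lwIP's TCP layer and httpd) comes down to two non-blocking BIO callbacks registered with `mbedtls_ssl_set_bio()`. The sketch below is an added example, not code from this thread, lwIP or mbed TLS. `tls_conn`, `conn_on_tcp_data`, `conn_on_tcp_sent`, `CAP` and the in-memory buffers standing in for the lwIP connection are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Same values as MBEDTLS_ERR_SSL_WANT_READ / _WANT_WRITE in mbed TLS,
   redefined so this sketch builds without the mbed TLS headers. */
#define WANT_READ  (-0x6900)
#define WANT_WRITE (-0x6880)
#define CAP 64  /* constructed size, small so the "full" cases are easy to hit */

/* Hypothetical per-connection glue state; tx models lwIP's send buffer. */
typedef struct {
    unsigned char rx[CAP], tx[CAP];
    size_t rx_head, rx_len, tx_len;
} tls_conn;

/* Call from the TCP receive callback with incoming ciphertext. Returns bytes
   queued; fewer than len means the queue is full and the rest must be retried. */
size_t conn_on_tcp_data(tls_conn *c, const unsigned char *p, size_t len) {
    size_t n = 0;
    for (; n < len && c->rx_len < CAP; n++, c->rx_len++)
        c->rx[(c->rx_head + c->rx_len) % CAP] = p[n];
    return n;
}

/* Call from the TCP sent callback: acknowledged bytes free send-buffer space. */
void conn_on_tcp_sent(tls_conn *c, size_t acked) {
    if (acked > c->tx_len) acked = c->tx_len;
    memmove(c->tx, c->tx + acked, c->tx_len - acked);
    c->tx_len -= acked;
}

/* f_recv for mbedtls_ssl_set_bio(): never blocks, empty queue => WANT_READ. */
int bio_recv(void *ctx, unsigned char *buf, size_t len) {
    tls_conn *c = ctx;
    if (c->rx_len == 0) return WANT_READ;
    size_t n = len < c->rx_len ? len : c->rx_len;
    for (size_t i = 0; i < n; i++, c->rx_head = (c->rx_head + 1) % CAP)
        buf[i] = c->rx[c->rx_head];
    c->rx_len -= n;
    return (int)n;
}

/* f_send for mbedtls_ssl_set_bio(): partial write is fine, full => WANT_WRITE. */
int bio_send(void *ctx, const unsigned char *buf, size_t len) {
    tls_conn *c = ctx;
    size_t space = CAP - c->tx_len;
    if (space == 0) return WANT_WRITE;
    size_t n = len < space ? len : space;
    memcpy(c->tx + c->tx_len, buf, n);  /* real glue: tcp_write() then tcp_output() */
    c->tx_len += n;
    return (int)n;
}
```

Because lwIP's raw API is callback-driven, the TLS layer cannot block: `mbedtls_ssl_handshake()`, `mbedtls_ssl_read()` and `mbedtls_ssl_write()` have to be called again from the next receive or sent callback whenever they return one of these WANT codes.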

0 Answers