3

I'm looking for a way to automatically get the SHA-1 fingerprint of a certain website with my Arduino.

I'm using an ESP8266 Arduino. I have a program that makes an API call every few seconds to a certain website from my Arduino. Because this website is using HTTPS, I'm using the WiFiClientSecureBearSSL.h library.

In order to use this library, you must provide the SHA-1 fingerprint. The problem is that every time the website changes its fingerprint, I need to manually change it in my code.

Is there any way to get the fingerprint automatically?

Thanks

Shali

1 Answer

2

I have a similar problem. I don't want to update my ESP over OTA every time an SSL certificate changes.

But you are not alone and a lot of users want a solution. See https://esp32.com/viewtopic.php?t=8744

Sometimes you can find the certificate or fingerprint directly on the webpage, like on https://letsencrypt.org/certificates/. Sometimes you have to write a script to retrieve the certificate or fingerprint.

As written in the forum, my solution is not good (security reasons), but works:
1. Set up an alternative webserver with HTTP, for when the certificate fails
2. Send a request to this server to ask for a new certificate/fingerprint
3. Save the new fingerprint in your ESP

I made a simple page to retrieve the SSL from other webservers over PHP: https://projects.petrucci.ch/esp32/?page=ssl.php&url=https%3A%2F%2Fwww.stackoverflow.com

There is also PHP code, so you can implement it on your webpage if you have a server with PHP. Just use this: openssl_x509_fingerprint($cert);

Hope to find a better solution one day (or maybe the ESP will automatically get the fingerprint in the future, like every browser).

Adriano
  • Awesome, thanks for the detailed answer. I hope there will be one day a library that will do this for Arduino. – Shali Nov 13 '19 at 22:59
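
The answer above notes that fetching a replacement fingerprint over plain HTTP is insecure. As an added example (not part of the original answer or the answerer's code), this Python model shows one way to authenticate that update with an HMAC, so the device only stores a fingerprint that the helper server really issued. The key, message layout, host name and 300-second freshness window are assumptions, and the device is assumed to have a synchronized clock.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions for this example, not from the page).
DEVICE_KEY = b"constructed-provisioning-key-0001"  # flashed once, shared with the helper server
MAX_AGE_S = 300                                     # how old a signed update may be
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
FP_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")


def fingerprint_of(der_cert: bytes) -> str:
    """SHA-1 of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def _mac(body: str, key: bytes) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest().encode()


def sign_update(host: str, fingerprint: str, issued_at: int, key: bytes) -> str:
    """Helper-server side: emit 'host|fingerprint|issued_at|mac'."""
    body = f"{host}|{fingerprint}|{issued_at}"
    return f"{body}|{_mac(body, key).decode()}"


def accept_update(message: str, expected_host: str, now: int, key: bytes):
    """Device side: return the new fingerprint, or None if the update is rejected."""
    parts = message.split("|")
    if len(parts) != 4:
        return None
    host, fingerprint, issued_at, mac = parts
    # Check the MAC first, in constant time; nothing else is trusted before this passes.
    if not hmac.compare_digest(mac.encode(), _mac(f"{host}|{fingerprint}|{issued_at}", key)):
        return None
    if host != expected_host or not FP_RE.match(fingerprint):
        return None
    # Reject stale or future-dated messages so an old fingerprint cannot be replayed.
    if not issued_at.isdecimal() or not 0 <= now - int(issued_at) <= MAX_AGE_S:
        return None
    return fingerprint
```

The MAC only proves the message came from the helper server; that server still has to verify the site's certificate chain itself before signing a fingerprint.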