ESP32/ESP8266 with HTTPS and SSL/TLS Encryption: Basic Concepts

Table of Contents

ESP32 ESP8266 NodeMCU HTTPS and SSL TLS Encryption Basic Concepts

Throughout this short article, we’ll cover the following subjects:

HTTPS is the safe variation of the HTTP method, therefore the “S”, which stands for safe. Extremely briefly:

What is HTTPS? 

In recap, here’s just how it functions:

How the communication in between the server and also client works over HTTPS?

HTTP vs HTTPS requests protocol

For an ESP8266 HTTPS web server, you can take an appearance at an example making use of the ESP8266WebServer collection on the adhering to link:

Why do you need HTTPS?

In this tutorial, we’ve taken a look at the HTTPS method, SSL/TLS security, and SSL certifications.

  • Privacy: no one can spy on your requests and passwords because the messages are encrypted.
  • Integrity: the message is not manipulated on its way to its destination (prevents men-in-the-middle) attacks.
  • Identification: when using HTTPS, via SSL certificates, you ensure you are connected to the server you would expect.

What is SSL/TLS?

Table of Contents

How does SSL/TLS encryption work?

Throughout this short article, we’ll cover the following subjects:

HTTPS is the safe and secure variation of the HTTP method, therefore the “S”, which stands for protected.

Using HTTPS makes sure the following:

Symmetric key encryption How does SSL TLS encryption work

SSL stands for Secure Socket Layer and TLS stands for Transport Layer Security. Very briefly:

In recap, right here’s exactly how it functions:

How the interaction in between the server as well as customer functions over HTTPS?

Asymmetric Key Encryption SSL TLS encryption

If you’re using the WiFiClient library, you simply require to make the complying with changes:

  • You have two asymmetric keys: a public key and a private key.
  • The public key and private key work together.
  • The public key, as the name suggests, is visible to anyone.
  • Only the private key can decrypt the message encrypted with the corresponding public key.

Public Key and Private Key

With this, you ensure that your interaction is encrypted utilizing TLS.

  • The browser client tries to contact the server.
  • The server sends the public key to the client (browser) via the server’s SSL certificate.
  • The browser sends a message to the server encrypted with the public key.
  • Only the ones with the private key (the server) can decipher the message.

Communication over HTTPS

For an ESP8266 HTTPS internet server, you can take a look at an instance making use of the ESP8266WebServer library on the adhering to web link:

HTTPS communication with SSL certificate
  • You, the client on your browser, try to connect with the server (1);
  • The server sends back its certificate (2) so that the browser can check the authenticity of the server (3). The certificate contains the public key.
  • If the certificate is valid, the client creates a new key (called session key) (4) that will be used later to encrypt communication between the client and server.
  • The client encrypts the session key using the public key sent by the server (5).
  • The server receives the session key encrypted with the public key and can decipher the message because only the server has access to the corresponding private key to decrypt the message (6);
  • From now on, both the client and server have a secret key (that’s only known to them) that they can use to encrypt further communication (7) (symmetric key encryption).

SSL Certificates

In this tutorial, we’ve taken an appearance at the HTTPS procedure, SSL/TLS security, as well as SSL certifications.

When a Certificate Authority issues a certificate, it signs the certificate with its root certificate. This root certificate should be on the database of trusted certificates.

SSL Certificates Client Server interaction

Your browser then checks if the certificate is valid (if it was signed with a root certificate on the database of trusted root certificates) and displays a green lock icon on the browser bar if it is.

Self-signed Certificates

You can self-sign your certificates. These provide the same level of encryption as one generated by an authority, and these are free. However, all browsers will check if the certificate is issued by a trusted Certificate Authority. So, you’ll be warned by your browser that the site you’re visiting is not safe because it doesn’t trust the certificate and so, can’t identify its owner.

Self-signed certificates web browser

The web browser will display a warning sign and the HTTPS letters in red. This means the website has a certificate, but the certificate is unverified (like self-signed certificates) or out of date. This means that the connection between you and the server is encrypted, but no one can guarantee that the domain really belongs to the company indicated on the site. 

Self-signed certificates are fine to use on your DIY and IoT projects, intranets, like your local network, or inside a company’s network. However, if you’re creating a project for a company that will be accessed by clients outside the company network, like a public website, it’s best to use a certificate from a Certificate Authority.

SSL certificates have an expiry date. So, if you’re using an ESP32 to connect to a website via HTTPS, you should keep in mind that you’ll need to update the code with the new website’s certificate in the future.

If you’re still confused about all of these new terms, we recommend taking a look at the following website that explains in a fun way how everything works:

ESP32: HTTPS Requests (Arduino IDE)

If you’re familiar with HTTP requests with the ESP32 “migrating” to HTTPS is very straightforward.

ESP32 HTTPS Requests Arduino IDE secure connection client server SSL certificate

If you’re using the WiFiClient library, you just need to make the following changes:

  1. Use WiFiClientSecure.h library instead of WiFiClient.h
  2. Use port 443 instead of port 80
  3. Change the host URL to https instead of http

With this, you ensure that your communication is encrypted using TLS.

An additional security step is to check the server certificate (the certificate of the website you want to connect to). You can skip this step while testing and prototyping. The communication will be encrypted, but you won’t be sure of the integrity of the server you are trying to communicate with.

You can also find examples using HTTPS with the HTTPClient library.

If you want to start working on your HTTPS requests right away, take a look at the examples provided in the ESP32 package for the Arduino core.

  • WiFiClientSecure example: File > Examples > ESP32 > WFiClientSecure >
  • HTTPClient with HTTPS example: File > Examples > ESP32 > BasicHttpsClient >

ESP32 HTTPS Server (Arduino IDE)

ESP32 HTTPS Requests Arduino IDE secure connection client server SSL certificate

At the moment, there are not many examples of building an HTTPS web server with the ESP32 using the Arduino core. Unfortunately, the AsyncWebServer library that we use in most of our projects, doesn’t fully support HTTPS at the moment.

Nevertheless, there is another library that provides easy methods to build an ESP32 HTTPS web server, including an example that generates certificates on the fly. Here’s a link to the library: .

If you’re familiar with ESP-IDF, you can take a look at the documentation on the following link:

ESP8266 HTTPS Requests (Arduino IDE)

ESP8266 NodeMCU HTTPS Requests Arduino IDE secure connection client server SSL certificate

There are several examples that show how to make HTTPS requests with the ESP8266. You can check the examples available in your Arduino IDE. Make sure you have the latest version of the ESP8266 boards installed to make sure you have access to the latest version of the examples and that these will work.

To update the ESP8266 boards’ installation, you just need to go to Tools > Boards > Boards Manager, search for ESP8266, and install the latest version.

Then, you’ll have access to the examples’ latest version. You can check the following examples:

  • Basic HTTPS Client using the ESP8266HTTPClient library: File > Examples > ESP8266HTTPClient >
  • Basic HTTPS Client using WiFiClientSecure library: File > Examples > ESP8266WiFi >

You’ll need to update the certificates and fingerprints to make the examples work. If you can’t make the examples work, don’t worry, we’ll publish some tutorials with examples and instructions soon.

ESP8266 HTTPS Server (Arduino IDE)

ESP8266 NodeMCU Server HTTPS Requests Arduino IDE secure connection client server SSL certificate

The ESP8266 is not optimized for SSL cryptography, so running an HTTPS Server on the ESP8266 is very demanding. You need to set the clock frequency to 160MHz and even so, you might get unexpected resets on the board.

For an ESP8266 HTTPS web server, you can take a look at an example using the ESP8266WebServer library on the following link:

Wrapping Up

In this tutorial, we’ve taken a look at the HTTPS protocol, SSL/TLS encryption, and SSL certificates. I’m far from being an expert in these subjects, so if anything doesn’t sound right in this article, please let me know in the comments below.

We’ve also taken a quick look at possible ways to secure your ESP32/ESP8266 IoT projects: how to make HTTPS requests and how to set the ESP32/ESP8266 as an HTTPS server with a certificate. We’ll create more tutorials with practical examples about these subjects in the upcoming weeks, so stay tuned.

If you have any examples of HTTPS servers with the ESP32 or are familiar with any other libraries to build an HTTPS server, please share them in the comments below.

Thanks for reading.