# TLS Security

## Why TLS Matters for Industrial IoT
Energy monitoring data is sensitive — it reveals facility operational patterns, occupancy, and equipment usage. Transmitting this data unencrypted over MQTT (port 1883) exposes it to:
- Network sniffing on local Wi-Fi
- Man-in-the-middle attacks on internet paths
- Credential interception (MQTT username/password)
TLS encryption (MQTT over port 8883) protects data in transit and authenticates the broker.
## TLS Modes
| Mode | Security Level | Use Case |
|---|---|---|
| Fingerprint validation | Medium | Home/Small office — validates broker certificate fingerprint |
| CA certificate validation | High | Enterprise/AWS IoT/Azure IoT Hub — validates full certificate chain |
### Trade-offs
| Aspect | Fingerprint | CA Certificate |
|---|---|---|
| Setup complexity | Simple | Moderate |
| Broker cert renewal | Must update fingerprint | Automatic |
| Memory usage | Low | Higher (~20KB) |
| Man-in-the-middle | Protected (if fingerprint matches) | Fully protected |
| ESP32-C3 compatible | Yes | Yes |
## Obtaining TLS Certificates

### Option 1: Extract Fingerprint from Broker

```sh
openssl s_client -connect broker.example.com:8883 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout
```

Output: `sha256 Fingerprint=AA:BB:CC:DD:...`
### Option 2: Extract from Browser

- Open `https://broker.example.com:8883` in a browser
- Click the lock icon → Certificate → Details
- Copy the SHA-256 fingerprint
### Option 3: Let's Encrypt (Recommended)

Use a broker with a Let's Encrypt certificate so the broker certificate renews automatically. Note that every renewal changes the certificate fingerprint (see Troubleshooting), so pair this option with CA certificate validation where possible.
## Configuring TLS Fingerprint

### Step 1: Set MQTT Port to 8883

Via web UI → Configuration → Configure MQTT → Port: 8883

### Step 2: Set TLS Fingerprint

Via Tasmota console:

```
MqttFingerprint1 AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
```
### Step 3: Auto-Learn Mode (Alternative)

If you don't have the fingerprint handy, enable auto-learn:

The device learns the broker's fingerprint on the first successful TLS connection. Before trusting it, verify that the learned fingerprint matches the one you extracted from the broker yourself (Option 1); otherwise the device has pinned whatever certificate answered first, which could belong to an attacker on the path.
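As an added example (not RACKSYNC's or Tasmota's own code), the following Python script fetches the broker's certificate, derives the SHA-256 fingerprint in the `MqttFingerprint1` format, and compares a learned fingerprint with one you extracted yourself. It assumes only the Python standard library and the placeholder host `broker.example.com` used on this page; the meaning of the all-00 and all-FF sentinel values is taken from Tasmota's MQTT TLS documentation, not from this page.

```python
import hashlib
import hmac
import re
import socket
import ssl


def tasmota_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated upper-case hex,
    i.e. the form this page passes to MqttFingerprint1."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalize(fp: str) -> str:
    """Canonical 64-char hex. Accepts colon-, space- or unseparated input
    (openssl, browser and console all differ); rejects anything else."""
    hexstr = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexstr):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexstr


def fingerprints_match(learned: str, expected: str) -> bool:
    """True when the fingerprint the device learned equals the one you
    extracted yourself. Constant-time compare; sentinels are refused."""
    a, b = normalize(learned), normalize(expected)
    # Assumption from Tasmota's MQTT TLS docs (not this page): all-00 means
    # auto-learn and all-FF means accept any certificate. Neither pins.
    if a in ("00" * 32, "FF" * 32):
        raise ValueError("learned value is a sentinel, nothing is pinned")
    return hmac.compare_digest(a, b)


def fetch_broker_fingerprint(host: str, port: int = 8883, timeout: float = 5.0) -> str:
    """Handshake with the broker and return its leaf-certificate fingerprint.
    Verification is off on purpose: this only reads the certificate so it
    can be pinned; no MQTT credentials are ever sent over this socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tasmota_fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    # broker.example.com is the placeholder host used throughout this page.
    print("MqttFingerprint1", fetch_broker_fingerprint("broker.example.com"))
```

Run it from a machine on the same network path the device uses, then paste the learned value from the Tasmota console into `fingerprints_match` against the printed one.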
### Step 4: Verify TLS Connection
Check console logs for:
Test port connectivity:
## Configuring CA Certificate Validation

For enterprise deployments using AWS IoT, Azure IoT Hub, or a private CA:

Compile flag:

```c
#define USE_MQTT_TLS_CA_CERT
```

This stores the full CA certificate chain in firmware. Contact RACKSYNC for custom firmware builds with your CA certificate.
## Troubleshooting TLS

### Fingerprint Mismatch After Certificate Renewal

If the broker's certificate was renewed (e.g., Let's Encrypt every 90 days):

- Extract the new fingerprint
- Update via console: `MqttFingerprint1 <new-fingerprint>`
- Restart MQTT: `Restart 1`
Prevention: Use CA certificate validation instead of fingerprint.
### Memory Errors on ESP32-C3

TLS requires additional RAM. If memory errors appear:

- Reduce `TelePeriod` (less frequent = less memory pressure)
- Disable unused Tasmota features
- Consider fingerprint mode instead of CA validation
### Port Blocked
Verify port 8883 is open:
### Certificate Expiry

Check certificate expiry:

```sh
openssl s_client -connect broker.example.com:8883 < /dev/null 2>/dev/null | openssl x509 -noout -dates
```
## Device Security Best Practices
| Practice | How |
|---|---|
| Change default MQTT credentials | Configure unique username/password |
| Change meter password (1000) | Setup menu → Password |
| Disable open AP after setup | AP mode only on first boot or factory reset |
| Enable web UI password | Web UI → Configuration → Configure Web Admin |
| Use HTTPS for OTA | Only HTTPS URLs for firmware updates |
| Keep firmware updated | Regularly check for RACKSYNC firmware updates |
## Network Security Recommendations
| Recommendation | Details |
|---|---|
| IoT VLAN | Place energy monitors on a separate VLAN |
| Firewall rules | Allow outbound 8883 to MQTT broker only |
| RS485 physical security | Limit physical access to meter and RS485 bus |
| Wi-Fi security | Use WPA3 or WPA2-Enterprise |