8000
Skip to content

TLS fix ECDSA and add 'SetOption165 1' to enable ECDSA in addition to RSA #24000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
s-hadinger merged 1 commit into from
Oct 11, 2025
Merged

TLS fix ECDSA and add 'SetOption165 1' to enable ECDSA in addition to RSA #24000

s-hadinger merged 1 commit into from
Oct 11, 2025

Conversation

@s-hadinger
Copy link
Collaborator
@s-hadinger s-hadinger commented Oct 11, 2025

Description:

Multiple fixes to TLS ECDSA:

  • ECDSA is enabled for EC certificates which is now the default in letsencrypt. However the current implementation was failing with error 49 - now fixed.
  • ECDSA is disabled by default to avoid regression with fingerprint validation, since fingerprints are different from RSA to ECDSA certificates, and it's the server that decides which certificate to use if both are present. See TLS disable ECDSA for MQTT to ensure we don't break fingerprints after #22649 #22656
  • SetOption165 1 enables ECDSA in addition to RSA. SetOption165 1 is automatically done if a TLS error 296 (incorrect cipher) is detected, to ensure smooth compatibility with letsencrypt. When using letsencrypt/EC, the first connection (RSA only) will fail, then SetOption165 1 is enabled and the second connection succeeds.
  • Added logs to indicate which cipher is used, Example:
MQT: TLS cipher suite: ECDHE_RSA_AES_128_GCM_SHA256

Note: ECDSA is not enabled on ESP8266 (yet, maybe next to come)

Checklist:

  • The pull request is done against the latest development branch
  • Only relevant files were touched
  • Only one feature/fix was added per PR and the code change compiles without warnings
  • The code change is tested and works with Tasmota core ESP8266 V.2.7.8
  • The code change is tested and works with Tasmota core ESP32 V.3.1.4
  • I accept the CLA.

NOTE: The code change must pass CI tests. Your PR cannot be merged unless tests pass

@s-hadinger s-hadinger merged commit f6a488a into arendst:development Oct 11, 2025
103 of 128 checks passed
sfromis added a commit to sfromis/Tasmota that referenced this pull request Oct 24, 2025
@sfromis
Update decode-status.py, SetOption165 text for TLS ECDSA validation
0a6b25c 
SetOption165 was missing explanation text, copied from arendst#24000 update of
https://github.com/arendst/Tasmota/blob/development/tasmota/include/tasmota_types.h#L202
@sfromis sfromis mentioned this pull request Oct 24, 2025
Merged
6 tasks
arendst pushed a commit that referenced this pull request Oct 24, 2025
@sfromis
Update decode-status.py, SetOption165 text for TLS ECDSA validation (#…
5b64b0d 
…24051)

SetOption165 was missing explanation text, copied from #24000 update of
https://github.com/arendst/Tasmota/blob/development/tasmota/include/tasmota_types.h#L202
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@s-hadinger
0