I spent some time recently trying to get some ESP8266 devices to connect to AWS IOT. AWS IOT is really just an MQTT broker as a service. However, it has a big caveat for the ESP8266: it requires TLS 1.2.
However, things changed with the January 2018 release of the 2.4.0 Arduino SDK. It included a newer axtls library, which supports TLS 1.2! Thinking this was the ideal way to go, I did my best to make it work.
Starting from this sketch and using certificates created using the Amazon CA, I just could not get it to work. I ended up filing this issue, as no matter what I did, it would always complain the certificate was not yet valid. I tried building the axtls library manually with more debugging, etc, but never did figure it out.
So, since I couldn't get the certificates made by Amazon to work, I figured I probably didn't want to use theirs anyway. It'd be easier to setup my own CA and issue certificates from that. I was thinking I could use the just-in-time certificate registration. So, I went ahead and did that, and things got a little further. I could connect, but two things ultimately kept me from moving forward with it:
- The workflow in AWS is cumbersome. First, deploy each device with it's own cert from my CA. When device first connects to AWS, the certificate becomes pending and waits for a lambda function to come activate it, assign policies, and assign it to a thing. After that's done, then the device can connect.
- The initial handshake on the ESP8266 can take between 5 and 15 seconds. During which time, the device is unresponsive...to the point you'd need to disable the software and hardware watchdogs. For my use, this was unacceptable.
Ultimately, if I need to use AWS IoT from a ESP8266, I'll use the websockets approach. Its not ideal, but it works.