During the development of this system it became soon obvious that security would be a paramount aspect of the system. For that reason we looked at adding transport layer security (TLS) encryption. This would use the integrated axTLS encryption library in the Sming framework together with AES certificates (host and client) to provide both verification that the host (servers) and clients (nodes) are who they say they are, but also provide a secure encrypted link.

In Chapter 5, Example - Soil Humidity Monitor with Wi-Fi, we already looked at the handling of these client certificates and setting up of an encrypted MQTT connection. One detail which is not obvious from that were the troubles which we encountered while setting up this certificate system. As mentioned in Chapter 5, Example - Soil Humidity Monitor with Wi-Fi, the ESP8266 does not have enough memory to allocate the default TLS handshake buffers and requires the use of the SSL fragment size extension on the side of the server (host).

Unfortunately we found that the commonly used MQTT broker we were using (Mosquitto) did not support this SSL extension and would therefore require that clients used the default double 16 kB buffer. The first solution to this would be to recompile the Mosquitto broker after making a few changes to its source code to change this setting.

The better solution and the one which we ultimately implemented was to install a proxy software (HAProxy) which functioned as the TLS endpoint, handling the certificates and redirecting the decrypted traffic to the MQTT broker via the local loopback (localhost) interface.

With the SSL fragment size option set to 1-2 kB everything worked as intended and we had a building-wide, wireless monitoring and control system that allowed for secure communications of sensitive information and delicate control commands.