From adb267c092c7097e8d7182630368dffced55bdc8 Mon Sep 17 00:00:00 2001
From: tyeth
Date: Fri, 16 Jan 2026 14:13:14 +0000
Subject: [PATCH 1/2] docs(ssl): Update TLS/SSL certificate fingerprint instructions
---
 src/AdafruitIO_Definitions.h | 5 ++++-
 src/wifi/AdafruitIO_ESP8266.h | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/AdafruitIO_Definitions.h b/src/AdafruitIO_Definitions.h
index 70080c8..405e494 100644
--- a/src/AdafruitIO_Definitions.h
+++ b/src/AdafruitIO_Definitions.h
@@ -115,7 +115,10 @@ class AdafruitIOGroupCallback {
 #define AIO_ERROR_TOPIC "/errors" ///< Adafruit IO Error MQTT Topic
 #define AIO_THROTTLE_TOPIC "/throttle" ///< Adafruit IO Throttle MQTT Topic
 
-// latest fingerprint can be generated with
+// io.adafruit.com TLS/SSL certificate changes every 6months, and pinning
+// certificates is no longer recommended. Migrate to a larger MCU like esp32
+// which can accomodate root certificates and verify chains of trust. For
+// older devices like esp8266 you can generate the latest fingerprint with:
 // echo | openssl s_client -connect io.adafruit.com:443 | openssl x509
 // -fingerprint -noout
 #define AIO_SSL_FINGERPRINT \
diff --git a/src/wifi/AdafruitIO_ESP8266.h b/src/wifi/AdafruitIO_ESP8266.h
index e4be20a..6efd330 100644
--- a/src/wifi/AdafruitIO_ESP8266.h
+++ b/src/wifi/AdafruitIO_ESP8266.h
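Review bot: The fingerprint recipe added above `AIO_SSL_FINGERPRINT` in src/AdafruitIO_Definitions.h pins whatever certificate the network presents when the command is run, and nothing in the comment tells the user to confirm that the chain validated first. Because the pin stands in for chain verification on the ESP8266, I would add a line such as `// Run this from a trusted network and add -verify_return_error to s_client so an untrusted chain aborts instead of printing a fingerprint.` The 20-byte value shown in patch 2/2 appears to be the SHA-1 digest that `openssl x509 -fingerprint` prints by default, so passing `-sha1` explicitly would keep the recipe stable if that default ever changes. Small wording fixes in the same comment: `6months` should be `6 months` and `accomodate` should be `accommodate`; patch 2/2 reflows this comment and carries the same text, so these points apply to that hunk as well. The `#define` continues past the end of this hunk.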
@@ -25,12 +25,13 @@
 /* NOTE - Projects that require "Secure MQTT" (TLS/SSL) also require a new
  * SSL certificate every year. If adding Secure MQTT to your ESP8266 project is
  * important - please switch to using the modern ESP32 (and related models)
- * instead of the ESP8266 to avoid updating the SSL fingerprint every year.
+ * instead of the ESP8266 to avoid updating the SSL fingerprint every 6months.
  *
  * If you've read through this and still want to use "Secure MQTT" with your
  * ESP8266 project, we've left the "WiFiClientSecure" lines commented out. To
  * use them, uncomment the commented out lines within `AdafruitIO_ESP8266.h` and
- * `AdafruitIO_ESP8266.cpp` and recompile the library.
+ * `AdafruitIO_ESP8266.cpp`, update fingerprint in `AdafruitIO_Definitions.h`,
+ * and then recompile the library.
  */
 
 // #include "WiFiClientSecure.h"
From 8e0bff5164bc9cff2debfc880470e5825b46078b Mon Sep 17 00:00:00 2001
From: Tyeth Gundry
Date: Wed, 21 Jan 2026 13:54:38 +0000
Subject: [PATCH 2/2] docs(ssl): improve comment format for fingerprint updates
---
 src/AdafruitIO_Definitions.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/AdafruitIO_Definitions.h b/src/AdafruitIO_Definitions.h
index 405e494..64bfbd0 100644
--- a/src/AdafruitIO_Definitions.h
+++ b/src/AdafruitIO_Definitions.h
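Review bot: The opening sentence of the NOTE in src/wifi/AdafruitIO_ESP8266.h still says `SSL certificate every year` while the line changed three lines below now says `every 6months`, so the comment contradicts itself about the renewal interval. I would update the unchanged line to ` * SSL certificate every 6 months. If adding Secure MQTT to your ESP8266 project is` and write `6 months` with a space on the changed line. The new step `update fingerprint in AdafruitIO_Definitions.h` could also name the macro, `AIO_SSL_FINGERPRINT`, so readers know which line to edit before recompiling.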
@@ -115,12 +115,12 @@ class AdafruitIOGroupCallback {
 #define AIO_ERROR_TOPIC "/errors" ///< Adafruit IO Error MQTT Topic
 #define AIO_THROTTLE_TOPIC "/throttle" ///< Adafruit IO Throttle MQTT Topic
 
-// io.adafruit.com TLS/SSL certificate changes every 6months, and pinning
-// certificates is no longer recommended. Migrate to a larger MCU like esp32
-// which can accomodate root certificates and verify chains of trust. For
-// older devices like esp8266 you can generate the latest fingerprint with:
-// echo | openssl s_client -connect io.adafruit.com:443 | openssl x509
-// -fingerprint -noout
+/* NB: io.adafruit.com TLS/SSL certificate changes every 6months, and pinning
+certificates is no longer recommended. Migrate to a larger MCU like ESP32
+which can accomodate root certificates and verify chains of trust. */
+/* For older devices like ESP8266 you can generate the latest fingerprint with:
+echo | openssl s_client -connect io.adafruit.com:443 | openssl x509 -fingerprint -noout
+*/
 #define AIO_SSL_FINGERPRINT \
 "47 D2 CB 14 DF 38 97 59 C6 65 1A 1F 3E 00 1E 53 CC A5 17 E0" ///< Latest
 ///< Adafruit IO
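Review bot: The comment above `AIO_SSL_FINGERPRINT` now says the certificate rotates every 6 months, but nothing next to the macro records which certificate the pinned value belongs to or when it expires, so a reader cannot tell whether the shipped pin is already stale. I would add a line such as `/* SHA-1 fingerprint of the io.adafruit.com certificate, valid until <EXPIRY_DATE_PLACEHOLDER>; check with openssl x509 -noout -enddate */` and refresh it whenever the value changes. The continuation lines of the two new block comments also start at column 0 without a leading ` * `, unlike the NOTE block in src/wifi/AdafruitIO_ESP8266.h; matching that style would keep the headers consistent. The macro's trailing Doxygen comment continues past the end of this hunk.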