[mqtt] Remove broken ESP8266 ssl_fingerprints option (#14182)

2026-02-27 17:34:22 -07:00 · 2026-02-21 11:12:35 -06:00
parent 7fb09da7cf
commit 416b97311b
8 changed files with 2 additions and 95 deletions
--- a/esphome/main.py
+++ b/esphome/main.py
@@ -944,12 +944,6 @@ def command_clean_all(args: ArgsProtocol) -> int | None:
    return 0


-def command_mqtt_fingerprint(args: ArgsProtocol, config: ConfigType) -> int | None:
-    from esphome import mqtt
-
-    return mqtt.get_fingerprint(config)
-
-
 def command_version(args: ArgsProtocol) -> int | None:
    safe_print(f"Version: {const.__version__}")
    return 0
@@ -1237,7 +1231,6 @@ POST_CONFIG_ACTIONS = {
    "run": command_run,
    "clean": command_clean,
    "clean-mqtt": command_clean_mqtt,
-    "mqtt-fingerprint": command_mqtt_fingerprint,
    "idedata": command_idedata,
    "rename": command_rename,
    "discover": command_discover,
@@ -1451,13 +1444,6 @@ def parse_args(argv):
    )
    parser_wizard.add_argument("configuration", help="Your YAML configuration file.")

-    parser_fingerprint = subparsers.add_parser(
-        "mqtt-fingerprint", help="Get the SSL fingerprint from a MQTT broker."
-    )
-    parser_fingerprint.add_argument(
-        "configuration", help="Your YAML configuration file(s).", nargs="+"
-    )
-
    subparsers.add_parser("version", help="Print the ESPHome version and exit.")

    parser_clean = subparsers.add_parser(
--- a/esphome/components/mqtt/init.py
+++ b/esphome/components/mqtt/init.py
@@ -1,5 +1,3 @@
-import re
-
 from esphome import automation
 from esphome.automation import Condition
 import esphome.codegen as cg
@@ -46,7 +44,6 @@ from esphome.const import (
    CONF_RETAIN,
    CONF_SHUTDOWN_MESSAGE,
    CONF_SKIP_CERT_CN_CHECK,
-    CONF_SSL_FINGERPRINTS,
    CONF_STATE_TOPIC,
    CONF_SUBSCRIBE_QOS,
    CONF_TOPIC,
@@ -221,13 +218,6 @@ def validate_config(value):
    return out


-def validate_fingerprint(value):
-    value = cv.string(value)
-    if re.match(r"^[0-9a-f]{40}$", value) is None:
-        raise cv.Invalid("fingerprint must be valid SHA1 hash")
-    return value
-
-
 def _consume_mqtt_sockets(config: ConfigType) -> ConfigType:
    """Register socket needs for MQTT component."""
    # MQTT needs 1 socket for the broker connection
@@ -291,9 +281,6 @@ CONFIG_SCHEMA = cv.All(
                ),
                validate_message_just_topic,
            ),
-            cv.Optional(CONF_SSL_FINGERPRINTS): cv.All(
-                cv.only_on_esp8266, cv.ensure_list(validate_fingerprint)
-            ),
            cv.Optional(CONF_KEEPALIVE, default="15s"): cv.positive_time_period_seconds,
            cv.Optional(
                CONF_REBOOT_TIMEOUT, default="15min"
@@ -444,14 +431,6 @@ async def to_code(config):
        if CONF_LEVEL in log_topic:
            cg.add(var.set_log_level(logger.LOG_LEVELS[log_topic[CONF_LEVEL]]))

-    if CONF_SSL_FINGERPRINTS in config:
-        for fingerprint in config[CONF_SSL_FINGERPRINTS]:
-            arr = [
-                cg.RawExpression(f"0x{fingerprint[i : i + 2]}") for i in range(0, 40, 2)
-            ]
-            cg.add(var.add_ssl_fingerprint(arr))
-        cg.add_build_flag("-DASYNC_TCP_SSL_ENABLED=1")
-
    cg.add(var.set_keep_alive(config[CONF_KEEPALIVE]))

    cg.add(var.set_reboot_timeout(config[CONF_REBOOT_TIMEOUT]))
--- a/esphome/components/mqtt/mqtt_backend_esp8266.h
+++ b/esphome/components/mqtt/mqtt_backend_esp8266.h
@@ -21,11 +21,6 @@ class MQTTBackendESP8266 final : public MQTTBackend {
  }
  void set_server(network::IPAddress ip, uint16_t port) final { mqtt_client_.setServer(ip, port); }
  void set_server(const char *host, uint16_t port) final { mqtt_client_.setServer(host, port); }
-#if ASYNC_TCP_SSL_ENABLED
-  void set_secure(bool secure) { mqtt_client.setSecure(secure); }
-  void add_server_fingerprint(const uint8_t *fingerprint) { mqtt_client.addServerFingerprint(fingerprint); }
-#endif
-
  void set_on_connect(std::function<on_connect_callback_t> &&callback) final {
    this->mqtt_client_.onConnect(std::move(callback));
  }
--- a/esphome/components/mqtt/mqtt_backend_libretiny.h
+++ b/esphome/components/mqtt/mqtt_backend_libretiny.h
@@ -21,11 +21,6 @@ class MQTTBackendLibreTiny final : public MQTTBackend {
  }
  void set_server(network::IPAddress ip, uint16_t port) final { mqtt_client_.setServer(IPAddress(ip), port); }
  void set_server(const char *host, uint16_t port) final { mqtt_client_.setServer(host, port); }
-#if ASYNC_TCP_SSL_ENABLED
-  void set_secure(bool secure) { mqtt_client.setSecure(secure); }
-  void add_server_fingerprint(const uint8_t *fingerprint) { mqtt_client.addServerFingerprint(fingerprint); }
-#endif
-
  void set_on_connect(std::function<on_connect_callback_t> &&callback) final {
    this->mqtt_client_.onConnect(std::move(callback));
  }
--- a/esphome/components/mqtt/mqtt_client.cpp
+++ b/esphome/components/mqtt/mqtt_client.cpp
@@ -749,13 +749,6 @@ void MQTTClientComponent::set_on_disconnect(mqtt_on_disconnect_callback_t &&call
  this->on_disconnect_.add(std::move(callback_copy));
 }

-#if ASYNC_TCP_SSL_ENABLED
-void MQTTClientComponent::add_ssl_fingerprint(const std::array<uint8_t, SHA1_SIZE> &fingerprint) {
-  this->mqtt_backend_.setSecure(true);
-  this->mqtt_backend_.addServerFingerprint(fingerprint.data());
-}
-#endif
-
 MQTTClientComponent *global_mqtt_client = nullptr;  // NOLINT(cppcoreguidelines-avoid-non-const-global-variables)

 // MQTTMessageTrigger
--- a/esphome/components/mqtt/mqtt_client.h
+++ b/esphome/components/mqtt/mqtt_client.h
@@ -137,21 +137,6 @@ class MQTTClientComponent : public Component {
  bool is_discovery_enabled() const;
  bool is_discovery_ip_enabled() const;

-#if ASYNC_TCP_SSL_ENABLED
-  /** Add a SSL fingerprint to use for TCP SSL connections to the MQTT broker.
-   *
-   * To use this feature you first have to globally enable the `ASYNC_TCP_SSL_ENABLED` define flag.
-   * This function can be called multiple times and any certificate that matches any of the provided fingerprints
-   * will match. Calling this method will also automatically disable all non-ssl connections.
-   *
-   * @warning This is *not* secure and *not* how SSL is usually done. You'll have to add
-   *          a separate fingerprint for every certificate you use. Additionally, the hashing
-   *          algorithm used here due to the constraints of the MCU, SHA1, is known to be insecure.
-   *
-   * @param fingerprint The SSL fingerprint as a 20 value long std::array.
-   */
-  void add_ssl_fingerprint(const std::array<uint8_t, SHA1_SIZE> &fingerprint);
-#endif
 #ifdef USE_ESP32
  void set_ca_certificate(const char *cert) { this->mqtt_backend_.set_ca_certificate(cert); }
  void set_cl_certificate(const char *cert) { this->mqtt_backend_.set_cl_certificate(cert); }
--- a/esphome/const.py
+++ b/esphome/const.py
@@ -943,7 +943,6 @@ CONF_SPI = "spi"
 CONF_SPI_ID = "spi_id"
 CONF_SPIKE_REJECTION = "spike_rejection"
 CONF_SSID = "ssid"
-CONF_SSL_FINGERPRINTS = "ssl_fingerprints"
 CONF_STARTUP_DELAY = "startup_delay"
 CONF_STATE = "state"
 CONF_STATE_CLASS = "state_class"
--- a/esphome/mqtt.py
+++ b/esphome/mqtt.py
@@ -1,6 +1,5 @@
 import contextlib
 from datetime import datetime
-import hashlib
 import json
 import logging
 import ssl
@@ -22,14 +21,12 @@ from esphome.const import (
    CONF_PASSWORD,
    CONF_PORT,
    CONF_SKIP_CERT_CN_CHECK,
-    CONF_SSL_FINGERPRINTS,
    CONF_TOPIC,
    CONF_TOPIC_PREFIX,
    CONF_USERNAME,
 )
-from esphome.core import CORE, EsphomeError
+from esphome.core import EsphomeError
 from esphome.helpers import get_int_env, get_str_env
-from esphome.log import AnsiFore, color
 from esphome.types import ConfigType
 from esphome.util import safe_print

@@ -102,9 +99,7 @@ def prepare(
    elif username:
        client.username_pw_set(username, password)

-    if config[CONF_MQTT].get(CONF_SSL_FINGERPRINTS) or config[CONF_MQTT].get(
-        CONF_CERTIFICATE_AUTHORITY
-    ):
+    if config[CONF_MQTT].get(CONF_CERTIFICATE_AUTHORITY):
        context = ssl.create_default_context(
            cadata=config[CONF_MQTT].get(CONF_CERTIFICATE_AUTHORITY)
        )
@@ -283,23 +278,3 @@ def clear_topic(config, topic, username=None, password=None, client_id=None):
        client.publish(msg.topic, None, retain=True)

    return initialize(config, [topic], on_message, None, username, password, client_id)
-
-
-# From marvinroger/async-mqtt-client -> scripts/get-fingerprint/get-fingerprint.py
-def get_fingerprint(config):
-    addr = str(config[CONF_MQTT][CONF_BROKER]), int(config[CONF_MQTT][CONF_PORT])
-    _LOGGER.info("Getting fingerprint from %s:%s", addr[0], addr[1])
-    try:
-        cert_pem = ssl.get_server_certificate(addr)
-    except OSError as err:
-        _LOGGER.error("Unable to connect to server: %s", err)
-        return 1
-    cert_der = ssl.PEM_cert_to_DER_cert(cert_pem)
-
-    sha1 = hashlib.sha1(cert_der).hexdigest()
-
-    safe_print(f"SHA1 Fingerprint: {color(AnsiFore.CYAN, sha1)}")
-    safe_print(
-        f"Copy the string above into mqtt.ssl_fingerprints section of {CORE.config_path}"
-    )
-    return 0