TLS ERROR MQTT - Error in mqtt_connect: -111

Hello, 

I am trying to connect to an MQTT broker that uses a TLS certificate and user/password. I have set the user and password fields of these structs:

struct mqtt_utf8 pass, user_name;
Regarding the server certificate, I have tried the way described in the Cellular Fund course, lesson 4.2 (using certificate.h). It didn't work. Then I decided to write the certificate manually into security tag 24 using the Certificate Manager, but I still got the same error.
Before anyone suspects it's the wrong certificate: I have used the exact same one in Node-RED and MQTT Explorer, and it works there.
I am using the nRF9160-DK, modem firmware mfw_nrf9160_1.3.5.
It just keeps returning the -111 error when trying to connect to the broker. I looked it up and -111 is ECONNREFUSED. That's why I suspect that something may be wrong with how the certificate is managed on the nRF side.
Any help is much appreciated. 
  • Hi,

    Can you take a modem trace, so that we can look at the TLS handshake to see where it fails?

    Best regards,

    Didrik

  • Hello Didrik,

    The modem trace contains some sensitive data, so I don't think it would be wise to post it here. But I looked through it using Wireshark and it seems to be failing at frame 95, TLSv1.2 Alert (Level: Fatal, Description: Unknown CA), i.e. due to an unknown CA?

    Again I tested both ways, following the instructions in lesson 4.2 and generating certificate.h using the Python script from the server certificate .crt file.

    83 DNS Standard query response 0x10e2 A "server" CNAME "server" A "ip" NS "server" NS "server" A "IP" A "IP" AAAA 2001:700:300::209 AAAA 2001:700:300::208
    84 TCP 58740 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708
    85 TCP 8883 → 58740 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380
    86 TCP 58740 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0
    87 TLSv1.2 Client Hello (SNI="server")
    88 TCP 8883 → 58740 [ACK] Seq=1 Ack=143 Win=64098 Len=0
    89 TLSv1.2 Server Hello
    90 TCP 8883 → 58740 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU]
    91 TCP 58740 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0
    92 TLSv1.2 Certificate
    93 TCP 58740 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0
    94 TLSv1.2 Server Key Exchange, Server Hello Done
    95 TLSv1.2 Alert (Level: Fatal, Description: Unknown CA)
    96 TCP 58740 → 8883 [RST, ACK] Seq=150 Ack=2226 Win=58392 Len=0

    The exact same certificate file works perfectly in Node-RED and MQTT Explorer.

    I also tried writing the certificate using the Certificate Manager into sec tag 24. Same problem.

  • Hello Didrik,

    After numerous attempts I think I got past the -111 (ECONNREFUSED) error caused by the unknown CA. I think the issue was the formatting of the certificate.

    Now I have a different problem: error -128 on mqtt_input.

    [00:44:14.755,249] <inf> Lesson4_Exercise2: RRC mode: Connected
    [00:44:16.156,097] <inf> Lesson4_Exercise2: MQTT client disconnected: -128
    [00:44:16.156,158] <err> Lesson4_Exercise2: Error in mqtt_input: -128
    [00:44:16.156,158] <inf> Lesson4_Exercise2: Disconnecting MQTT client
    [00:44:16.156,188] <err> Lesson4_Exercise2: Could not disconnect MQTT client: -128

    This is the log from Wireshark:

    83 ip ip DNS Standard query response 0x36a2 A "servername" CNAME "servername" A "serverip" NS "server" NS "server" A "server" A "server" AAAA 2001:700:300::209 AAAA 2001:700:300::208
    84 10.82.101.95 "serverip" TCP 56805 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708
    85 "serverip" 10.82.101.95 TCP 8883 → 56805 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380
    86 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0
    87 10.82.101.95 "serverip" TLSv1.2 Client Hello (SNI="servername")
    88 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=1 Ack=143 Win=64098 Len=0
    89 "serverip" 10.82.101.95 TLSv1.2 Server Hello
    90 "serverip" 10.82.101.95 TCP 8883 → 56805 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU]
    91 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0
    92 "serverip" 10.82.101.95 TLSv1.2 Certificate
    93 "serverip" 10.82.101.95 TLSv1.2 Server Key Exchange, Server Hello Done
    94 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0
    95 10.82.101.95 "serverip" TLSv1.2 Client Key Exchange
    96 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=185 Win=64056 Len=0
    97 10.82.101.95 "serverip" TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
    98 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=236 Win=64056 Len=0
    99 "serverip" 10.82.101.95 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
    100 10.82.101.95 "serverip" TLSv1.2 Application Data
    101 "serverip" 10.82.101.95 TLSv1.2 Encrypted Alert
    102 "serverip" 10.82.101.95 TCP 8883 → 56805 [FIN, ACK] Seq=2308 Ack=298 Win=64056 Len=0
    103 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=298 Ack=2309 Win=5975 Len=0

    I am unable to decrypt the TLS session using the server's private key, due to this log message:

    session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file

  • What server are you connecting to?

    Some, e.g. AWS IoT Core, require that the client ID in the MQTT Connect request is the same as the CN in the device certificate.

    The first packet of Application Data will be the Connect request, and a wrong Client ID/CN is the typical cause when the connection is terminated after the first packet (at least for AWS).

  • This issue was fixed by moving struct mqtt_utf8 pass, user_name; to global scope. For more detail, see the Zephyr GitHub issue: github.com/.../73089
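Added example (not from the thread, Nordic or Zephyr): a small Python triage over the two Wireshark summaries posted above. It separates the unknown_ca case (the client rejected the broker's chain before sending Client Key Exchange, so the CA loaded in the security tag is wrong) from the encrypted alert after Application Data (TLS completed; the broker refused the MQTT CONNECT, which in this thread turned out to be the credential structs going out of scope). The stage names and hints are my own labels.

```python
import re

# Constructed input: the TLS frames of the two Wireshark traces in the thread.
TRACE_UNKNOWN_CA = [
    '87 TLSv1.2 Client Hello (SNI="server")',
    "89 TLSv1.2 Server Hello",
    "92 TLSv1.2 Certificate",
    "94 TLSv1.2 Server Key Exchange, Server Hello Done",
    "95 TLSv1.2 Alert (Level: Fatal, Description: Unknown CA)",
]
TRACE_APP_REJECT = [
    '87 10.82.101.95 "serverip" TLSv1.2 Client Hello (SNI="servername")',
    '89 "serverip" 10.82.101.95 TLSv1.2 Server Hello',
    '92 "serverip" 10.82.101.95 TLSv1.2 Certificate',
    '93 "serverip" 10.82.101.95 TLSv1.2 Server Key Exchange, Server Hello Done',
    '95 10.82.101.95 "serverip" TLSv1.2 Client Key Exchange',
    '97 10.82.101.95 "serverip" TLSv1.2 Change Cipher Spec, Encrypted Handshake Message',
    '99 "serverip" 10.82.101.95 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message',
    '100 10.82.101.95 "serverip" TLSv1.2 Application Data',
    '101 "serverip" 10.82.101.95 TLSv1.2 Encrypted Alert',
]

TLS_FRAME = re.compile(r"TLSv1\.\d\s+(.*)$")
ALERT = re.compile(r"Alert \(Level: (\w+), Description: ([^)]+)\)")

def tls_messages(lines):
    """Ordered record names; split frames on commas outside parentheses."""
    msgs = []
    for line in lines:
        m = TLS_FRAME.search(line)  # TCP-only frames do not match and are skipped
        if m:
            msgs += [p.strip() for p in re.split(r",\s+(?![^()]*\))", m.group(1))]
    return msgs

def classify_failure(lines):
    """Return (stage, hint) for the first TLS alert in the trace."""
    msgs = tls_messages(lines)
    for i, msg in enumerate(msgs):
        alert = ALERT.match(msg)
        if alert:
            desc = alert.group(2)
            # No Client Key Exchange yet: the client rejected the server chain.
            if desc == "Unknown CA" and "Client Key Exchange" not in msgs[:i]:
                return ("server_cert_rejected", "check the CA cert in the sec tag")
            return ("handshake_alert", f"plaintext fatal alert: {desc}")
        if msg == "Encrypted Alert":
            # Both Change Cipher Specs and data already sent: TLS succeeded, the
            # broker refused the CONNECT (credentials, client ID, dangling structs).
            done = msgs[:i].count("Change Cipher Spec") == 2
            if done and "Application Data" in msgs[:i]:
                return ("application_rejected", "check the MQTT CONNECT contents")
            return ("finished_failed", "encrypted alert before any application data")
    return ("no_alert", "no TLS alert in trace")
```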