TLS ERROR MQTT - Error in mqtt_connect: -111

Hello, 

I am trying to connect to an MQTT broker that uses a TLS certificate and user/password. I have set the user and password fields of these structs:

struct mqtt_utf8 pass, user_name;
Regarding the server certificate, I have tried the way that's described in the Cellular Fund course lesson 4.2 (using certificate.h). It didn't work. Then I decided to manually write the certificate to security tag 24 using Certificate Manager, but I still got the same error.
Before anyone suspects it's the wrong certificate: I have used the exact same one in Node-RED and MQTT Explorer, and it works there.
I am using an nRF9160-DK, modem firmware mfw_nrf9160_1.3.5.
It just keeps returning a -111 error upon trying to connect to the broker. I looked it up, and -111 is ECONNREFUSED. That's why I suspect that maybe something is wrong with managing the certificate on the nRF side.
Any help is much appreciated.
  • Hi,

    Can you take a modem trace, so that we can look at the TLS handshake to see where it fails?

    Best regards,

    Didrik

  • Hello Didrik,

    The modem trace contains some sensitive data; I don't think it would be wise to post it here. But I looked through it using Wireshark, and it seems to be failing at frame 95, TLSv1.2 Alert (Level: Fatal, Description: Unknown CA), i.e. due to an unknown CA?

    Again, I tested both ways: following the instructions in lesson 4.2, I generated certificate.h from the server certificate .crt file using the Python script.

    83 DNS Standard query response 0x10e2 A "server" CNAME "server" A "ip" NS "server" NS "server" A "IP" A "IP" AAAA 2001:700:300::209 AAAA 2001:700:300::208
    84 TCP 58740 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708
    85 TCP 8883 → 58740 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380
    86 TCP 58740 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0
    87 TLSv1.2 Client Hello (SNI="server")
    88 TCP 8883 → 58740 [ACK] Seq=1 Ack=143 Win=64098 Len=0
    89 TLSv1.2 Server Hello
    90 TCP 8883 → 58740 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU]
    91 TCP 58740 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0
    92 TLSv1.2 Certificate
    93 TCP 58740 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0
    94 TLSv1.2 Server Key Exchange, Server Hello Done
    95 TLSv1.2 Alert (Level: Fatal, Description: Unknown CA)
    96 TCP 58740 → 8883 [RST, ACK] Seq=150 Ack=2226 Win=58392 Len=0

    The exact same certificate file works perfectly in Node-RED and MQTT Explorer.

    I also tried writing the certificate using Certificate Manager to sec tag 24. Same problem.
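The "Unknown CA" alert in frame 95 is the broker saying it could not build a trust path from the certificate the client presented, which, as the later reply in this thread confirms, is usually a formatting or provisioning problem rather than a wrong certificate. The following added example (my own, not the course's script and not Nordic code) performs the checks worth running on a CA PEM before it goes into a security tag: one block only, labelled CERTIFICATE, a base64 body that decodes to a DER SEQUENCE, LF line endings and a final newline. It also renders the PEM as the escaped C string literal a certificate.h-style header needs; the macro name CA_CERTIFICATE and the two sample inputs are constructed for the example, and the sample body is a bare DER SEQUENCE rather than a real certificate.

```python
"""Sanity-check a CA certificate PEM before provisioning it to a modem security
tag, and render it as the C string literal used by a certificate.h-style header.

Added example; not the course script or any Nordic code. The checks are
heuristics for the formatting mistakes that commonly produce an "Unknown CA"
alert at the broker: a chain or server cert pasted where the CA belongs, CRLF
line endings, a missing final newline, a mangled base64 body, or a non-X.509
PEM block.
"""
import base64
import re

# One PEM block: label, base64 body (may span lines), matching END label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def check_ca_pem(data: bytes) -> dict:
    """Return {'ok', 'blocks', 'findings'} for a PEM blob intended as a CA cert.

    'ok' is True only when the blob holds exactly one CERTIFICATE block whose
    body decodes to a DER SEQUENCE, uses LF line endings and ends in a newline.
    """
    findings = []
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        findings.append("no PEM block found (binary DER, PKCS#12 or a truncated paste?)")
    elif len(blocks) > 1:
        findings.append(
            f"{len(blocks)} PEM blocks found; a CA tag wants the CA that signed "
            "the broker certificate, not the broker cert plus chain"
        )
    for label, body in blocks:
        if label != b"CERTIFICATE":
            findings.append(f"block label is {label.decode()!r}, expected 'CERTIFICATE'")
            continue
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except ValueError:
            findings.append("base64 body does not decode (stray characters or truncated copy/paste)")
            continue
        # Every X.509 certificate is an ASN.1 SEQUENCE, DER tag 0x30.
        if not der or der[0] != 0x30:
            findings.append("decoded body is not a DER SEQUENCE, so not an X.509 certificate")
    if b"\r\n" in data:
        findings.append("CRLF line endings found; normalise to LF before embedding")
    if blocks and not data.endswith(b"\n"):
        findings.append("no newline after the END line")
    return {"ok": not findings, "blocks": len(blocks), "findings": findings}


def pem_to_c_literal(data: bytes, macro: str = "CA_CERTIFICATE") -> str:
    """Render a PEM blob as a #define whose value is one C string literal,
    one PEM line per source line, each terminated by an escaped newline.
    The macro name CA_CERTIFICATE is this example's own choice (assumption).
    """
    text = data.decode("ascii").replace("\r\n", "\n").strip("\n")
    body = " \\\n".join(f'    "{line}\\n"' for line in text.split("\n"))
    return f"#define {macro} \\\n{body}\n"


# Constructed inputs: the body is a minimal DER SEQUENCE (30 03 02 01 01), not a
# real certificate, so the structural checks pass without shipping real material.
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
BAD_PEM = b"-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("bad", BAD_PEM)):
        print(name, check_ca_pem(pem))
    print(pem_to_c_literal(GOOD_PEM))
```

Run it against the .crt exported from the broker: a file saved on Windows will typically trip the CRLF check, and a file that also contains the server certificate will trip the block-count check; either one is worth fixing before provisioning the tag again.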

  • Hello Didrik,

    After numerous attempts I think I got past that problem of the -111 error and ECONNREFUSED because of an unknown CA. I think the issue was the formatting of the certificate.

    Now I have a different problem: error -128 on mqtt_input.

    [00:44:14.755,249] <inf> Lesson4_Exercise2: RRC mode: Connected
    [00:44:16.156,097] <inf> Lesson4_Exercise2: MQTT client disconnected: -128
    [00:44:16.156,158] <err> Lesson4_Exercise2: Error in mqtt_input: -128
    [00:44:16.156,158] <inf> Lesson4_Exercise2: Disconnecting MQTT client
    [00:44:16.156,188] <err> Lesson4_Exercise2: Could not disconnect MQTT client: -128

    This is the log from Wireshark:

    83 ip ip DNS Standard query response 0x36a2 A "servername" CNAME "servername" A "serverip" NS "server" NS "server" A "server" A "server" AAAA 2001:700:300::209 AAAA 2001:700:300::208
    84 10.82.101.95 "serverip" TCP 56805 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708
    85 "serverip" 10.82.101.95 TCP 8883 → 56805 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380
    86 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0
    87 10.82.101.95 "serverip" TLSv1.2 Client Hello (SNI="servername")
    88 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=1 Ack=143 Win=64098 Len=0
    89 "serverip" 10.82.101.95 TLSv1.2 Server Hello
    90 "serverip" 10.82.101.95 TCP 8883 → 56805 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU]
    91 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0
    92 "serverip" 10.82.101.95 TLSv1.2 Certificate
    93 "serverip" 10.82.101.95 TLSv1.2 Server Key Exchange, Server Hello Done
    94 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0
    95 10.82.101.95 "serverip" TLSv1.2 Client Key Exchange
    96 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=185 Win=64056 Len=0
    97 10.82.101.95 "serverip" TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
    98 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=236 Win=64056 Len=0
    99 "serverip" 10.82.101.95 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
    100 10.82.101.95 "serverip" TLSv1.2 Application Data
    101 "serverip" 10.82.101.95 TLSv1.2 Encrypted Alert
    102 "serverip" 10.82.101.95 TCP 8883 → 56805 [FIN, ACK] Seq=2308 Ack=298 Win=64056 Len=0
    103 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=298 Ack=2309 Win=5975 Len=0

    I am unable to decrypt the TLS using the server private key because of this log message:

    session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file
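Two things in this second trace are worth reading off before trying to decrypt anything. Frames 97 and 99 show both sides sending ChangeCipherSpec and their Finished message, so the TLS handshake completed this time; the encrypted alert in frame 101 comes only after the client's first Application Data record in frame 100, which is the MQTT CONNECT, so the rejection is decided at the MQTT layer and the reason will be in the broker's own log rather than in the capture. And the Wireshark message is exact: with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 the server's RSA key only signs the key exchange, the session keys come from an ephemeral ECDH exchange, so the private key cannot recover them (that is the forward-secrecy property of the suite). The added example below (mine, not part of the thread and not Nordic code) decodes a raw TLS record stream from one direction, reports plaintext alerts by name and marks everything after ChangeCipherSpec as encrypted, and classifies a cipher suite name by whether the server's RSA key could decrypt it. The byte strings are constructed by hand to mirror frame 95 of the first trace and frames 99 to 101 of this one.

```python
"""Decode the TLS records of one capture direction and say which alerts are
readable, plus why an ECDHE session cannot be decrypted with the broker's RSA
private key.

Added example, not part of the thread and not Nordic code. Input is the raw
TLS byte stream for one direction (e.g. exported from Wireshark's Follow TCP
Stream in raw form); the records below are constructed to mirror frame 95 of
the first trace and frames 99-101 of the second, seen from the server side.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# RFC 5246 AlertDescription values most often seen on certificate problems.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    112: "unrecognized_name",
}


def describe_records(stream: bytes) -> list[dict]:
    """Walk TLS records in one direction. Once this side has sent
    ChangeCipherSpec every later record, alerts included, is encrypted, so the
    alert level and code are reported only for plaintext alerts."""
    out, off, encrypted = [], 0, False
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack(">BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record at offset {off}")
        rec = {
            "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": f"{version >> 8}.{version & 0xFF}",
            "length": length,
        }
        if ctype == 21:
            if encrypted:
                rec["alert"] = "encrypted; needs the session keys to read"
            else:
                level, desc = body[0], body[1]
                severity = "fatal" if level == 2 else "warning"
                rec["alert"] = f"{severity}: {ALERT_DESCRIPTIONS.get(desc, desc)}"
        elif ctype == 20:
            encrypted = True
        out.append(rec)
        off += 5 + length
    return out


def rsa_key_can_decrypt(cipher_suite_name: str) -> bool:
    """Static-RSA suites (TLS_RSA_WITH_...) send the premaster secret encrypted
    to the server's RSA key, so that key recovers the session. (EC)DHE suites
    derive it from an ephemeral exchange; the RSA key only signs and never
    yields the traffic keys, which is what Wireshark's message is saying."""
    return cipher_suite_name.startswith("TLS_RSA_WITH_")


# Constructed records. Frame 95 of the first trace: a plaintext fatal alert,
# level 2, description 48 (unknown_ca), TLS 1.2 record version 0x0303.
FRAME_95 = bytes.fromhex("15 0303 0002 02 30")
# Frames 99-101 of the second trace from the server: ChangeCipherSpec, the
# encrypted Finished, then the encrypted alert sent after the client's data.
# AES-GCM in TLS 1.2 adds an 8-byte explicit nonce and a 16-byte tag.
SERVER_AFTER_CCS = (
    bytes.fromhex("14 0303 0001 01")
    + bytes.fromhex("16 0303 0028") + bytes(40)   # Finished: 8 + (4 + 12) + 16
    + bytes.fromhex("15 0303 001a") + bytes(26)   # alert: 8 + 2 + 16
)

if __name__ == "__main__":
    for rec in describe_records(FRAME_95) + describe_records(SERVER_AFTER_CCS):
        print(rec)
    print("RSA key decrypts 0xC030 session:",
          rsa_key_can_decrypt("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"))
```

The practical consequence for this thread: the modem does not hand out session keys, so the encrypted alert in frame 101 stays opaque; the broker log (which records why it dropped a client right after CONNECT, for example a credential or client-id problem) is the place to look next.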
