Hello,
I am trying to connect to the MQTT broker that uses a TLS certificate and user/password. I have set the user and password fields of these structs.
Hi,
Can you take a modem trace, so that we can look at the TLS handshake to see where it fails?
Best regards,
Didrik
Hello Didrik,
The modem trace contains some sensitive data, I don't think it would be wise to post it here. But I looked through it using Wireshark, and it seems to be failing at frame 95, TLSv1.2 Alert (Level: Fatal, Description: Unknown CA), due to unknown CA?
Again I tested with both: following the instructions in lesson 4.2, I generated certificate.h from the server certificate .crt file using the Python script.
83 DNS Standard query response 0x10e2 A "server" CNAME "server" A "ip" NS "server" NS "server" A "IP" A "IP" AAAA 2001:700:300::209 AAAA 2001:700:300::208
84 TCP 58740 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708
85 TCP 8883 → 58740 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380
86 TCP 58740 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0
87 TLSv1.2 Client Hello (SNI="server")
88 TCP 8883 → 58740 [ACK] Seq=1 Ack=143 Win=64098 Len=0
89 TLSv1.2 Server Hello
90 TCP 8883 → 58740 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU]
91 TCP 58740 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0
92 TLSv1.2 Certificate
93 TCP 58740 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0
94 TLSv1.2 Server Key Exchange, Server Hello Done
95 TLSv1.2 Alert (Level: Fatal, Description: Unknown CA)
96 TCP 58740 → 8883 [RST, ACK] Seq=150 Ack=2226 Win=58392 Len=0
Exact same certificate file works perfectly on Node-red and MQTT Explorer.
I tried to also write a certificate using Certificate Manager in sec tag 24. Same problem.
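The Unknown CA alert at frame 95 means the modem could not validate the server's chain against the CA certificate it was given, and the most common reason for that on the nRF91 is not a wrong CA but a CA that did not parse: CRLF line endings, a missing trailing newline, or a base64 body that lost its line breaks when it was turned into certificate.h. The following is an added example, plain C that is neither Nordic's lesson script nor the modem library: pem_check() verifies the PEM text in the exact form the modem expects, and pem_to_c_literal() renders it as the one-quoted-string-per-line certificate.h shape. GOOD_PEM and the two bad variants are constructed placeholders with a made-up base64 body, not real certificates, and PEM_LINE_MAX of 64 is the conventional PEM line width.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_LINE_MAX 64

/* Result of pem_check(); anything other than PEM_OK is a reason the modem
 * would reject the CA before it could be used to validate the server chain. */
enum pem_status {
    PEM_OK = 0,
    PEM_NO_BEGIN,       /* does not start with the BEGIN CERTIFICATE line   */
    PEM_NO_END,         /* END CERTIFICATE marker missing                    */
    PEM_CRLF,           /* contains '\r': Windows line endings               */
    PEM_BAD_TRAILER,    /* END line is not the last thing, newline included  */
    PEM_BAD_CHAR,       /* body character outside the base64 alphabet        */
    PEM_LINE_TOO_LONG,  /* body line longer than PEM_LINE_MAX                */
    PEM_NO_LINE_BREAK   /* body not terminated by '\n' before the END line   */
};

static const char BEGIN_MARK[] = "-----BEGIN CERTIFICATE-----\n";
static const char END_MARK[]   = "-----END CERTIFICATE-----\n";

static int is_b64(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
}

/* Check that pem is a single PEM certificate with LF line endings, a
 * base64 body wrapped at PEM_LINE_MAX, and a newline after the END line. */
enum pem_status pem_check(const char *pem)
{
    size_t len = strlen(pem), end_len = strlen(END_MARK);

    if (strchr(pem, '\r') != NULL)
        return PEM_CRLF;
    if (strncmp(pem, BEGIN_MARK, strlen(BEGIN_MARK)) != 0)
        return PEM_NO_BEGIN;
    const char *end = strstr(pem, "-----END CERTIFICATE-----");
    if (end == NULL)
        return PEM_NO_END;
    if (len < end_len || end != pem + len - end_len ||
        strcmp(end, END_MARK) != 0)
        return PEM_BAD_TRAILER;

    const char *body = pem + strlen(BEGIN_MARK);
    if (end > body && end[-1] != '\n')
        return PEM_NO_LINE_BREAK;
    size_t col = 0;
    for (const char *p = body; p < end; p++) {
        if (*p == '\n') { col = 0; continue; }
        if (!is_b64(*p))
            return PEM_BAD_CHAR;
        if (++col > PEM_LINE_MAX)
            return PEM_LINE_TOO_LONG;
    }
    return PEM_OK;
}

/* Render pem as certificate.h-style C string literals: one quoted line per
 * PEM line with an explicit "\n". Returns bytes written, 0 if out is too small. */
size_t pem_to_c_literal(const char *pem, char *out, size_t out_sz)
{
    size_t n = 0;
    const char *p = pem;

    if (out_sz == 0)
        return 0;
    out[0] = '\0';
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t line_len = nl ? (size_t)(nl - p) : strlen(p);
        if (n + line_len + 6 > out_sz)   /* '"' line '\' 'n' '"' '\n' NUL */
            return 0;
        out[n++] = '"';
        memcpy(out + n, p, line_len);
        n += line_len;
        out[n++] = '\\'; out[n++] = 'n'; out[n++] = '"'; out[n++] = '\n';
        out[n] = '\0';
        p = nl ? nl + 1 : p + line_len;
    }
    return n;
}

/* Constructed samples: a made-up base64 body, NOT a real certificate. */
const char GOOD_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2\n"
    "d3h5ejAxMjM0NTY3ODk=\n"
    "-----END CERTIFICATE-----\n";
const char CRLF_PEM[] =   /* saved on Windows: CRLF endings */
    "-----BEGIN CERTIFICATE-----\r\nQUJDREVG\r\n-----END CERTIFICATE-----\r\n";
const char NO_NL_PEM[] =  /* trailing newline lost when pasting */
    "-----BEGIN CERTIFICATE-----\nQUJDREVG\n-----END CERTIFICATE-----";
const char ONE_LINE_PEM[] =  /* body line breaks lost: 84-char line */
    "-----BEGIN CERTIFICATE-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk=\n"
    "-----END CERTIFICATE-----\n";

/* Render GOOD_PEM into a static buffer, for the reader and the checks. */
const char *good_pem_as_literal(void)
{
    static char buf[512];
    return pem_to_c_literal(GOOD_PEM, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    printf("GOOD_PEM: %d  CRLF: %d  no trailing NL: %d  one line: %d\n",
           (int)pem_check(GOOD_PEM), (int)pem_check(CRLF_PEM),
           (int)pem_check(NO_NL_PEM), (int)pem_check(ONE_LINE_PEM));
    printf("%s", good_pem_as_literal());
    return 0;
}
```

Run it against the .crt that the script consumed; if pem_check() returns anything but 0 the modem will raise Unknown CA regardless of how the sec tag was written, which is why the Certificate Manager route in the next post showed the same failure.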
Hello Didrik,
After numerous attempts I think I got past that problem of the -111 error and CONNREFUSED because of unknown CA. I think the issue was the formatting of the certificate.
Now I have a different problem: error -128 on mqtt_input.
[00:44:14.755,249] <inf> Lesson4_Exercise2: RRC mode: Connected
[00:44:16.156,097] <inf> Lesson4_Exercise2: MQTT client disconnected: -128
[00:44:16.156,158] <err> Lesson4_Exercise2: Error in mqtt_input: -128
[00:44:16.156,158] <inf> Lesson4_Exercise2: Disconnecting MQTT client
[00:44:16.156,188] <err> Lesson4_Exercise2: Could not disconnect MQTT client: -128
This is the log from Wireshark
83 ip ip DNS Standard query response 0x36a2 A "servername" CNAME "servername" A "serverip" NS "server" NS "server" A "server" A "server" AAAA 2001:700:300::209 AAAA 2001:700:300::208
84 10.82.101.95 "serverip" TCP 56805 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708
85 "serverip" 10.82.101.95 TCP 8883 → 56805 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380
86 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0
87 10.82.101.95 "serverip" TLSv1.2 Client Hello (SNI="servername")
88 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=1 Ack=143 Win=64098 Len=0
89 "serverip" 10.82.101.95 TLSv1.2 Server Hello
90 "serverip" 10.82.101.95 TCP 8883 → 56805 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU]
91 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0
92 "serverip" 10.82.101.95 TLSv1.2 Certificate
93 "serverip" 10.82.101.95 TLSv1.2 Server Key Exchange, Server Hello Done
94 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0
95 10.82.101.95 "serverip" TLSv1.2 Client Key Exchange
96 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=185 Win=64056 Len=0
97 10.82.101.95 "serverip" TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
98 "serverip" 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=236 Win=64056 Len=0
99 "serverip" 10.82.101.95 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message
100 10.82.101.95 "serverip" TLSv1.2 Application Data
101 "serverip" 10.82.101.95 TLSv1.2 Encrypted Alert
102 "serverip" 10.82.101.95 TCP 8883 → 56805 [FIN, ACK] Seq=2308 Ack=298 Win=64056 Len=0
103 10.82.101.95 "serverip" TCP 56805 → 8883 [ACK] Seq=298 Ack=2309 Win=5975 Len=0
I am unable to decrypt the TLS using the server private key because of this log message:
session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file
What server are you connecting to?
Some, e.g. AWS IoT Core, require that the client ID in the MQTT Connect request is the same as the CN in the device certificate.
The first packet of Application Data will be the Connect request, and a wrong Client ID/CN is the typical cause when the connection is terminated after the first packet (at least for AWS).
This issue was fixed by moving struct mqtt_utf8 pass, user_name; to global space. For more detail you can check Zephyr GitHub Issue: github.com/.../73089
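The fix in the post above, as an added example in plain C that is neither Zephyr's code nor the exercise's: the client stores pointers to the mqtt_utf8 credential descriptors, not copies, so descriptors declared inside the init function are dangling by the time the CONNECT packet is serialised, and the broker then sees garbage credentials and closes the session. struct mqtt_utf8 and the two credential fields of struct mqtt_client are modelled on Zephyr's definitions (assumed shapes, not the real header); simulated_mqtt_connect(), the DEMO_* strings and everything else are constructed for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on Zephyr's struct mqtt_utf8: a pointer plus an explicit length,
 * not a NUL-terminated string. Assumed shape, not Zephyr's header. */
struct mqtt_utf8 {
    const uint8_t *utf8;
    uint32_t size;
};

/* Only the credential fields of Zephyr's struct mqtt_client are modelled.
 * They are POINTERS: the client keeps a reference, not a copy. */
struct mqtt_client {
    struct mqtt_utf8 *user_name;
    struct mqtt_utf8 *password;
};

/* Constructed demo credentials; string literals have static storage. */
#define DEMO_USER "device-01"
#define DEMO_PASS "not-a-real-password"

/* BUGGY: the descriptors are automatic variables of this function. They die
 * when it returns, so client->user_name and client->password are dangling
 * when mqtt_connect() later reads them; this is the -128 symptom above.
 * Kept for comparison only; never call it. */
void client_init_buggy(struct mqtt_client *client)
{
    struct mqtt_utf8 pass, user_name;   /* stack storage: wrong */

    user_name.utf8 = (const uint8_t *)DEMO_USER;
    user_name.size = (uint32_t)strlen(DEMO_USER);
    pass.utf8 = (const uint8_t *)DEMO_PASS;
    pass.size = (uint32_t)strlen(DEMO_PASS);
    client->user_name = &user_name;     /* dangles after return */
    client->password = &pass;           /* dangles after return */
}

/* FIXED: descriptors in static (global) storage, as in the thread's fix, so
 * the pointers held by the client stay valid for the client's lifetime. */
static struct mqtt_utf8 g_pass, g_user_name;

int client_init_fixed(struct mqtt_client *client, const char *user,
                      const char *pass)
{
    /* user and pass must themselves have static lifetime (Kconfig strings
     * or literals): only their addresses are stored here. */
    if (client == NULL || user == NULL || pass == NULL)
        return -EINVAL;
    g_user_name.utf8 = (const uint8_t *)user;
    g_user_name.size = (uint32_t)strlen(user);   /* size, not NUL, is used */
    g_pass.utf8 = (const uint8_t *)pass;
    g_pass.size = (uint32_t)strlen(pass);
    client->user_name = &g_user_name;
    client->password = &g_pass;
    return 0;
}

/* Stand-in for the part of mqtt_connect() that serialises CONNECT: it reads
 * the credentials through the stored pointers, well after init returned,
 * and records the user name it would have sent. */
static char seen_user[64];

int simulated_mqtt_connect(const struct mqtt_client *client)
{
    const struct mqtt_utf8 *u = client->user_name;
    const struct mqtt_utf8 *p = client->password;

    if (u == NULL || p == NULL || u->utf8 == NULL || p->utf8 == NULL)
        return -EINVAL;
    if (u->size == 0 || u->size >= sizeof(seen_user))
        return -EINVAL;
    memcpy(seen_user, u->utf8, u->size);
    seen_user[u->size] = '\0';
    return 0;
}

const char *last_user_seen(void) { return seen_user; }

struct mqtt_client g_client;

int main(void)
{
    if (client_init_fixed(&g_client, DEMO_USER, DEMO_PASS) != 0)
        return 1;
    if (simulated_mqtt_connect(&g_client) != 0)
        return 1;
    printf("CONNECT would carry user name \"%s\"\n", last_user_seen());
    return 0;
}
```

The same lifetime rule applies to every pointer handed to the client in the real API (broker address, client ID, TLS config, receive buffers): whatever is referenced must outlive the call to mqtt_connect() and the polling loop, so static or heap storage rather than locals of the init function.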