https://devzone.nordicsemi.com/f/nordic-q-a/111177/tls-error-mqtt---error-in-mqtt_connect--111Hello, I am trying to connect to the MQTT broker that uses a TLS certificate and user/password. I have set the user and password fields of these structs. struct mqtt_utf8 pass, user_name; Regarding the server certificate, I have trieden-USTelligent Community 13Thu, 06 Jun 2024 08:39:39 GMThttps://devzone.nordicsemi.com/thread/487655?ContentTypeID=1Thu, 06 Jun 2024 08:39:39 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fd94cfdb-f92d-453c-afa2-694c21995013tsotnek<p>This issue was fixed by moving struct mqtt_utf8 pass, user_name; to global space. For more detail you can check Zephyr GitHub Issue:&nbsp;<a href="https://github.com/zephyrproject-rtos/zephyr/issues/73089">github.com/.../73089</a></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/484732?ContentTypeID=1Thu, 16 May 2024 14:19:51 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b0684394-d237-4e96-b88d-769a266de91cDidrik Rokhaug<p>What server are you connecting to?</p> <p>Some, e.g. AWS IoT Core, require that the client ID in the MQTT Connect request is the same as the CN in the device certificate.</p> <p>The first packet of Application Data will be the Connect request, and wrong Client ID/CN is the typical cause when the conenction is terminated after the first packet (at least for AWS).</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/483532?ContentTypeID=1Wed, 15 May 2024 13:48:53 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a5fa542f-dca6-45e4-b33c-6ed4a2d994ddtsotnek<p>Hello Didrik,</p> <p></p> <p>After numerous attempts I think I got through that problem of -111 error and CONNREFUSED because of unknown CA. I think the issue was the formatting of the certificate.</p> <p></p> <p>Now I have different problem error -128 on mqtt_input</p> <p></p> <p><pre class="ui-code" data-mode="text">[00:44:14.755,249] &lt;inf&gt; Lesson4_Exercise2: RRC mode: Connected [00:44:16.156,097] &lt;inf&gt; Lesson4_Exercise2: MQTT client disconnected: -128 [00:44:16.156,158] &lt;err&gt; Lesson4_Exercise2: Error in mqtt_input: -128 [00:44:16.156,158] &lt;inf&gt; Lesson4_Exercise2: Disconnecting MQTT client [00:44:16.156,188] &lt;err&gt; Lesson4_Exercise2: Could not disconnect MQTT client: -128</pre></p> <p></p> <p></p> <p>This is the log from Wireshark</p> <p></p> <p><code></code><pre class="ui-code" data-mode="text">83&#160;ip&#160;ip DNS Standard query response 0x36a2 A &quot;servername&quot; CNAME &quot;servername&quot; A &quot;serverip&quot; NS&#160;&quot;server&quot; NS &quot;server&quot; A &quot;server&quot; A &quot;server&quot; AAAA 2001:700:300::209 AAAA 2001:700:300::208 84 10.82.101.95 &quot;serverip&quot; TCP 56805 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708 85 &quot;serverip&quot; 10.82.101.95 TCP 8883 → 56805 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 86 10.82.101.95 &quot;serverip&quot; TCP 56805 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0 87 10.82.101.95 &quot;serverip&quot; TLSv1.2 Client Hello (SNI=&quot;servername&quot;) 88 &quot;serverip&quot; 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=1 Ack=143 Win=64098 Len=0 89 &quot;serverip&quot; 10.82.101.95 TLSv1.2 Server Hello 90 &quot;serverip&quot; 10.82.101.95 TCP 8883 → 56805 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU] 91 10.82.101.95 &quot;serverip&quot; TCP 56805 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0 92 &quot;serverip&quot; 10.82.101.95 TLSv1.2 Certificate 93 &quot;serverip&quot; 10.82.101.95 TLSv1.2 Server Key Exchange, Server Hello Done 94 10.82.101.95 &quot;serverip&quot; TCP 56805 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0 95 10.82.101.95 &quot;serverip&quot; TLSv1.2 Client Key Exchange 96 &quot;serverip&quot; 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=185 Win=64056 Len=0 97 10.82.101.95 &quot;serverip&quot; TLSv1.2 Change Cipher Spec, Encrypted Handshake Message 98 &quot;serverip&quot; 10.82.101.95 TCP 8883 → 56805 [ACK] Seq=2226 Ack=236 Win=64056 Len=0 99 &quot;serverip&quot; 10.82.101.95 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message 100 10.82.101.95 &quot;serverip&quot; TLSv1.2 Application Data 101 &quot;serverip&quot; 10.82.101.95 TLSv1.2 Encrypted Alert 102 &quot;serverip&quot; 10.82.101.95 TCP 8883 → 56805 [FIN, ACK] Seq=2308 Ack=298 Win=64056 Len=0 103 10.82.101.95 &quot;serverip&quot; TCP 56805 → 8883 [ACK] Seq=298 Ack=2309 Win=5975 Len=0</pre><code></code></p> <p></p> <p>I am unable to decrypt the TLS using server private key due to this log message</p> <p><strong>session uses Diffie-Hellman key exchange (cipher suite 0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and cannot be decrypted using a RSA private key file</strong></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/483497?ContentTypeID=1Wed, 15 May 2024 12:11:09 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a8e94c10-43ba-4919-8ae8-619fbdc5bea1tsotnek<p>Hello Didrik,</p> <p></p> <p>The modem trace contains some sensitive data, I don&#39;t think it would be wise to post it here. But I looked through it using WireShark and it seems to be failing <strong>95 TLSv1.2 Alert (Level: Fatal, Description: Unknown CA)&nbsp;</strong>due to unknown CA?&nbsp;</p> <p></p> <p>Again I tested with both following the instructions on&nbsp;<span>lesson 4.2, generated certificate.h using python script from server certificate .crt file.&nbsp;</span></p> <p><code></code></p> <p></p> <p><code></code></p> <p><pre class="ui-code" data-mode="text">83 DNS Standard query response 0x10e2 A &quot;server&quot; CNAME&#160;&quot;server&quot; A &quot;ip&quot; NS&#160;&quot;server&quot; NS &quot;server&quot; A &quot;IP&quot; A&#160;&quot;IP&quot; AAAA 2001:700:300::209 AAAA 2001:700:300::208 84 TCP 58740 → 8883 [SYN] Seq=0 Win=6372 Len=0 MSS=708 85 TCP 8883 → 58740 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 86 TCP 58740 → 8883 [ACK] Seq=1 Ack=1 Win=6372 Len=0 87 TLSv1.2 Client Hello (SNI=&quot;server&quot;) 88 TCP 8883 → 58740 [ACK] Seq=1 Ack=143 Win=64098 Len=0 89 TLSv1.2 Server Hello 90 TCP 8883 → 58740 [PSH, ACK] Seq=709 Ack=143 Win=64098 Len=708 [TCP segment of a reassembled PDU] 91 TCP 58740 → 8883 [ACK] Seq=143 Ack=1417 Win=5664 Len=0 92 TLSv1.2 Certificate 93 TCP 58740 → 8883 [ACK] Seq=143 Ack=2125 Win=6159 Len=0 94 TLSv1.2 Server Key Exchange, Server Hello Done 95 TLSv1.2 Alert (Level: Fatal, Description: Unknown CA) 96 TCP 58740 → 8883 [RST, ACK] Seq=150 Ack=2226 Win=58392 Len=0</pre></p> <p>Exact same certificate file works perfectly on Node-red and MQTT Explorer.</p> <p></p> <p>I tried to also write a certificate using Certificate Manager in sec tag 24. Same problem.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/483467?ContentTypeID=1Wed, 15 May 2024 11:05:27 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0cdd147f-ea80-457f-8f10-03ae2b38f754Didrik Rokhaug<p>Hi,</p> <p>Can you take a <a href="https://docs.nordicsemi.com/bundle/nrf-connect-cellularmonitor/page/index.html">modem trace</a>, so that we can look at the TLS handshake to see where it fails?</p> <p>Best regards,</p> <p>Didrik</p><div style="clear:both;"></div>