
nRF9160 Using MQTT with TLS

Hi everyone,

I am looking at using MQTT v3.1.1 with TLS 1.2, to send data to Azure IoT Hub.

I tested the MQTT Simple sample and it worked perfectly. So I am modifying this project to enable TLS. To do so I followed these threads:

https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/enabling-and-testing-tls-in-mqtt_5f00_simple

https://github.com/joakimtoe/fw-nrfconnect-nrf/commit/36532a8ca60bf7139a988b5cbb4e6cb47948a9fa#diff-607096fd76f1fd14e4c9453aa1dc8fd3

https://devzone.nordicsemi.com/f/nordic-q-a/44921/nrf9160-tls-and-mqtt

https://devzone.nordicsemi.com/f/nordic-q-a/49339/implementing-tls-with-mqtt-in-nrf9160

Right now I am able to create the TLS socket but I am stuck at the next step, which is the connection step.

When defining tls_config->peer_verify = 2; I got back ERROR: mqtt_connect -45.

And when I define it to 0 or 1 there is no response, as if the nRF9160 is stuck somewhere.

My log is the following for peer_verify=2. It is the same for 0/1, but without the error code.

It has to be noted that the certificates I used are working in an application on my computer. They are placed here in certificates.h and are using the right formatting.

In my project folder, my prj.conf file is the following:

The Kconfig file there is the following:

And the main.c is :

Looking at errno.h, I understand the error -45 as "Operation not supported on socket".

But which operation is not supported?

How can I fix this? And why is it hanging when I use peer_verify=0 or 1?

Thank you in advance

  • Hi,

     

    Q1: How large are your certificates?

    They are cast from const to non-const, meaning that they'll be placed on the stack. Increasing the main stack size might be beneficial (double the heap as well, for testing purposes):

     

    Q2: Do you chain your CA root? I.e., having one root auth. certificate and a second one? The .peer_verify value of 2 indicates that you shall verify the hostname, while 1 states optional, and 0 is do not verify.

    If your broker requires key-pair + CA, you need to provide a CA to the host you're connecting to + a root CA (i.e., a chained CA certificate).

    In C format, it'll look like this: https://devzone.nordicsemi.com/f/nordic-q-a/55393/nrf9160-adding-intermediate-certificates-to-the-tls-engine/225697#225697

     

    Q3: When you're setting .peer_verify=1, does it hang forever? Does it print anything? Have you checked if the firmware is stuck somewhere?

     

    Q4: Have you checked if the TLS section is working, by for instance connecting to mosquitto? You can connect to mosquitto, https://test.mosquitto.org/, on port 8883 without any certificates to see if your TLS setup itself is working. In this case, you can set peer_verify=1, and tls_config->sec_tag_count = 0, tls_config->sec_tag_list = NULL.

     

    Kind regards,

    Håkon

  • Hi Håkon,

    Q1: I have changed the main stack size and memory pool size as you showed. And the issue is still there.

    Q2: I have the Root CA, the Client CA and the Client Key in a header file certificates.h. It looks like this:

    I now answer Q4 first, as I did it before Q3 and it showed me interesting things.

    Q4: Yes, I can connect to mosquitto and wait for the event with the modification you showed. The first time I got the mqtt event handler being triggered with:

     

    But not the other times. I changed the client Id and restarted the DK but nothing appears. So I added a printk call after the poll function and I got:

    I print "After Poll" just after the poll function.

    Q3: Now I am back with my DNS and the certificates. I am testing with peer_verify=1 and I am looking at where it is hanging.

    I have left the "After Poll" printk call, and I have added a "CONNECTED" printk call after the mqtt_connect function and a "FDS init done" after the fds_init function like here:

    And I got this:

    So it seems the connection is successful but that I got no response from the server, like with the test on mosquitto.

  • Hi,

     

    The mqtt_simple sample will just connect, and subscribe to a given topic. Not much more will happen there, unless you publish to the specific topic that the nrf is subscribed to.

    Poll will stand there for CONFIG_MQTT_KEEPALIVE seconds before sending a keep-alive, so it might not do much unless you wait 60 seconds (default value), after which it should print "after poll" again.

    I did this exact setup with mqtt_simple (.peer_verify = 1 for testing purposes), connecting to mqtt.eclipse.org port 8883, and I'm not seeing the same failure as you.

    Note that I am not testing with test.mosquitto.org. It seems to be down? I get a timed out request back when I try to connect to port 8883, which I also get if I use mosquitto_sub on my PC.

     

    Have you removed the prints in the mqtt_evt_handler()? You do not seem to get any mqtt-related prints from that one.

    PS: I see that you're using ncs v1.1.0. We have released v1.2.0, but this sample should work on both.

     

    Kind regards,

    Håkon

  • Hi Håkon,

    I also got the timeout if I try with test.mosquitto.org. Yes, it seems to be down.

    I did not remove the printk calls from the mqtt_evt_handler. I also tried with mqtt.eclipse.org and I have the same thing: the mqtt_event handler is never called.

  • I tested with both v1.1.0 and v1.2.0, and get this behavior:

    Here's my source for reference: mqtt_simple.zip

    Please note that the .peer_verify shall be '2' in an actual product, as we are currently not performing hostname verification.

     

    Could you test this and see if you still do not get the connected and suback callbacks?

     

    Kind regards,

    Håkon

  • Hi Håkon,

    I have totally removed and reinstalled the ncs/nrf repo.

    With your code and with my code with TLS (no certificates) and with hostname test.mosquitto.org, I got the same log as you, with the mqtt_event_handler working.

    Now with my certificates for Azure IoT Hub:

    - If peer_verify=2: I got ERROR: mqtt_connect -45 when I try to connect (both with J-Link RTT Viewer and the debug terminal)

    - If peer_verify=1: In my J-Link RTT Viewer, I have nothing after the "IPv4 Address found 13.95.15.251" statement. But when I use the debug terminal from Segger Embedded Studio, I got:

    The only differences between my Azure MQTT code and the test on mosquitto is that in prj.conf I added:

    And in my main.c, I changed the configuration to:

  • Hi,

      

    thomallain said:
    If peer_verify=2: I got ERROR: mqtt_connect -45 when I try to connect (both with J-Link RTT Viewer and the debug terminal)

    This makes sense if you do not have a root CA to verify the hostname against.

     

    thomallain said:
    If peer_verify=1: In my J-Link RTT Viewer, I have nothing after the "IPv4 Address found 13.95.15.251" statement. But when I use the debug terminal from Segger Embedded Studio, I got:

    -57 -> errno.h::ENOTCONN

    -61 -> errno.h::ECONNREFUSED.

     

    Have you tried to connect using your generated certificates on a PC, using mosquitto_sub / mosquitto_pub, to see if you connect successfully?

    There's a guide on using certificates here and on stack overflow:

    http://www.steves-internet-guide.com/mosquitto_pub-sub-clients/

    https://stackoverflow.com/questions/34491799/secured-ssl-connection-with-mosquitto-broker

     

    Kind regards,

    Håkon

  • Hi Håkon,

    I have followed what you said, and I have been able to connect to Azure IoT Hub both with my computer and the nRF9160.

    First I looked at using paho_mqtt to connect to Azure IoT Hub. I found out that I had to use a username looking like this: hostname/deviceId/API_version. I also found out that as my certificates were self-signed I could not use the certificate verification, so I had to remove it (for the nRF9160 it means peer_verify=0).

    Here is my python code:

    I then added those changes to my nRF9160 project, and I added a publish call to send a message to Azure.

    Here is my main:

    Here is my log:

    It is not perfect yet, as it sends a lot of messages before disconnecting, but I have at least communication working.

    Thank you very much for your help.

    EDIT:

    To decrease the number of messages I send, I have added an if statement on the polling, within which I call the publish function.