TLS handshake in aws_iot_connect() function


Currently we working on a project that uses:

  • nRF9160
  •  Zyphre OS
  •  Segger Embedded Studio for  Arm (Nordic Edition) V4.52
  •  SDK v1.3

In  nRF Connect SDK - AWS IoT  it mentions that the TLS handshake is performed in the aws_iot_connect() function, specifically in the following note:

After a thorough review we have not found where the TLS handshake is do it, We think the TLS handshake is doing in some of these functions (zephyr\subsys\net\lib\mqtt\mqtt.c):

  • mqtt_transport_connect(client);
  • connect_request_encode(client, &packet);
  • mqtt_transport_write(client, packet.cur,packet.end - packet.cur);

Could someone from your team tell us where is the TLS handshake inside the aws_iot_connect() ?

Thanks a lot,

René D.

  • Hi,

    aws_iot_connect() calls mqtt_connect() which calls client_connect() which calls mqtt_transport_connect().

    mqtt_transport_connect() calls transport_fn[client->transport.type].connect(). The MQTT library supports three transport layers, TCP, TLS and websockets. Each of the transports has defined a struct, filled with transport specific functions, and placed those structs in the transport_fn array. This way, the MQTT library can use a single interface for both transports.

    As you are using TLS, mqtt_transport_connect() will call mqtt_client_tls_connect() in mqtt_transport_socket_tls.c. In mqtt_client_tls_connect(), you will see the socket be created, and the relevant socket options being set. In the end, mqtt_client_tls_connect() calls connect().

    The call to connect() will go through Zephyr's socket offloading layer (you are free to explore the details of this yourself), and end up nrf91_socket_offload_connect() in nrf/lib/bsdlib/nrf91_socket.c. Here, we convert from Zephyr's sockets, to bsdlib's nrf_sockets. The call to connect() ends up converted to a call to nrf_connect().

    nrf_connect() is implemented in bsdlib, which is only distributed as a pre-compiled library, so our exploration ends here. However, bsdlib will forward the function call to the modem, which is where the TLS stack resides.

    In short, the call to aws_iot_connect() will go through a lot of intermediate functions, before ending up in the modem, which is where the magic happens.

    Best regards,


  • Hello, thanks for your answer, it describes very well the calls to the functions. But It not mentioning anything related to TLS Handshake therefore I am not answering my question.

    What we want to know is:

    Where is the TLS Hanshake done, mentioned in the note that I pasted in my previous comment? The notes are in the Nordic Wiki for that reason I question to your Team.

    Best Regards,

    René D.

  • The TLS stack is in the modem, so the modem will handle the TLS handshake.

    Why do you want to know where the TLS handshake happens?

  • Hello,

    We are porting aws-iot-device-sdk-embedded-C, and TLS handshake is requirement of the connect function parameter,

    We want to know which function we need to call from Cortex M33 to trigger that the modem do the TLS handshake.

    René D.

  • A TLS handshake will be done if you call connect() on  a TLS socket.

    A TLS socket is created by calling socket(sa_family, SOCK_STREAM, IPPROTO_TLS_1_2), where sa_family is the IP version (AF_INET for IPv4 or AF_INET6 for IPv6)