
mqtts reported an error when creating a socket: Operation not supported on socket.

I want nRF9160 to do mqtts connection without certificate.

Modem FW:1.2.3

Here is my mqtt client_init:

static int client_init(struct mqtt_client *client)
{
	int err;

	mqtt_client_init(client);

	err = broker_init();
	if (err) {
		LOG_ERR("Failed to initialize broker connection");
		return err;
	}

	/* MQTT client configuration */
	client->broker = &broker;
	client->evt_cb = mqtt_evt_handler;
	client->client_id.utf8 = (uint8_t *)CONFIG_MQTT_CLIENT_ID;
	client->client_id.size = strlen(CONFIG_MQTT_CLIENT_ID);
	client->password = NULL;
	client->user_name = NULL;
	client->protocol_version = MQTT_VERSION_3_1_1;

	/* MQTT buffers configuration */
	client->rx_buf = rx_buffer;
	client->rx_buf_size = sizeof(rx_buffer);
	client->tx_buf = tx_buffer;
	client->tx_buf_size = sizeof(tx_buffer);

	/* MQTT transport configuration */
	struct mqtt_sec_config *tls_cfg = &(client->transport).tls.config;
	static sec_tag_t sec_tag_list[] = { CONFIG_MQTT_TLS_SEC_TAG };

	LOG_INF("TLS enabled");
	client->transport.type = MQTT_TRANSPORT_SECURE;

	tls_cfg->peer_verify = TLS_PEER_VERIFY_NONE;
	tls_cfg->cipher_count = 0;
	tls_cfg->cipher_list = NULL;
	tls_cfg->sec_tag_count = 0;
	tls_cfg->sec_tag_list = NULL;
	tls_cfg->hostname = CONFIG_MQTT_BROKER_HOSTNAME;

	tls_cfg->session_cache = IS_ENABLED(CONFIG_MQTT_TLS_SESSION_CACHING) ?
					    TLS_SESSION_CACHE_ENABLED :
					    TLS_SESSION_CACHE_DISABLED;

	return err;
}

When I use 9160DK, mqtts is connected normally. But when using the 9160 chip, there is an error in the connection. Here is my log:

[00:00:00.243,316] <inf> main: Connecting to LTE network.
[00:00:00.243,316] <inf> main: This may take several minutes.
[00:00:00.243,377] <inf> flash_control: No apn found, use default apn
[00:00:00.249,908] <inf> main: Set to the default APN CMNBIOT2.
[00:00:00.258,087] <inf> lte_lc: Using legacy LTE PCO mode...
[00:00:02.258,117] <inf> main: CSCON : 1
[18:48:50.833]收←◆[00:00:04.283,386] <inf> main: Connected to LTE network.

[00:00:04.286,163] <inf> mqtt_engine: IPv4 Address found 47.106.164.80
[00:00:04.286,193] <inf> mqtt_engine: TLS enabled
[00:00:04.286,468] <dbg> net_mqtt_sock_tls.mqtt_client_tls_connect: (0x20015220): Created socket 1
[00:00:04.660,552] <err> mqtt_engine: mqtt_connect -45
[00:00:04.660,583] <err> mqtt_engine: ERROR: mqtt_disconnect -57

-45 is EOPNOTSUPP, and typically indicates that you have written wrong certificates to the device. But I had peer_verify set to 0. Why is there a -45 error?

  • Hi!

    So when running the application on the nRF9160 DK it is able to establish a connection, but when using your custom board it is not? In this case, could you provide the schematics from the board so your HW engineers can take a look?

    You are correct, when Peer Verification is disabled the error -45 most likely does not mean there is something wrong with the certificates. -45 just means EOPNOTSUPP 45 /**< Operation not supported */ so it can come from other issues as well.

    I would also like a modem trace from when the connection fails. To take a modem trace, enable "CONFIG_NRF_MODEM_LIB_TRACE_ENABLED" in your application and flash it to the board. Then open the Trace Collector application in nRF Connect for Desktop and "Start Capture" while the application is running. The trace file size should increase if everything is working properly.

    Best regards,

    Heidi

  • I reproduced this phenomenon on another DK board. Attached is the captured modem info. 0535.trace-2021-04-13T01-58-55.612Z.bin

  • All certificates present in the DK board:

    [15:16:11.422]收←◆*** Booting Zephyr OS build v2.4.99-ncs1  ***
    The AT host sample started
    
    [15:16:17.557]发→◇AT%CMNG=1
    □
    [15:16:17.572]收←◆%CMNG: 0,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 0,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 24,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 6123,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 123456,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 123456,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
    %CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
    %CMNG: 35724861,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 35724861,4,"0404040404040404040404040404040404040404040404040404040404040404"
    OK
    

    Demo is in the attachment. mqtt_simple_test.rar

  • I found through a breakpoint test that the return value of nrf_connect() on the eleventh line is -1.

    static int nrf91_socket_offload_connect(void *obj, const struct sockaddr *addr,
    					socklen_t addrlen)
    {
    	int sd = OBJ_TO_SD(obj);
    	int retval;
    
    	if (addr->sa_family == AF_INET) {
    		struct nrf_sockaddr_in ipv4;
    
    		z_to_nrf_ipv4(addr, &ipv4);
    		retval = nrf_connect(sd, (const struct nrf_sockaddr_in *)&ipv4,
    				     sizeof(struct nrf_sockaddr_in));
    	} else if (addr->sa_family == AF_INET6) {
    		struct nrf_sockaddr_in6 ipv6;
    
    		z_to_nrf_ipv6(addr, &ipv6);
    		retval = nrf_connect(sd, (const struct nrf_sockaddr *)&ipv6,
    				  sizeof(struct nrf_sockaddr_in6));
    	} else {
    		/* Pass in raw to library as it is non-IP address. */
    		retval = nrf_connect(sd, (void *)addr, addrlen);
    		if (retval < 0) {
    			/* Not supported by library. */
    			goto error;
    		}
    	}
    
    	return retval;
    
    error:
    	retval = -1;
    	errno = ENOTSUP;
    	return retval;
    }

  • Hi! 

    I'm unfortunately not able to reproduce the issue you're seeing, so I'm not sure where to go from here.

    The application you attached works fine on my DK. The only changes I made were changing the configurations to connect with LTE-M instead of NB-IoT because that's what I have available. 

    Your modem trace was possibly missing some information. Perhaps you can try to generate a new one?

  • This is the modem information I re-crawled. Can you analyze what went wrong? 1348.trace-2021-04-28T02-21-08.402Z.bin

  • Hi!

    From the modem trace and the return of %CMNG it looks like there is a Root CA stored in sec_tag 24 and sec_tag 16842753 but the TLS connection is trying to be established using sec_tag 1, where there is no root certificate.

    Try using the correct sec_tag in your application, and the modem should be able to find the root certificate.

    Best regards,

    Heidi

  • I wrote the root certificate in sec_tag 1 of the problematic DK, and the mqtt connection succeeded. I really appreciate your help. 

     

    But I still have a question. Normal DK does not have a root certificate stored in seg 1. Why can this normal DK connect successfully?

    Like this

    Unfortunately, my custom board still reported -45 error after writing the root certificate in sec_tag 1.  After setting peer_verify to 0, will the sec_tag used by each board be different?

    I don't know where to write the root certificate of the custom board to ensure a successful connection. Can you help me analyze the modem info of the custom board? trace-2021-05-06T03-31-54.133Z.bin

    trace-2021-05-07T11-27-12.676Z.bin

  • Hi!

    xinjiang said:
    Why can this normal DK connect successfully?

     My guess is there's some subtle difference in the set-up or app running on this DK. What's the return of %CMNG in the "normal" DK?

    From the trace, I can see that the TLS connection is trying to open using the root certificate in sec_tag 1. Try to run %CMNG to see if the certificate actually gets written. 

    In the meantime, I'll have our modem experts take a look at the trace as well.

    Best regards,

    Heidi

  • Hi!

    This is the certificate stored in the "normal" DK and trace. It can connect to tls normally. trace-2021-05-12T01-59-10.472Z.bin

    *** Booting Zephyr OS build v2.4.99-ncs1  ***
    The AT host sample started
    
    AT+CGMR
    mfw_nrf9160_1.3.0
    OK
    
    AT%CMNG=1
    %CMNG: 0,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 0,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 0,6,"0606060606060606060606060606060606060606060606060606060606060606"
    %CMNG: 6123,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
    %CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
    %CMNG: 16842754,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 16842754,1,"0101010101010101010101010101010101010101010101010101010101010101"
    %CMNG: 16842754,2,"0202020202020202020202020202020202020202020202020202020202020202"
    %CMNG: 35724859,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 35724859,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 35724861,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 35724861,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 35724862,3,"0303030303030303030303030303030303030303030303030303030303030303"
    %CMNG: 35724862,4,"0404040404040404040404040404040404040404040404040404040404040404"
    %CMNG: 4294967293,10,"0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A"
    %CMNG: 4294967292,11,"0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"
    OK
    
    AT%CMNG=1,1
    OK
    
    
    

    This is the certificate stored in the custom board. I have a certificate written in sec_tag 1 and I am currently in trouble.

    [10:05:37.543]收←◆*** Booting Zephyr OS build v2.4
    [10:05:37.574]收←◆.99-ncs1  ***
    The AT host sample started
    
    [10:05:58.792]发→◇AT%CMNG=1
    □
    [10:05:58.804]收←◆%CMNG: 0,6,"0606060606060606060606060606060606060606060606060606060606060606"
    %CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 1,1,"0101010101010101010101010101010101010101010101010101010101010101"
    %CMNG: 1,2,"0202020202020202020202020202020202020202020202020202020202020202"
    %CMNG: 24,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
    %CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
    OK
    
    [10:06:23.139]发→◇AT%CMNG=1,1
    □
    [10:06:23.160]收←◆%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000"
    %CMNG: 1,1,"0101010101010101010101010101010101010101010101010101010101010101"
    %CMNG: 1,2,"0202020202020202020202020202020202020202020202020202020202020202"
    OK
    
    [10:06:51.981]发→◇AT%CMNG=2,1,0
    □
    [10:06:52.004]收←◆%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000","-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----"
    OK
    
    [10:06:56.235]发→◇AT%CMNG=2,1,1
    □
    [10:06:56.250]收←◆ERROR
    
    [10:07:12.214]发→◇AT%CMNG=2,1,2
    □
    [10:07:12.233]收←◆ERROR

  • Hi!

    So after looking at the modem trace, we can see that the modem returns error code 102 which means "Certification parse error".

    In this case, you are using the certificate in sec_tag = 1 to open the TLS session, but it looks like an attempt is made to load certificate type 1 (i.e. client certificate) instead of the root CA.

    You need to make sure that the correct types of certificates are stored in the modem filesystem.

    And make sure that the certificate is valid and stored in the correct format in the modem. I.e. check that there isn't a client certificate stored with type "Root CA Certificate".

    Best regards,

    Heidi
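
The check described in Heidi's replies (does the sec_tag used for TLS hold a type 0 root CA?), as an added example that is not part of the thread or of Nordic's code: it parses an `AT%CMNG=1` listing and classifies one sec_tag. The function and enum names are hypothetical, and the sample listing is constructed from the listings quoted in the thread with the digests shortened.

```c
#include <stdio.h>
#include <string.h>

/* %CMNG credential types referred to in the thread. */
enum { CMNG_ROOT_CA = 0, CMNG_CLIENT_CERT = 1, CMNG_CLIENT_KEY = 2 };
enum tag_status { TAG_OK, TAG_EMPTY, TAG_NO_ROOT_CA };

/* Constructed sample modelled on the listings in the thread (digests shortened). */
static const char sample_listing[] =
    "[15:16:17.572] %CMNG: 0,3,\"0303\"\n"
    "%CMNG: 24,0,\"0000\"\n"
    "%CMNG: 16842753,0,\"0000\"\n"
    "%CMNG: 16842753,1,\"0101\"\n"
    "%CMNG: 16842753,2,\"0202\"\n"
    "%CMNG: 4294967293,10,\"0A0A\"\n"
    "OK\n";

/* Walk every "%CMNG: <sec_tag>,<type>," record in an AT%CMNG=1 response and
 * report whether sec_tag holds a root CA (type 0). Text before "%CMNG:" on a
 * line, such as a terminal timestamp, is skipped. */
enum tag_status check_sec_tag(const char *listing, unsigned long sec_tag)
{
    int entries = 0, root_ca = 0;
    const char *p = listing;

    while ((p = strstr(p, "%CMNG: ")) != NULL) {
        unsigned long tag;
        int type;
        if (sscanf(p, "%%CMNG: %lu,%d,", &tag, &type) == 2 && tag == sec_tag) {
            entries++;
            if (type == CMNG_ROOT_CA)
                root_ca = 1;
        }
        p += strlen("%CMNG: ");   /* step past this record's prefix */
    }
    if (entries == 0)
        return TAG_EMPTY;         /* nothing stored under this sec_tag */
    return root_ca ? TAG_OK : TAG_NO_ROOT_CA;
}

int main(void)
{
    static const unsigned long tags[] = { 1, 24, 0, 16842753 };
    static const char *const msg[] = { "root CA present", "no credentials", "no root CA" };
    for (size_t i = 0; i < sizeof(tags) / sizeof(tags[0]); i++)
        printf("sec_tag %lu: %s\n", tags[i], msg[check_sec_tag(sample_listing, tags[i])]);
    return 0;
}
```
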

  • Which modem trace? "normal" DK trace?

    "Normal" DK does not store certificates in sec_tag 1, why can it do TLS connection?

    I.e. check that there isn't a client certificate stored with type "Root CA Certificate".

    Do you mean to store Root CA in certificate type 1 and sec_tag 1?

    I followed this method, but it didn't solve the problem.
