Azure IoT Hub Library with OpenThread

Hello Everyone,

We are working on a new product using the nrf52840 and OpenThread. Our current product uses the Azure IoT Hub and we were wondering if we could use the library used by the nrf91.

According to Didrik in a post on DevZone, it should be possible to use this library to connect to the Azure IoT Hub.

I have set up a Thread network and added a route for the NAT64 interface. I am able to use the NAT64 interface as a DNS server to get an IPv6 address synthesized from the well-known prefix and the IPv4 address.

I've done this using the OpenThread CLI example from the nRF Connect SDK.

I've created a project and I've included the Azure IoT Hub library. It runs but is unable to get an IP address for the provided domain.

I've looked at the Azure IoT Hub code and it uses getaddrinfo to get an IP address from a hostname.

What would be the best way to proceed? I can see the OpenThread CLI example uses a different method to retrieve the IP address from the DNS. Is there a way to configure a DNS server used by getaddrinfo?

  • The answer, from a reply I made down below:
    I was using the default interface to do my DNS requests and connections to the network outside the Thread network. This was fixed when I configured my IPv6 address as CONFIG_NET_CONFIG_MY_IPV6_ADDR="fd3f:76ab:550:1:2a9d:e83a:3e:84a7".
    I was using my mesh local address instead of my local address. Mesh Local can only talk to mesh local prefix addresses. With the correct interface I was able to do DNS requests and connections to NAT64 mapped IPv6 addresses.

    We can configure the NAT64 address as DNS Server.

    The Azure IoT Hub library can be used; the azure_iot_hub.c function broker_init needs to be rewritten to resolve to IPv6 addresses.

    I also added SNTP to the project; I did remember from an ESP32 project that MBedTLS would need it. Since we don't have an IPv6 network at home/work, I also had to find NTP servers with only IPv4 addresses so the NAT64 would translate them. Setting the server "eu.pool.ntp.org" in "nrf\lib\date_time\date_time_ntp.c" worked perfectly.

    And using the correct MBedTLS config we can create TLS connections to the Azure IoT Hub. Here we need to enable the CBC ciphers in MBedTLS so we can use the cipher "MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256".

    The same is true for using the Azure IoT Hub DPS. After fiddling with my certificates, I got that working.

    Thanks everyone for your help!

  • Hi,

    When you say "enable the CBC ciphers in MBedTLS so we can use the cipher "MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" " in your answer, would you mind sharing the prj settings you used to do so? Also, I am guessing that you are using the new Connect SDK v2.0.0? I see TCP messages to/from my Azure IoT Hub and Thread node using the Wireshark sniffer dongle, but get a -22 error during mqtt_connect(). I think that this might be the issue.

    In case it helps anyone, I have been able to retain the getaddrinfo() function as my DNS resolver in azure_iot_hub.c's broker_init() by setting the following in my prj.conf. It provides the same IPv4 address that I get if I run "nslookup my.hostname.here.net 8.8.8.8" on my PC (8.8.8.8 is Google's public DNS). As you mention, this requires conversion from the returned IPv4 address to IPv6 in broker_init() so that broker4 has the right IPv6 address since we're using OpenThread.

    # DNS Settings
    CONFIG_DNS_RESOLVER=y
    CONFIG_DNS_SERVER_IP_ADDRESSES=y
    CONFIG_DNS_SERVER1="64:ff9b::0808:0808"
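The IPv4-to-IPv6 conversion that both replies above rely on (the NAT64 DNS server 64:ff9b::0808:0808, and the broker4 fix-up in broker_init() after getaddrinfo() returns an IPv4 result), as an added example in C that is not code from the thread or from the nRF Connect SDK; it uses POSIX inet_pton/inet_ntop and assumes the RFC 6052 well-known prefix 64:ff9b::/96 is the one the border router's NAT64 translates.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 6052 well-known prefix 64:ff9b::/96; assumed to be the prefix the
 * NAT64 interface on the Thread border router translates. Remaining bytes
 * are zero-initialized. */
static const uint8_t nat64_wkp[12] = { 0x00, 0x64, 0xff, 0x9b };

/* Synthesize an IPv6 address by appending the 32-bit IPv4 address to the
 * 96-bit prefix: this is exactly how 8.8.8.8 becomes 64:ff9b::808:808. */
void nat64_synthesize(const struct in_addr *v4, struct in6_addr *v6)
{
    memcpy(v6->s6_addr, nat64_wkp, sizeof(nat64_wkp));
    memcpy(v6->s6_addr + sizeof(nat64_wkp), &v4->s_addr, sizeof(v4->s_addr));
}

/* True if the address lies inside the well-known prefix, i.e. traffic to it
 * will go through NAT64 rather than to a native IPv6 host. */
bool nat64_is_synthesized(const struct in6_addr *v6)
{
    return memcmp(v6->s6_addr, nat64_wkp, sizeof(nat64_wkp)) == 0;
}

/* Text helper: "8.8.8.8" -> "64:ff9b::808:808". Returns 0 on success,
 * -1 if the input is not a valid dotted IPv4 address. */
int nat64_map_str(const char *v4_text, char *out, size_t outlen)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, v4_text, &v4) != 1) {
        return -1;
    }
    nat64_synthesize(&v4, &v6);
    return inet_ntop(AF_INET6, &v6, out, outlen) ? 0 : -1;
}

/* The step broker_init() needs once getaddrinfo() hands back an AF_INET
 * sockaddr: rebuild the endpoint as AF_INET6 on the synthesized address,
 * keeping the port (8883 for the IoT Hub MQTT broker) so the TLS socket
 * connects through NAT64. */
void nat64_sockaddr_from_v4(const struct sockaddr_in *in4, struct sockaddr_in6 *out6)
{
    memset(out6, 0, sizeof(*out6));
    out6->sin6_family = AF_INET6;
    out6->sin6_port = in4->sin_port;
    nat64_synthesize(&in4->sin_addr, &out6->sin6_addr);
}
```

The functions do no network I/O, so they slot in right after the getaddrinfo() call; whether the border router really translates 64:ff9b::/96 is the one thing to confirm with the CLI DNS test described in the question.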
  • I copied this from an MBedTLS config for Azure IoT Hub and modified some defines.

    /*! Size optimized TLS config to connect to Azure IoT Hub using RSA X.509 Certificates */
    
    /* Platform has time function to provide time for certificates verifications */
    // #ifndef TOOLCHAIN_ARM // Please set to 1 if you are using secure time
    #ifndef MBEDTLS_HAVE_TIME
    #define MBEDTLS_HAVE_TIME
    #endif // MBEDTLS_HAVE_TIME
    
    #ifndef MBEDTLS_HAVE_TIME_DATE
    #define MBEDTLS_HAVE_TIME_DATE
    #endif // MBEDTLS_HAVE_TIME_DATE
    
    #ifndef MBEDTLS_PLATFORM_TIME_ALT
    #define MBEDTLS_PLATFORM_TIME_ALT
    #endif // MBEDTLS_PLATFORM_TIME_ALT
    
    /* System support */
    #ifndef MBEDTLS_HAVE_ASM
    #define MBEDTLS_HAVE_ASM
    #endif // MBEDTLS_HAVE_ASM
    // #endif
    /* mbed TLS feature support */
    #ifndef MBEDTLS_ECP_DP_SECP256R1_ENABLED
    #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
    #endif // MBEDTLS_ECP_DP_SECP256R1_ENABLED
    
    #ifndef MBEDTLS_ECP_NIST_OPTIM
    #define MBEDTLS_ECP_NIST_OPTIM
    #endif // MBEDTLS_ECP_NIST_OPTIM
    
    #ifndef MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
    #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
    #endif // MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
    
    #ifndef MBEDTLS_SSL_PROTO_TLS1_2
    #define MBEDTLS_SSL_PROTO_TLS1_2
    #endif // MBEDTLS_SSL_PROTO_TLS1_2
    
    #ifndef MBEDTLS_SSL_EXPORT_KEYS
    #define MBEDTLS_SSL_EXPORT_KEYS
    #endif // MBEDTLS_SSL_EXPORT_KEYS
    
    /* mbed TLS modules */
    #ifndef MBEDTLS_AES_C
    #define MBEDTLS_AES_C
    #endif // MBEDTLS_AES_C
    
    /* Disable some of the speed optimizations on AES code to save
     * ~6200 bytes of ROM. According to comments on the mbedtls PR 394,
     * the speed on Cortex M4 is not even reduced by this. */
    #ifndef MBEDTLS_AES_FEWER_TABLES
    #define MBEDTLS_AES_FEWER_TABLES
    #endif // MBEDTLS_AES_FEWER_TABLES
    
    #ifndef MBEDTLS_BIGNUM_C
    #define MBEDTLS_BIGNUM_C
    #endif // MBEDTLS_BIGNUM_C
    
    #ifndef MBEDTLS_CIPHER_C
    #define MBEDTLS_CIPHER_C
    #endif // MBEDTLS_CIPHER_C
    
    #ifndef MBEDTLS_CTR_DRBG_C
    #define MBEDTLS_CTR_DRBG_C
    #endif // MBEDTLS_CTR_DRBG_C
    
    #ifndef MBEDTLS_ECP_C
    #define MBEDTLS_ECP_C
    #endif // MBEDTLS_ECP_C
    
    #ifndef MBEDTLS_ENTROPY_C
    #define MBEDTLS_ENTROPY_C
    #endif // MBEDTLS_ENTROPY_C
    
    #ifndef MBEDTLS_MD_C
    #define MBEDTLS_MD_C
    #endif // MBEDTLS_MD_C
    
    #ifndef MBEDTLS_OID_C
    #define MBEDTLS_OID_C
    #endif // MBEDTLS_OID_C
    
    #ifndef MBEDTLS_PK_C
    #define MBEDTLS_PK_C
    #endif // MBEDTLS_PK_C
    
    #ifndef MBEDTLS_PK_PARSE_C
    #define MBEDTLS_PK_PARSE_C
    #endif // MBEDTLS_PK_PARSE_C
    
    #ifndef MBEDTLS_SHA256_C
    #define MBEDTLS_SHA256_C
    #endif // MBEDTLS_SHA256_C
    
    // Disable the speed optimizations of SHA256, makes binary size smaller
    // on Cortex-M by 1800B with ARMCC5 and 1384B with GCC 6.3.
    #ifndef MBEDTLS_SHA256_SMALLER
    #define MBEDTLS_SHA256_SMALLER
    #endif // MBEDTLS_SHA256_SMALLER
    
    #ifndef MBEDTLS_SSL_COOKIE_C
    #define MBEDTLS_SSL_COOKIE_C
    #endif // MBEDTLS_SSL_COOKIE_C
    
    #ifndef MBEDTLS_SSL_CLI_C
    #define MBEDTLS_SSL_CLI_C
    #endif // MBEDTLS_SSL_CLI_C
    
    #ifndef MBEDTLS_SSL_TLS_C
    #define MBEDTLS_SSL_TLS_C
    #endif // MBEDTLS_SSL_TLS_C
    // XXX mbedclient needs these: mbedtls_x509_crt_free, mbedtls_x509_crt_init, mbedtls_x509_crt_parse
    #ifndef MBEDTLS_X509_USE_C
    #define MBEDTLS_X509_USE_C
    #endif // MBEDTLS_X509_USE_C
    
    #ifndef MBEDTLS_X509_CRT_PARSE_C
    #define MBEDTLS_X509_CRT_PARSE_C
    #endif // MBEDTLS_X509_CRT_PARSE_C
    // a bit wrong way to get mbedtls_ssl_conf_psk:
    #ifndef MBEDTLS_CMAC_C
    #define MBEDTLS_CMAC_C
    #endif // MBEDTLS_CMAC_C
    
    #ifndef MBEDTLS_ECDH_C
    #define MBEDTLS_ECDH_C
    #endif // MBEDTLS_ECDH_C
    
    #ifndef MBEDTLS_ECDSA_C
    #define MBEDTLS_ECDSA_C
    #endif // MBEDTLS_ECDSA_C
    
    #ifndef MBEDTLS_GCM_C
    #define MBEDTLS_GCM_C
    #endif // MBEDTLS_GCM_C
    
    #ifndef MBEDTLS_CIPHER_MODE_CBC
    #define MBEDTLS_CIPHER_MODE_CBC
    #endif // MBEDTLS_CIPHER_MODE_CBC
    
    #ifndef MBEDTLS_X509_CRT_PARSE_C
    #define MBEDTLS_X509_CRT_PARSE_C
    #endif // MBEDTLS_X509_CRT_PARSE_C
    
    #ifndef MBEDTLS_X509_CSR_PARSE_C
    #define MBEDTLS_X509_CSR_PARSE_C
    #endif // MBEDTLS_X509_CSR_PARSE_C
    
    #ifndef MBEDTLS_SHA1_C
    #define MBEDTLS_SHA1_C
    #endif
    
    // /*! All of the following definitions are optimizations (reduce mbedTLS memory usage and size),
    // *   changing them is on the user responsibility since they can enlarge
    // *   the binary footprint and the memory usage
    // */
    
    // define to save 8KB RAM at the expense of ROM
    #ifndef MBEDTLS_AES_ROM_TABLES
    #define MBEDTLS_AES_ROM_TABLES
    #endif // MBEDTLS_AES_ROM_TABLES
    
    // Reduce IO buffer to save RAM, default is 16KB
    #ifndef MBEDTLS_SSL_MAX_CONTENT_LEN
    #define MBEDTLS_SSL_MAX_CONTENT_LEN (10 * 1024)
    #endif // MBEDTLS_SSL_MAX_CONTENT_LEN
    
    // Multiple Precision Integers when using RSA can be smaller
    #define MBEDTLS_MPI_MAX_SIZE 512
    #define MBEDTLS_MPI_WINDOW_SIZE 1
    
    #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
    #define MBEDTLS_DEBUG
    #define MBEDTLS_DEBUG_C
    #define MBEDTLS_DEBUG_LEVEL 4
    #define CONFIG_MBEDTLS_DEBUG_LEVEL 0
    
    // certificate must fit into one message, fragmenting is not supported
    #undef MBEDTLS_SSL_IN_CONTENT_LEN
    #undef MBEDTLS_SSL_OUT_CONTENT_LEN
    #define MBEDTLS_SSL_IN_CONTENT_LEN 4096
    #define MBEDTLS_SSL_OUT_CONTENT_LEN 4096
    
    // Remove error messages, save 10KB of ROM
    // #undef MBEDTLS_ERROR_C
    
    // Remove selftesting and save 11KB of ROM
    #undef MBEDTLS_SELF_TEST
    
    #undef MBEDTLS_CERTS_C
    
    // Reduces ROM size by 30 kB
    #undef MBEDTLS_ERROR_STRERROR_DUMMY
    
    #undef MBEDTLS_VERSION_FEATURES
    
    // You can disable debug as long as you disable MBED_CONF_TLS_SOCKET_DEBUG_LEVEL
    // #undef MBEDTLS_DEBUG_C
    
    #undef MBEDTLS_SHA512_C
    
    #undef MBEDTLS_SSL_SRV_C
    
    #undef MBEDTLS_ECP_DP_SECP192R1_ENABLED
    #undef MBEDTLS_ECP_DP_SECP224R1_ENABLED
    #undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
    #undef MBEDTLS_ECP_DP_SECP521R1_ENABLED
    #undef MBEDTLS_ECP_DP_SECP192K1_ENABLED
    #undef MBEDTLS_ECP_DP_SECP224K1_ENABLED
    #undef MBEDTLS_ECP_DP_SECP256K1_ENABLED
    #undef MBEDTLS_ECP_DP_BP256R1_ENABLED
    #undef MBEDTLS_ECP_DP_BP384R1_ENABLED
    #undef MBEDTLS_ECP_DP_BP512R1_ENABLED
    #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
    
    // Reduces size particularly in case PSA crypto is used
    #undef MBEDTLS_CHACHA20_C
    #undef MBEDTLS_CHACHAPOLY_C
    #undef MBEDTLS_POLY1305_C
    

    The define to enable CBC is "#define MBEDTLS_CIPHER_MODE_CBC".

    I put these defines in nrf-config-user-empty.h; I'm not sure where else to put them, or where the proper place for them is.

    MBedTLS related prj.conf:

    CONFIG_MAIN_STACK_SIZE=4096
    CONFIG_NET_BUF_RX_COUNT=100
    CONFIG_NET_BUF_TX_COUNT=100
    
    # mbedTLS tweaks
    CONFIG_MBEDTLS_DEBUG_C=y
    CONFIG_MBEDTLS_DEBUG=y
    CONFIG_MBEDTLS_DEBUG_LEVEL=0
    # Also see nrf-config-user-empty.h
    
    # TLS configuration
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=60000
    # certificate must fit into one message, fragmenting is not supported
    CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
    CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
    CONFIG_MBEDTLS_ECDSA_C=y
    CONFIG_MBEDTLS_SHA256_C=y
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_AES_C=y
    CONFIG_MBEDTLS_PKCS1_V21=y
    
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=4
    CONFIG_NET_SOCKETS_ENABLE_DTLS=n
    CONFIG_POSIX_MAX_FDS=8
    
    CONFIG_TLS_CREDENTIALS=y
    CONFIG_TLS_MAX_CREDENTIALS_NUMBER=4
    
    # CONFIG_GENERATE_MBEDTLS_CFG_FILE=n # nrf-config.h: No such file or directory

    Good luck!

  • Hi,

    Would you mind sharing a working example I can build on?

    Best

    Sebastian
