MQTT with TLS on AWS EC2

Hi,

We have our own MQTT broker setup with TLS running on an AWS EC2 cloud service.  I am building my code based on the MQTT_SIMPLE example.  I have only a CA certificate in the certificates.h file.  There is no client private key and no client public certificate.  SEC_TAG is set to 2840.  Port is set to 8883.  Below is the terminal output.  IP address was resolved correctly.  Unfortunately, I wasn't able to connect to our MQTT broker.  I kept getting error code 95.

[00:00:00.266,235] <inf> MQTT_SIMPLE: MQTT started
[00:00:00.271,270] <inf> MQTT_SIMPLE: Provisioning certificates
[00:00:00.428,375] <inf> MQTT_SIMPLE: Disabling PSM and eDRX
[00:00:00.439,147] <inf> MQTT_SIMPLE: LTE Link Connecting
[00:00:15.602,569] <inf> MQTT_SIMPLE: LTE Link Connected
[00:00:17.040,008] <inf> MQTT_SIMPLE: IPv4 Address found xxx.xxx.215.238
[00:00:17.047,363] <inf> MQTT_SIMPLE: TLS enabled
[00:00:17.707,611] <err> MQTT_SIMPLE: mqtt_connect -95
[00:00:17.713,256] <inf> MQTT_SIMPLE: Reconnecting in 30 seconds
[00:00:48.585,479] <err> MQTT_SIMPLE: mqtt_connect -95
[00:00:48.591,125] <inf> MQTT_SIMPLE: Reconnecting in 30 seconds
[00:01:19.484,619] <err> MQTT_SIMPLE: mqtt_connect -95
[00:01:19.490,264] <inf> MQTT_SIMPLE: Reconnecting in 30 seconds

The same code was able to connect with test.mosquitto.org with its mosquitto.org.crt (PEM format) and port 8883.  Am I missing anything?  What have I done wrong?

By the way, I am using SDK 1.8.0.

  • flau said:
    Does Trace Collector v2 work on custom board, or nRF9160DK only? 

    It should work for any board that has a serial port.

    flau said:
    We put more log messages in the code (mainly in mqtt.c and mqtt_transport_socket_tls.c) and found that there is an error when calling the zsock_connect function.  After that an error when calling the mqtt_transport_connect function.  And finally the mqtt_connect -95 error.

    Yes, that's where it comes from. But to know why, we need to inspect the traffic between the modem and the server.

  • Hello, I'm working with flau on this problem. 

    nrf9160_error95_trace.pcapng This is the trace of the modem when it receives the 'mqtt_connect -95' error. 

    And from the server side the broker outputs: 

    OpenSSL Error: error:1408A0C1:SSL routines: ssl3_get_client_hello:no shared cipher

    I ran another trace while connecting successfully to the broker using mosquitto_sub command on powershell and when looking at the trace I get a 'Server Hello' with Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) which isn't supported based on https://www.nordicsemi.com/Products/nRF9160/Download#infotabs

    I tried restarting the broker with a cipher that's available in both the mosquitto_sub and nrf modem cipher suite by adding 'ciphers ECDHE-ECDSA-AES128-SHA256' to the mosquitto.conf but then I got the no shared cipher message when using mosquitto_sub. I'm not really sure where to go from here. 

  • leo_nam said:
    I tried restarting the broker with a cipher that's available in both the mosquitto_sub and nrf modem cipher suite by adding 'ciphers ECDHE-ECDSA-AES128-SHA256' to the mosquitto.conf but then I got the no shared cipher message when using mosquitto_sub. I'm not really sure where to go from here

    Were you able to connect to the broker with the nRF9160 after changing the cipher suite of the broker?

  • I was unable to connect to the broker with the nRF9160. 

  • We are running modem firmware v1.3.1.  I suppose that means we have 15 different cipher suites to choose from.  Am I correct?

    If we change the cipher suite of our broker to match with one that is available with the nRF9160, what else do we need to do other than restart the broker?  Do we need to generate a new set of certificates, etc.?  

    If we set tls_cfg->cipher_count = 0 and tls_cfg->cipher_list = NULL, does it mean the modem will not use any of the 15 cipher suites?
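
Added example (not from this thread or from Nordic): a small Python check, using the cipher metadata the standard `ssl` module exposes, for the "no shared cipher" situation described above and for the question of whether the certificates must be regenerated. It infers the broker certificate's key type from the suite the working `mosquitto_sub` session negotiated (TLS_RSA_WITH_AES_256_GCM_SHA384 implies an RSA certificate) and then shows which suites of a candidate mosquitto `ciphers` line that certificate can actually serve. The cipher names and the assumption that the ECDHE-RSA suites are in the modem's supported list are constructed for the example; confirm them against Nordic's published table.

```python
import ssl

# Constructed inputs for this check (assumptions, not values from the thread's config).
# OpenSSL cipher names are used because that is what ssl.SSLContext understands:
# IANA TLS_RSA_WITH_AES_256_GCM_SHA384 (seen in the working Server Hello) is AES256-GCM-SHA384.
OBSERVED_SERVER_HELLO = "AES256-GCM-SHA384"
# The 'ciphers' line that was tried in mosquitto.conf.
TRIED_CIPHERS_LINE = "ECDHE-ECDSA-AES128-SHA256"
# A line built from ECDHE-RSA suites instead (assumed here to be in the modem's
# supported list; verify against Nordic's cipher-suite table before relying on it).
RSA_CIPHERS_LINE = "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def describe_suites(cipher_string):
    """Map each TLS 1.2-or-older suite in an OpenSSL cipher string to its
    (key exchange, authentication) pair, using OpenSSL's own metadata."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {
        c["name"]: (c["kea"], c["auth"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"  # TLS 1.3 suites are always listed and are cert-agnostic
    }


def cert_auth_from_suite(negotiated_suite):
    """Infer the key type of the broker's certificate from a suite that a working
    client negotiated: 'auth-rsa' means an RSA certificate, 'auth-ecdsa' an ECDSA one."""
    suites = describe_suites(negotiated_suite)
    return next(iter(suites.values()))[1]


def offerable_suites(cipher_string, cert_auth):
    """Suites from a mosquitto 'ciphers' line the broker can actually use with its
    certificate; the rest are dropped server-side, which surfaces as 'no shared cipher'."""
    return sorted(name for name, (_, auth) in describe_suites(cipher_string).items()
                  if auth == cert_auth)


if __name__ == "__main__":
    auth = cert_auth_from_suite(OBSERVED_SERVER_HELLO)
    print("broker certificate type inferred from Server Hello:", auth)
    for line in (TRIED_CIPHERS_LINE, RSA_CIPHERS_LINE):
        usable = offerable_suites(line, auth)
        print(f"ciphers {line!r}: usable with this certificate -> {usable or 'none'}")
```

The point it makes: an ECDHE-ECDSA-only `ciphers` line cannot be served by an RSA certificate, so no client connects, whereas an ECDHE-RSA line works with the existing certificate; ECDHE-ECDSA suites would require issuing an ECDSA server certificate.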
