MQTT with TLS on AWS EC2

We put more log messages in the code (mainly in mqtt.c and mqtt_transport_socket_tls.c) and found that there is an error when calling the zsock_connect funcation.  After that an error when calling the mqtt_transport_connect function.  And finally the mqtt_connect -95 error.

flau said:

Does Trace Collector v2 work on custom board, or nRF9160DK only? 

It should work for any boards that has a serial port.

flau said:

We put more log messages in the code (mainly in mqtt.c and mqtt_transport_socket_tls.c) and found that there is an error when calling the zsock_connect funcation.  After that an error when calling the mqtt_transport_connect function.  And finally the mqtt_connect -95 error.

Yes, that's where it comes from. But to know why, we need to inspect the traffic between the modem and the server.

Hello, I'm working with flau on this problem. 

nrf9160_error95_trace.pcapng This is the trace of the modem when it receives the 'mqtt_connect -95' error. 

And from the server side the broker outputs: 

OpenSSL Error: error:1408A0C1:SSL routines: ssl3_get_client_hello:no shared cipher

I ran another trace while connecting successfully to the broker using mosquitto_sub command on powershell and when looking at the trace I get a 'Server Hello' with Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) which isn't supported based on https://www.nordicsemi.com/Products/nRF9160/Download#infotabs. 

I tried restarting the broker with a cipher that's available in both the mosquitto_sub and nrf modem cipher suite by adding 'ciphers ECDHE-ECDSA-AES128-SHA256' to the mosquitto.conf but then i got the no shared cipher message when using mosquitto_sub. I'm not really sure where to go from here. 

leo_nam said:

I tried restarting the broker with a cipher that's available in both the mosquitto_sub and nrf modem cipher suite by adding 'ciphers ECDHE-ECDSA-AES128-SHA256' to the mosquitto.conf but then i got the no shared cipher message when using mosquitto_sub. I'm not really sure where to go from here

Were you able to connect to the broker with the nRF9160 after changing the cipher suite of the broker?

I was unable to connect to the broker with the nRF9160. 

We are running modem firmware v1.3.1.  I suppose that means we have 15 different cipher suites to choose from.  Am I correct?

If we change the cipher suite of our broker to match with one that is available with the nRF9160, what else do we need to do other than restart the broker?  Do we need to generate a new sets of certificates, etc.?  

If we set tls_cfg->cipher_count = 0 and tls_cfg->cipher_list = NULL, does it mean the modem will not use any of the 15 cipher suites?

We are running modem firmware v1.3.1.  I suppose that means we have 15 different cipher suites to choose from.  Am I correct?

If we change the cipher suite of our broker to match with one that is available with the nRF9160, what else do we need to do other than restart the broker?  Do we need to generate a new sets of certificates, etc.?  

If we set tls_cfg->cipher_count = 0 and tls_cfg->cipher_list = NULL, does it mean the modem will not use any of the 15 cipher suites?

Do you set the hostname in the tls_config struct?

Your server/AWS probably requires SNI support to route the packets correctly. You enable SNI by adding the hostname in the tls_config struct.

flau said:

If we set tls_cfg->cipher_count = 0 and tls_cfg->cipher_list = NULL, does it mean the modem will not use any of the 15 cipher suites?

If the cipher_count is 0, those fields are ignored, and the stack will use all supported cipher suites.