Error -22 in mqtt_connect() - nRF52840dk with Azure IoT Hub using OpenThread and TCP

I am attempting to connect a nRF52840dk to Azure IoT Hub using OpenThread and TCP. I combined the azure_iot_hub and azure_fota samples into one project, which ran successfully on an nRF9160dk using nRF Connect SDK v1.9.1. I have modified that project for a nRF52840dk, OpenThread, TCP, and nRF Connect SDK 2.0.0. I think that I am close, but I am getting error -22 (-EINVAL, "invalid argument") in azure_iot_hub.c's mqtt_connect().

Wireshark capture using nRF sniffer (screenshot not reproduced here):

Serial output (screenshot not reproduced here; I added the "Error in zsock_connect!" log in mqtt_transport_socket_tls.c):

I've repurposed CONFIG_AZURE_IOT_HUB_STATIC_IPV4 to hold an IPv6 address, as seen in my prj.conf further below. The getaddrinfo() DNS resolver is working, but I'd have to add a conversion from the returned IPv4 address to IPv6 (for NAT64, embedding it in the 64:ff9b::/96 prefix) and I'd prefer to bypass that for now unless this is causing the issue. In azure_iot_hub.c's broker_init(), I changed &broker to &broker4 to resolve an error and made some other updates to switch from IPv4 to IPv6. These are the only changes I made in azure_iot_hub.c. The IoT Hub setup is kicked off in main() via err = azure_iot_hub_connect();

#if defined(CONFIG_AZURE_IOT_HUB_STATIC_IPV4)
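/*
 * Fill the library's `broker` socket address from the statically configured
 * broker address.  In this project CONFIG_AZURE_IOT_HUB_STATIC_IPV4_ADDR holds
 * an IPv6 literal (a NAT64-prefixed hub address), so `broker` is viewed as a
 * sockaddr_in6 rather than the sockaddr_in the upstream code used.
 *
 * @param dps  Unused on the static-address path (kept for the caller's
 *             signature; the DNS path of the library consumes it).
 *
 * @return 0 on success, -EINVAL if the configured address string does not
 *         parse as an IPv6 address.
 */
static int broker_init(bool dps)
{
	struct sockaddr_in6 *broker6 = (struct sockaddr_in6 *)&broker;
	char addr_str[NET_IPV6_ADDR_LEN];
	int ret;

	(void)dps;

	/* Start from a clean address so no stale bytes (scope id, padding)
	 * from a previous connection attempt leak into connect().
	 */
	memset(broker6, 0, sizeof(*broker6));

	/* inet_pton() returns 1 on success, 0 when the string is not a valid
	 * address and -1 for an unsupported family.  The original code ignored
	 * this, so a typo in the Kconfig string silently produced an all-zero
	 * (or stale) address and a confusing connect() failure downstream.
	 */
	ret = inet_pton(AF_INET6, CONFIG_AZURE_IOT_HUB_STATIC_IPV4_ADDR,
			&broker6->sin6_addr);
	if (ret != 1) {
		LOG_ERR("Invalid static IPv6 broker address \"%s\" (inet_pton returned %d)",
			CONFIG_AZURE_IOT_HUB_STATIC_IPV4_ADDR, ret);
		return -EINVAL;
	}

	broker6->sin6_family = AF_INET6;
	broker6->sin6_port = htons(CONFIG_AZURE_IOT_HUB_PORT);

	/* Debug aid only: echo the parsed address back.  inet_ntop() returns
	 * NULL if the buffer is too small; skip the log rather than print junk.
	 */
	if (inet_ntop(AF_INET6, &broker6->sin6_addr, addr_str,
		      sizeof(addr_str)) != NULL) {
		LOG_DBG("IPv6 address set in broker_init to %s", log_strdup(addr_str));
	}

	return 0;
}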

prj.conf:

#
# Copyright (c) 2020 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
# General config
CONFIG_REBOOT=y
CONFIG_DEBUG=y

# Heap and stacks
CONFIG_HEAP_MEM_POOL_SIZE=6144
CONFIG_MAIN_STACK_SIZE=8192

# Log
CONFIG_LOG=y
CONFIG_PRINTK=y
CONFIG_SERIAL=y
CONFIG_CONSOLE=y
CONFIG_UART_CONSOLE=y
CONFIG_LOG_BACKEND_UART=y
CONFIG_LOG_PROCESS_THREAD=y
CONFIG_LOG_MODE_IMMEDIATE=y
CONFIG_LOG_STRDUP_MAX_STRING=128
CONFIG_LOG_STRDUP_BUF_COUNT=50
CONFIG_LOG_PROCESS_THREAD_STACK_SIZE=8096

##### booting and bootloader #####
CONFIG_BOOT_DELAY=1000
CONFIG_BOOT_BANNER=y
CONFIG_BOOTLOADER_MCUBOOT=y

##### DFU #####
CONFIG_DFU_TARGET=y
CONFIG_DFU_TARGET_MCUBOOT=y
CONFIG_IMG_MANAGER=y
CONFIG_MCUBOOT_IMG_MANAGER=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y

##### for external flash support ####
CONFIG_NORDIC_QSPI_NOR=y
CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16
CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y

##### FLASH #####
CONFIG_FLASH=y
CONFIG_FLASH_MAP=y
CONFIG_STREAM_FLASH=y
CONFIG_STREAM_FLASH_ERASE=y
CONFIG_FLASH_PAGE_LAYOUT=y

CONFIG_MPU_ALLOW_FLASH_WRITE=y

# LED control
CONFIG_DK_LIBRARY=y
#CONFIG_DK_LIBRARY_INVERT_LEDS=n #not available in v2.0.0

#Openthread
# NOTE: "J01NME" is the joiner PSKd used by the public OpenThread/Zephyr samples.
# It is fine for bring-up, but a fielded device needs a unique per-device PSKd;
# anyone who knows the sample value can commission a device with it.
CONFIG_OPENTHREAD_JOINER=y
CONFIG_NET_L2_OPENTHREAD=y
CONFIG_OPENTHREAD_SHELL=n
CONFIG_OPENTHREAD_CUSTOM_PARAMETERS="OPENTHREAD_CONFIG_JOINER_ENABLE=1"
CONFIG_OPENTHREAD_JOINER_AUTOSTART=y
CONFIG_OPENTHREAD_JOINER_PSKD="J01NME"
CONFIG_OPENTHREAD_THREAD_VERSION_1_2=y
#CONFIG_MBEDTLS_SHA1_C=n #TB commented
CONFIG_FPU=y

# TLS configuration #TB commented
#CONFIG_MBEDTLS_ENABLE_HEAP=y
#CONFIG_MBEDTLS_HEAP_SIZE=10240
#CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
#CONFIG_MBEDTLS=y
#CONFIG_MBEDTLS_BUILTIN=n
#CONFIG_MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED=y
#CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
#CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

##### OPENTHREAD #####
CONFIG_OPENTHREAD_NORDIC_LIBRARY_MASTER=y
CONFIG_OPENTHREAD_FTD=n
CONFIG_OPENTHREAD_MTD=y
CONFIG_OPENTHREAD_MTD_SED=n
CONFIG_OPENTHREAD_THREAD_STACK_SIZE=10240
CONFIG_OPENTHREAD_DEBUG=y
CONFIG_OPENTHREAD_L2_DEBUG=y
CONFIG_OPENTHREAD_MANUAL_START=y
# Enable Thread 1.2 features
CONFIG_OPENTHREAD_THREAD_VERSION_1_2=y
CONFIG_OPENTHREAD_DUA=y
CONFIG_OPENTHREAD_MLR=y
CONFIG_OPENTHREAD_BACKBONE_ROUTER=y
CONFIG_OPENTHREAD_LINK_METRICS_INITIATOR=y
CONFIG_OPENTHREAD_LINK_METRICS_SUBJECT=y
CONFIG_OPENTHREAD_CSL_RECEIVER=y


# Network
CONFIG_NETWORKING=y
CONFIG_NET_L2_OPENTHREAD=y
CONFIG_NET_IPV6_NBR_CACHE=n
CONFIG_NET_IPV6_MLD=n
# CONFIG_NET_RAW_MODE=n
CONFIG_NET_IPV6=y
CONFIG_NET_IPV4=n
CONFIG_NET_CONFIG_NEED_IPV4=n
CONFIG_NET_CONFIG_NEED_IPV6=y
# Network sockets
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_SOCKETS_POLL_MAX=4
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2
# Enable TCP support
CONFIG_NET_TCP=y # Required for SOCKET STREAM
#CONFIG_NET_UDP=y # Testing UDP connection #TB commented
CONFIG_OPENTHREAD_TCP_ENABLE=n
#^from https://github.com/openthread/openthread/discussions/7784

# disable external crystal
CONFIG_CLOCK_CONTROL_NRF_K32SRC_XTAL=n
# enable synth crystal for powered devices
CONFIG_CLOCK_CONTROL_NRF_K32SRC_SYNTH=y
# enable RC crystal for battery devices
# CONFIG_CLOCK_CONTROL_NRF_K32SRC_RC is not set
#^from https://github.com/openthread/openthread/discussions/7784

CONFIG_NET_PKT_RX_COUNT=8
CONFIG_NET_PKT_TX_COUNT=8
CONFIG_NET_BUF_RX_COUNT=32
CONFIG_NET_BUF_TX_COUNT=32
#^from https://github.com/openthread/openthread/discussions/7784

# Network buffers
#CONFIG_NET_PKT_RX_COUNT=10
#CONFIG_NET_PKT_TX_COUNT=16
#CONFIG_NET_BUF_RX_COUNT=16
#CONFIG_NET_BUF_TX_COUNT=16
#^old values

# Kernel options
CONFIG_INIT_STACKS=y

# Increase set for threads with meta-irq priority
CONFIG_NUM_METAIRQ_PRIORITIES=1

# Logging
CONFIG_NET_LOG=y   #POWERSAVING

# Disable certain parts of Zephyr IPv6 stack
CONFIG_NET_IPV6_NBR_CACHE=n
CONFIG_NET_IPV6_MLD=n

# Stack sizes configuration
CONFIG_NET_TX_STACK_SIZE=1200
CONFIG_NET_RX_STACK_SIZE=1500
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096

# L2 OpenThread enabling
CONFIG_OPENTHREAD_L2_LOG_LEVEL_INF=y

# Enable ping sender support
CONFIG_OPENTHREAD_PING_SENDER=y


# Configure dependencies
CONFIG_NRF_802154_ENCRYPTION=y
CONFIG_IEEE802154_2015=y
CONFIG_IEEE802154_CSL_ENDPOINT=y
CONFIG_NET_PKT_TXTIME=y
CONFIG_NET_PKT_TIMESTAMP=y
CONFIG_OPENTHREAD_MAC_SOFTWARE_TX_SECURITY_ENABLE=n

# CSL configuration
CONFIG_OPENTHREAD_CSL_RECEIVE_TIME_AHEAD=3000
CONFIG_OPENTHREAD_CSL_MIN_RECEIVE_ON=300


# Azure IoT Hub library
CONFIG_AZURE_IOT_HUB=y
CONFIG_AZURE_IOT_HUB_DEVICE_ID="mynrf52840dk"
# Host name must be configured if DPS is not used
CONFIG_AZURE_IOT_HUB_HOSTNAME="my-iot-hub.azure-devices.net"
# Change the security tag to the tag where relevant certificates are provisioned
CONFIG_AZURE_IOT_HUB_SEC_TAG=42
# Log level: the AZURE_IOT_HUB_LOG_LEVEL_* symbols are a Kconfig choice, so only one
# of them takes effect. With both DBG and WRN set to y the build picks one (usually
# with a warning); keep DBG while debugging and drop the WRN line.
CONFIG_AZURE_IOT_HUB_LOG_LEVEL_DBG=y
CONFIG_AZURE_IOT_HUB_LOG_LEVEL_WRN=y
#Use manual certificates
# NOTE: CONFIG_AZURE_IOT_HUB_PROVISION_CERTIFICATES=y compiles the CA certificate,
# the client certificate and the device private key into the application image,
# i.e. the key sits in plaintext in flash. Acceptable for bring-up on a dev kit;
# for a real device provision the key out of band instead of baking it into the firmware.
CONFIG_USE_MANUAL_IOTHUB_CERTS=y
CONFIG_AZURE_IOT_HUB_PROVISION_CERTIFICATES=y
CONFIG_AZURE_IOT_HUB_STATIC_IPV4=y
CONFIG_AZURE_IOT_HUB_STATIC_IPV4_ADDR="64:ff9b::myio:thub"
CONFIG_AZURE_IOT_HUB_NATIVE_TLS=n
#CONFIG_AZURE_IOT_HUB_CERTIFICATES_FILE keep = default

# Azure FOTA
# Download Client
CONFIG_DOWNLOAD_CLIENT=y
CONFIG_DOWNLOAD_CLIENT_HTTP_FRAG_SIZE_1024=y
CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096
CONFIG_DOWNLOAD_CLIENT_LOG_LEVEL_INF=y
CONFIG_DOWNLOAD_CLIENT_BUF_SIZE=2300
# DFU Target
CONFIG_DFU_TARGET=y
# Application update support
CONFIG_BOOTLOADER_MCUBOOT=y
# Image manager
CONFIG_IMG_MANAGER=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y
# FOTA Download
CONFIG_FOTA_DOWNLOAD=y
CONFIG_FOTA_DOWNLOAD_PROGRESS_EVT=y

# Azure FOTA
CONFIG_CJSON_LIB=y
#CONFIG_ZEPHYR_CJSON_MODULE=y
CONFIG_AZURE_FOTA=y
CONFIG_AZURE_FOTA_APP_VERSION_AUTO=y
CONFIG_AZURE_FOTA_TLS=y
CONFIG_FW_INFO=y
# Change the security tag to the tag where the certificates are provisioned
# for the server where the FOTA image is hosted
CONFIG_AZURE_FOTA_SEC_TAG=42
# Uncomment the below line to get more debug logging
# CONFIG_AZURE_FOTA_LOG_LEVEL_DBG=y

CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y
CONFIG_NEWLIB_LIBC=y
CONFIG_EXTERNAL_LIBC=n
CONFIG_CJSON_LIB=y

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_NRF_SECURITY=y 
CONFIG_MBEDTLS_BUILTIN=n

CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
CONFIG_NET_TCP_ISN_RFC6528=n

CONFIG_OPENTHREAD_MBEDTLS_CHOICE=n

# Select OpenThread nRF Security backends
CONFIG_OPENTHREAD_NRF_SECURITY_CHOICE=n

# Generic networking options
CONFIG_NET_CONNECTION_MANAGER=n

CONFIG_NET_TCP_LOG_LEVEL_DBG=y
CONFIG_LOG_STRDUP_BUF_COUNT=20

# DNS Settings
CONFIG_DNS_RESOLVER=y
CONFIG_DNS_SERVER_IP_ADDRESSES=y
CONFIG_DNS_SERVER1="64:ff9b::0808:0808"
#CONFIG_OPENTHREAD_DNS_CLIENT=y

CONFIG_MBEDTLS_CIPHER_MODE_CBC=y

Certificate format (note: if the "CA CERTIFICATE" / "CLIENT CERTIFICATE" labels below are literal rather than placeholders, mbedTLS's PEM parser will not accept them — mbedtls_x509_crt_parse() looks for the standard "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" boundary lines for both the CA and the client certificate, and falls back to treating the buffer as DER otherwise. "-----BEGIN PRIVATE KEY-----" is a standard label and is fine):

"-----BEGIN CA CERTIFICATE-----\n"
"abcd+efgh\n"
"ijkl/mnop\n"
"-----END CA CERTIFICATE-----\n"

"-----BEGIN CLIENT CERTIFICATE-----\n"
"abcd+efgh\n"
"ijkl/mnop\n"
"-----END CLIENT CERTIFICATE-----\n"

"-----BEGIN PRIVATE KEY-----\n"
"abcd+efgh\n"
"ijkl/mnop\n"
"-----END PRIVATE KEY-----\n"

Per this DevZone ticket and this Microsoft documentation, maybe I am missing something with the CBC ciphers and MBedTLS? TCP messages appear to be going back and forth between the IoT Hub MQTT and my OpenThread end device in the Wireshark sniffer trace, so hopefully I am close to the finish line. Thank you in advance for the assistance.

  • Yesterday, I switched my focus from the echo client/server sample back to my Azure IoT Hub project. I also switched from v2.0.2 to v1.9.1 of the nRF Connect SDK. After this change, my Thread node (nRF52840dk board) is now initiating the TLS handshake with a "Client Hello" message. I receive a -113 mqtt_connect error (likely EHOSTUNREACH on Zephyr) and a -7280 TLS handshake error (if this is mbedTLS's -0x7280, that is MBEDTLS_ERR_SSL_CONN_EOF: the peer closed the connection mid-handshake, which would be consistent with the server rejecting the ClientHello), but this is more progress than I had seen with v2.0.2 of the SDK. I thought I'd share in case this helps with the troubleshooting.

  • Hi,

    Sigurd is out of office for two weeks, so I will handle your ticket in the meantime.

    The developers were able to force TLS handshake to happen with the usage of the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite. They also adapted the certificates to ECDSA certificates since the echo samples came with RSA only certificates: https://github.com/zephyrproject-rtos/zephyr/compare/main...edmont:zephyr:dev/thread-with-tls

    Please let me know if this is enough reference for you.

    The developers also noted that it is worth taking a look at this sample: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/crypto/psa_tls/README.html

    Best regards,

    Marte

  • Thank you for looking into the echo client/server example - I am glad to hear that it is working with that cipher suite. I will take a look at the documentation you provided.

    Next, could you and the developers please help me resolve the errors that I am experiencing with Azure IoT Hub using OpenThread v1.2 and TLSv1.2? (This was the original error that I hoped to resolve in this DevZone case)

    As you can see in my previous post (on 9/1/22), the TLSv1.2 handshake begins with the "Client hello" but the server immediately closes the connection in response. I suspect that it might be another cipher suite issue, but I am not certain of this. Thanks!

  • Hi  

    After looking at my cipher suites in more detail, I think that they are indeed causing my handshake error. My Azure IoT Hub is not configured for TLS 1.2 enforcement, so the list of allowable cipher suites is below:

    ^ from Azure IoT Hub TLS support | Microsoft Docs

    The client's allowable cipher suites in the "Client hello" message and my relevant prj.conf settings are below:

    #MBEDTLS and security configuration 
    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_CFG_FILE="nrf-config-user-empty.h"
    #^ MBEDTLS settings added to support getting UTC time
    # NOTE: CONFIG_NET_TCP_ISN_RFC6528=n (next line) turns off RFC 6528 hashed initial
    # sequence numbers, which makes TCP sequence prediction / off-path injection easier.
    # It is presumably disabled here because the option pulls in mbedTLS hashing;
    # re-enable it once the mbedTLS configuration is settled.
    CONFIG_NET_TCP_ISN_RFC6528=n
    
    #MBEDTLS Configuration cont'd
    CONFIG_OPENTHREAD_MBEDTLS_CHOICE=n
    #^ y allows use of MBEDTLS_BUILTIN
    #^ n does not allow MBEDTLS_BUILTIN and uses NRF_SECURITY
    CONFIG_MBEDTLS_TLS_VERSION_1_2=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_MODE_CBC_ENABLED=y
    #^from https://devzone.nordicsemi.com/f/nordic-q-a/86632/openthread-and-mqtt-over-tls-is-single-program
    
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=n
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=n
    CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
    
    #Following needed to set CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_DHM_C=y
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    
    # TLS configuration
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=n
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=60000
    # certificate must fit into one message, fragmenting is not supported
    CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
    #CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
    CONFIG_MBEDTLS_PK_WRITE_C=y
    CONFIG_MBEDTLS_CTR_DRBG_C=y
    CONFIG_MBEDTLS_ECDSA_C=y
    CONFIG_MBEDTLS_SHA256_C=y
    #CONFIG_MBEDTLS_RSA_C=y #defined above already
    CONFIG_MBEDTLS_AES_C=y
    CONFIG_MBEDTLS_PKCS1_V21=y
    #Credentials
    CONFIG_TLS_CREDENTIALS=y
    CONFIG_TLS_MAX_CREDENTIALS_NUMBER=4
    #^from https://devzone.nordicsemi.com/f/nordic-q-a/86933/azure-iot-hub-library-with-openthread/377915

    How can I enable the ciphers required by Azure IoT Hub? As you can see, I made some attempts in my prj.conf but they were unsuccessful.

  • Hi  

    After looking at my cipher suites in more detail, I think that they are indeed causing my handshake error. My Azure IoT Hub is not configured for TLS 1.2 enforcement, so the list of allowable cipher suites is below:

    ^ from Azure IoT Hub TLS support | Microsoft Docs

    The client's allowable cipher suites in the "Client hello" message and my relevant prj.conf settings are below:

    #MBEDTLS and security configuration 
    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_CFG_FILE="nrf-config-user-empty.h"
    #^ MBEDTLS settings added to support getting UTC time
    # NOTE: CONFIG_NET_TCP_ISN_RFC6528=n (next line) turns off RFC 6528 hashed initial
    # sequence numbers, which makes TCP sequence prediction / off-path injection easier.
    # It is presumably disabled here because the option pulls in mbedTLS hashing;
    # re-enable it once the mbedTLS configuration is settled.
    CONFIG_NET_TCP_ISN_RFC6528=n
    
    #MBEDTLS Configuration cont'd
    CONFIG_OPENTHREAD_MBEDTLS_CHOICE=n
    #^ y allows use of MBEDTLS_BUILTIN
    #^ n does not allow MBEDTLS_BUILTIN and uses NRF_SECURITY
    CONFIG_MBEDTLS_TLS_VERSION_1_2=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_MODE_CBC_ENABLED=y
    #^from https://devzone.nordicsemi.com/f/nordic-q-a/86632/openthread-and-mqtt-over-tls-is-single-program
    
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=n
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=n
    CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
    
    #Following needed to set CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_DHM_C=y
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    
    # TLS configuration
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=n
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=60000
    # certificate must fit into one message, fragmenting is not supported
    CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
    #CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
    CONFIG_MBEDTLS_PK_WRITE_C=y
    CONFIG_MBEDTLS_CTR_DRBG_C=y
    CONFIG_MBEDTLS_ECDSA_C=y
    CONFIG_MBEDTLS_SHA256_C=y
    #CONFIG_MBEDTLS_RSA_C=y #defined above already
    CONFIG_MBEDTLS_AES_C=y
    CONFIG_MBEDTLS_PKCS1_V21=y
    #Credentials
    CONFIG_TLS_CREDENTIALS=y
    CONFIG_TLS_MAX_CREDENTIALS_NUMBER=4
    #^from https://devzone.nordicsemi.com/f/nordic-q-a/86933/azure-iot-hub-library-with-openthread/377915

    How can I enable the ciphers required by Azure IoT Hub? As you can see, I made some attempts in my prj.conf but they were unsuccessful.

  • Hi,

    Do you see still see the same errors if you use the configurations I linked to in my previous reply (https://github.com/zephyrproject-rtos/zephyr/compare/main...edmont:zephyr:dev/thread-with-tls)? What you are asking about is exactly what the developers did there.

    Best regards,

    Marte

  • I have matched the configuration settings in that branch as closely as possible (see my prj.conf file's contents below). Using this configuration, I am still receiving a -22 connection failed error.

    When I use the slightly different configuration in my comment above, the TLS handshake at least begins with "Client hello." I was able to edit that configuration to use the proper cipher suites, but now the server will not send the "Server hello" reply.

    ### Match prj.conf from echo client ################################
    
    CONFIG_NETWORKING=y
    CONFIG_NET_UDP=y
    CONFIG_NET_TCP=y
    CONFIG_NET_IPV6=y
    CONFIG_NET_IPV4=y
    CONFIG_NET_SOCKETS=y
    CONFIG_NET_SOCKETS_POSIX_NAMES=y
    CONFIG_NET_SOCKETS_POLL_MAX=4
    CONFIG_NET_CONNECTION_MANAGER=y
    
    # Kernel options
    # NOTE: CONFIG_TEST_RANDOM_GENERATOR (copied from the echo sample) selects a
    # non-cryptographic pseudo-random generator meant for testing. With it, the
    # TLS client random and ephemeral keys are derived from predictable state.
    # Keep CONFIG_ENTROPY_GENERATOR and use the nRF hardware RNG entropy driver
    # instead for anything beyond bring-up.
    CONFIG_ENTROPY_GENERATOR=y
    CONFIG_TEST_RANDOM_GENERATOR=y
    CONFIG_INIT_STACKS=y
    
    # Logging
    CONFIG_NET_LOG=y
    CONFIG_LOG=y
    CONFIG_NET_STATISTICS=y
    CONFIG_PRINTK=y
    
    # Network buffers
    CONFIG_NET_PKT_RX_COUNT=16
    CONFIG_NET_PKT_TX_COUNT=16
    CONFIG_NET_BUF_RX_COUNT=80
    CONFIG_NET_BUF_TX_COUNT=80
    CONFIG_NET_CONTEXT_NET_PKT_POOL=y
    
    # IP address options
    CONFIG_NET_IF_UNICAST_IPV6_ADDR_COUNT=3
    CONFIG_NET_IF_MCAST_IPV6_ADDR_COUNT=4
    CONFIG_NET_MAX_CONTEXTS=10
    
    # Network shell
    CONFIG_NET_SHELL=y
    
    # (Comment carried over from the echo sample's qemu setup; the static IPv4
    # addresses it refers to are not used in this OpenThread/IPv6 build.)
    CONFIG_NET_CONFIG_SETTINGS=y
    CONFIG_NET_CONFIG_NEED_IPV6=y
    
    
    ### Match overlay-ot.conf from echo client's thread-with-tls branch ###########################
    
    CONFIG_NEWLIB_LIBC=y
    CONFIG_CJSON_LIB=y #added because Azure IoT Hub requires #include <cjson.h>
    
    CONFIG_NET_IPV6_NBR_CACHE=n
    CONFIG_NET_IPV6_MLD=n
    CONFIG_NET_IPV6=y
    CONFIG_NET_IPV4=n
    CONFIG_NET_CONFIG_NEED_IPV4=n
    CONFIG_NET_CONFIG_MY_IPV4_ADDR=""
    CONFIG_NET_CONFIG_PEER_IPV4_ADDR=""
    
    # Network sockets
    CONFIG_NET_SOCKETS=y
    CONFIG_NET_SOCKETS_POSIX_NAMES=y
    CONFIG_NET_SOCKETS_POLL_MAX=4
    # Enable TCP support
    CONFIG_NET_TCP=y 
    CONFIG_NET_UDP=n 
    
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
    
    
    CONFIG_NET_L2_OPENTHREAD=y
    CONFIG_OPENTHREAD_THREAD_VERSION_1_2=y 
    #^need to use up-to-date version of OpenThread. Still receive same error
    #if this line is commented, though
    CONFIG_OPENTHREAD_NORDIC_LIBRARY_MTD=y
    #^used instead of "CONFIG_OPENTHREAD_MTD=y" otherwise
    #no TCP messages are sent at all
    
    CONFIG_OPENTHREAD_DEBUG=y
    CONFIG_OPENTHREAD_L2_DEBUG=y
    CONFIG_OPENTHREAD_L2_LOG_LEVEL_INF=y
    
    #set up openthread joiner
    # NOTE: "J01NME" is the sample/default joiner PSKd from the public examples;
    # use a unique per-device PSKd for a real deployment.
    CONFIG_OPENTHREAD_JOINER=y
    CONFIG_OPENTHREAD_CUSTOM_PARAMETERS="OPENTHREAD_CONFIG_JOINER_ENABLE=1"
    CONFIG_OPENTHREAD_JOINER_AUTOSTART=y
    CONFIG_OPENTHREAD_JOINER_PSKD="J01NME"
    CONFIG_OPENTHREAD_MANUAL_START=y
    
    CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
    
    ### Match overlay-tls.conf from echo client's thread-with-tls branch ##################
    
    CONFIG_NET_BUF_RX_COUNT=100
    CONFIG_NET_BUF_TX_COUNT=100
    
    CONFIG_MAIN_STACK_SIZE=4096
    
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=10
    #^get error if set to 4 instead of 10
    CONFIG_NET_SOCKETS_ENABLE_DTLS=y
    CONFIG_POSIX_MAX_FDS=8
    
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=y
    CONFIG_CUSTOM_OPENTHREAD_SECURITY=y
    CONFIG_MBEDTLS_TLS_VERSION_1_2=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=64000
    CONFIG_MBEDTLS_ENTROPY_ENABLED=y
    
    # Ciphersuite configuration
    ##
    # Supported key exchange modes
    #
    #CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
    # CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
    # CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=y
    # CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y
    # CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED=y
    # CONFIG_MBEDTLS_PSK_MAX_LEN=32
    # CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
    # CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    # CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
    # CONFIG_MBEDTLS_ECDSA_DETERMINISTIC is not set
    # CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=y#
    # Elliptic curve libraries
    #
    CONFIG_MBEDTLS_ECDH_C=y
    CONFIG_MBEDTLS_ECDSA_C=y
    #CONFIG_MBEDTLS_ECJPAKE_C=y
    #CONFIG_MBEDTLS_ECP_C=y#
    # Supported elliptic curves
    #
    #CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=y
    CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED=y
    #CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED=y
    #CONFIG_MBEDTLS_ECP_NIST_OPTIM=y#
    # Supported hash
    #
    # Removed supported hash lines because they caused build errors 
    #
    # Supported cipher modes
    #
    #CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
    CONFIG_MBEDTLS_AES_ROM_TABLES=y
    # CONFIG_MBEDTLS_CIPHER_CAMELLIA_ENABLED=y
    # CONFIG_MBEDTLS_CIPHER_DES_ENABLED=y
    # CONFIG_MBEDTLS_CIPHER_ARC4_ENABLED=y
    #CONFIG_MBEDTLS_CIPHER_CHACHA20_ENABLED=n
    # CONFIG_MBEDTLS_CIPHER_BLOWFISH_ENABLED=y
    # CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
    # CONFIG_MBEDTLS_CIPHER_MODE_XTS_ENABLED=y
    # CONFIG_MBEDTLS_CIPHER_MODE_CBC_ENABLED=y
    # CONFIG_MBEDTLS_CIPHER_MODE_CTR_ENABLED=y
    #CONFIG_MBEDTLS_CHACHAPOLY_AEAD_ENABLED=y#
    # Supported message authentication methods
    #
    # CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
    # CONFIG_MBEDTLS_MAC_MD4_ENABLED=y
    # CONFIG_MBEDTLS_MAC_MD5_ENABLED=y
    # CONFIG_MBEDTLS_MAC_SHA1_ENABLED=y
    # CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
    # CONFIG_MBEDTLS_SHA256_SMALLER=y
    # CONFIG_MBEDTLS_MAC_SHA384_ENABLED=y
    # CONFIG_MBEDTLS_MAC_SHA512_ENABLED=y
    # CONFIG_MBEDTLS_MAC_POLY1305_ENABLED=y
    CONFIG_MBEDTLS_MAC_CMAC_ENABLED=y
    # end of Ciphersuite configuration#
    
    
    ### Additional configurations specific to my project ###################
    
    # Log
    CONFIG_SERIAL=y
    CONFIG_CONSOLE=y
    CONFIG_UART_CONSOLE=y
    CONFIG_LOG_BACKEND_UART=y
    CONFIG_LOG_PROCESS_THREAD=y
    
    CONFIG_LOG_STRDUP_MAX_STRING=128
    CONFIG_LOG_STRDUP_BUF_COUNT=50
    CONFIG_LOG_PROCESS_THREAD_STACK_SIZE=8096
    
    CONFIG_BOOTLOADER_MCUBOOT=y
    
    # Azure IoT Hub library
    CONFIG_AZURE_IOT_HUB=y
    CONFIG_AZURE_IOT_HUB_DEVICE_ID="my_device_id"
    CONFIG_AZURE_IOT_HUB_HOSTNAME="my_iothub.azure-devices.net"
    CONFIG_AZURE_IOT_HUB_SEC_TAG=42
    CONFIG_AZURE_IOT_HUB_LOG_LEVEL_DBG=y
    CONFIG_AZURE_IOT_HUB_LOG_LEVEL_WRN=y
    CONFIG_AZURE_IOT_HUB_PROVISION_CERTIFICATES=y
    CONFIG_AZURE_IOT_HUB_STATIC_IPV4=y
    CONFIG_AZURE_IOT_HUB_STATIC_IPV4_ADDR="64:ff9b::myio:thub"
    CONFIG_AZURE_IOT_HUB_CERTIFICATES_FILE="certificates_tlstest.h"
    
    CONFIG_OPENTHREAD_MBEDTLS_CHOICE=y
    #^receive "'mbedtls_pk_write_key_der' was not declared in this scope" and
    #"'mbedtls_ecdsa_sign_det_ext' was not declared in this scope" build errors 
    #if this line is commented out
    
    #Enable config of IoT Hub credentials
    CONFIG_TLS_CREDENTIALS=y
    CONFIG_TLS_MAX_CREDENTIALS_NUMBER=4
    
    CONFIG_NET_TCP_LOG_LEVEL_DBG=y
    CONFIG_LOG_STRDUP_BUF_COUNT=20
    
    #Enable MQTT library for communication with IoT Hub
    CONFIG_MQTT_LIB=y
    CONFIG_MQTT_LIB_TLS=y
    
    #Set MQTT keep alive with IoT Hub
    CONFIG_MQTT_KEEPALIVE=250 
    
    

  • I made some further configuration changes and it is working now! I am even sending dummy temperature values to IoT Hub in JSON format, which are then forwarded to blob storage.

    To summarize, I needed to select the right combination of OpenThread, security, MBEDTLS, cipher, and key configurations in my prj.conf file. I have copied the relevant sections of my prj.conf file below. Pretty much everything that is commented out is something that I tried without success. I'm certain that there are some unnecessary configurations in there, but I have not yet attempted to whittle those down to the essentials. Interestingly, it was not necessary for me to set the MBEDTLS platform time to get this to work. 

    Thank you for the help!

    #Openthread
    # Select OpenThread nRF Security backends
    CONFIG_CUSTOM_OPENTHREAD_SECURITY=y
    #CONFIG_OPENTHREAD_NRF_SECURITY_CHOICE=n
    #CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
    
    ##### OPENTHREAD #####
    CONFIG_OPENTHREAD_NORDIC_LIBRARY_FTD=y
    #CONFIG_OPENTHREAD_FTD=n
    #CONFIG_OPENTHREAD_MTD=y
    #CONFIG_OPENTHREAD_MTD_SED=n
    CONFIG_OPENTHREAD_THREAD_STACK_SIZE=10240
    CONFIG_OPENTHREAD_DEBUG=y
    CONFIG_OPENTHREAD_L2_DEBUG=y
    CONFIG_OPENTHREAD_MANUAL_START=y
    
    # Enable Thread 1.2 features
    CONFIG_OPENTHREAD_DUA=y
    CONFIG_OPENTHREAD_MLR=y
    #CONFIG_OPENTHREAD_BACKBONE_ROUTER=y
    CONFIG_OPENTHREAD_LINK_METRICS_INITIATOR=y
    CONFIG_OPENTHREAD_LINK_METRICS_SUBJECT=y
    CONFIG_OPENTHREAD_CSL_RECEIVER=y
    
    # Network
    CONFIG_NETWORKING=y
    CONFIG_NET_L2_OPENTHREAD=y
    CONFIG_NET_IPV6_NBR_CACHE=n
    CONFIG_NET_IPV6_MLD=n
    CONFIG_NET_IPV6=y
    CONFIG_NET_IPV4=n
    CONFIG_NET_CONFIG_SETTINGS=y
    CONFIG_NET_CONFIG_NEED_IPV4=n
    CONFIG_NET_CONFIG_NEED_IPV6=y
    # Network sockets
    CONFIG_NET_SOCKETS=y
    CONFIG_NET_SOCKETS_POSIX_NAMES=y
    CONFIG_NET_SOCKETS_POLL_MAX=4
    # Enable TCP support
    CONFIG_NET_TCP=y # Required for SOCKET STREAM
    CONFIG_NET_UDP=y # Required for getting UTC time 
    CONFIG_OPENTHREAD_TCP_ENABLE=n
    #^from https://github.com/openthread/openthread/discussions/7784
    
    CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=10
    #^from https://devzone.nordicsemi.com/f/nordic-q-a/86632/openthread-and-mqtt-over-tls-is-single-program
    
    #Socket settings
    CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
    CONFIG_NET_SOCKETS_ENABLE_DTLS=n
    CONFIG_POSIX_MAX_FDS=8
    
    #MBEDTLS and security configuration 
    # NOTE: CONFIG_NET_TCP_ISN_RFC6528=n below disables RFC 6528 hashed initial
    # sequence numbers, which makes TCP sequence prediction / off-path injection
    # easier. It was presumably turned off while fighting the mbedTLS build;
    # re-enable it now that the TLS configuration works.
    #CONFIG_NORDIC_SECURITY_BACKEND=y
    #CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
    CONFIG_NET_TCP_ISN_RFC6528=n
    
    # Enable all crypto (bring-up only)
    # NOTE: the *_ALL_ENABLED options also compile in and advertise legacy
    # algorithms (the DES/ARC4/MD4/MD5/SHA-1 entries listed under these headings
    # in the earlier config), and CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED below
    # adds static-RSA suites with no forward secrecy. Once the handshake works,
    # trim this to the suites the hub actually negotiates (ECDHE with AES-GCM
    # and SHA-256) to shrink the image and the attack surface.
    #CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
    CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
    CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
    CONFIG_MBEDTLS_GENPRIME_ENABLED=y
    CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y
    
    #MBEDTLS Configuration cont'd
    CONFIG_OPENTHREAD_MBEDTLS_CHOICE=y
    #^ y allows use of MBEDTLS_BUILTIN
    #^ n does not allow MBEDTLS_BUILTIN and uses NRF_SECURITY
    CONFIG_MBEDTLS_TLS_VERSION_1_2=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=y
    #CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_MODE_CBC_ENABLED=y
    #^from https://devzone.nordicsemi.com/f/nordic-q-a/86632/openthread-and-mqtt-over-tls-is-single-program
    
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=n
    CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
    CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
    CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
    CONFIG_MBEDTLS_GCM_C=y
    
    #Following needed to set CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
    CONFIG_MBEDTLS_DHM_C=y
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    
    #CONFIG_MBEDTLS_BIGNUM_C=y
    #CONFIG_MBEDTLS_OID_C=y
    #CONFIG_MBEDTLS_ASN1_PARSE_C=y
    #CONFIG_MBEDTLS_PK_PARSE_C=y
    #CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_SHA1_C=y
    CONFIG_MBEDTLS_SHA256_C=y
    CONFIG_MBEDTLS_SHA512_C=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y
    
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_MBEDTLS_X509_USE_C=y
    
    # TLS configuration
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_BUILTIN=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=64000
    # certificate must fit into one message, fragmenting is not supported
    CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
    #CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
    CONFIG_MBEDTLS_PK_WRITE_C=y
    CONFIG_MBEDTLS_CTR_DRBG_C=y
    CONFIG_MBEDTLS_ECDSA_C=y
    CONFIG_MBEDTLS_SHA256_C=y
    #CONFIG_MBEDTLS_RSA_C=y #defined above already
    CONFIG_MBEDTLS_AES_C=y
    CONFIG_MBEDTLS_PKCS1_V21=y
    #Credentials
    CONFIG_TLS_CREDENTIALS=y
    CONFIG_TLS_MAX_CREDENTIALS_NUMBER=4

  • Hi   

    thanks for sharing your pref.conf. Are you able to share your project? I am also trying to run OpenThread + Azure IoT Hub on NRF52840DK but I am stuck in the CONF hell.........

    Just copying your confs did not the job and I am currently commenting out and in different confs without success
