nRF9160, SLM Firmware behaves incorrectly after activating Native TLS (critical problems)

Hi, 
We managed to build and flash SLM (SDK 2.1.2) with Native TLS.
To be able to download about 5Kb of data at one time (from AWS broker).


But not everything works fine, we have several critical problems with this build:
1) First, We can't check certificates, the same we did it before.

Previously, I used commands like this (321, is our internal secure tag):
- AT%CMNG=1,321,0 (For check exists the CA certificate);
- AT%CMNG=1,321,1 (For check exists the Client certificate);
- AT%CMNG=1,321,2  (For check exists the Private Key);

But after moving to Native TLC, and generating the new certificates (via commands like the AT#XCMNG=0,321,0...), We see other certificates by AT%CMNG=1 command:
%CMNG: 3210,0,"AD6FB002E6B34C0559FA8F93A3794FF12C4E3F119BD77290C52525123FB9EA74"
%CMNG: 3211,0,"EA89F71E2A945D88A7A71C3C35D2F3BA5466B0ACEC750270134F511FB0CB4143"
%CMNG: 3212,0,"EB569D288E10B1D9D5B1BD45642AD4B8D063E0C48584A6C3A7A700987D671B68"

Can I use them to verify the CA, Client and private key?
- AT%CMNG=1,3210,0 (For CA);
- AT%CMNG=1,3211,0 (For Client);
- AT%CMNG=1,3212,0 (For check exist the Private Key).

2) Second: We lost access to nRF Cloud.

All commands for working with CMNG had to be changed (was AT%CMNG became AT#XCMNG), and it helped for access to AWS broker, but not to nRF Cloud.
Our previous certificates don't work more (with Native TLS).
I tried to reinstall them using the #XCMNG AT command, but that didn't work.
AT commands and answers look fine.
Maybe this is due to the generation and installation of a private key, we use:
AT%KEYGEN=16842753,2,0\r\n


But after using the
AT%KEYGEN=16842753,2,0\r\n, followed by saving the CA/Client certificates, we have the next results (every install certificate command returned OK):
[7/12 17:55:04:025] %CMNG: 16842753,2,"7494C435C484599577AB9B04E85DD594C5B5C9676750CA6DA17284E99A93B9C7"
[7/12 17:55:04:025] %CMNG: 168427530,0,"AD6FB002E6B34C0559FA8F93A3794FF12C4E3F119BD77290C52525123FB9EA74"
[7/12 17:55:04:025] %CMNG: 168427531,0,"D12494EF17B635B10A7511A513CB37B3101D58008ADE0D4BAA381D85A63DA675"

But if we tried to connect to nRF Cloud nothing happened.
We didn't have some ERROR or Event about the nRF Cloud connection.
We received the OK after about 900ms and CSCON: 0 after 6 seconds.
What are we doing wrong with nRF Cloud access now? Is it still because of the  AT%KEYGEN=16842753,2,0  AT command?

3) Third: Something happening with MQTT Disconnect:
After AT#XMQTTCON=0 we received a weird answer (\r\n) and nRF Reset.


AT#XMQTTCON=0
 Ready



Parents
  • Hello, 

    Sorry for the delayed answer here. I am looking into the issue on my side. Will get back to you within tomorrow. 

    Kind regards,
    Øyvind

  • Hello, I've had some issues with my application not allowing to connect to AWS. Trying to find the solution to this first. 

    1) First, We can't check certificates, the same we did it before.

    No, the XCMNG command does not support the list or read functionality. 

    2) Second: We lost access to nRF Cloud.

    What do you get when trying to connect to nRF Cloud? Make sure to disable CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID in prj.conf, i.e. setting 

    CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID=n. 
    3) Third: Something happening with MQTT Disconnect:
    You did not receive #XMQTTEVT: 1,0 ?
    Kind regards,
    Øyvind
  • Hi ,

    No, the XCMNG command does not support the list or read functionality. 

    But then why after generating new certificates (via commands like the AT#XCMNG=0,321,0...) I see new certificate entries with our security tag ?
    %CMNG: 3210,0,"AD6FB002E6B34C0559FA8F93A3794FF12C4E3F119BD77290C52525123FB9EA74"
    %CMNG: 3211,0,"EA89F71E2A945D88A7A71C3C35D2F3BA5466B0ACEC750270134F511FB0CB4143"
    %CMNG: 3212,0,"EB569D288E10B1D9D5B1BD45642AD4B8D063E0C48584A6C3A7A700987D671B68"

    What do you get when trying to connect to nRF Cloud? Make sure to disable CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID in prj.conf, i.e. setting 

    The CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID was activated (in prj.conf file).
    I will recheck without this definition.
    When we execute the command to connect to the nRF cloud, nothing happens, we do not receive anything via UART, and there is no ERROR message or notification of the connection status from the cloud.

    You did not receive #XMQTTEVT: 1,0 ?

    No, we don't get the notification like (#XMQTTEVT: 1,0) via UART, only characters (sometimes it looks like a few characters that don't make sense), and immediately comes "Ready".

  • Stas Jis said:
    But then why after generating new certificates (via commands like the AT#XCMNG=0,321,0...) I see new certificate entries with our security tag ?

    As you can see the security tag is not listed with correct type. The when you use the AT#XCMNG command, it will generate a sec_tag that is your sec_tag * 10 + type. In your case this is 3210, 3211 and 3212, which are all stored as type Root CA certificate. When reading a sec_tag in your native TLS enabled application, the application will handle the mapped sec_tag through the slm_native_tls.x/.h

    The ceritificates that are used by native TLS are not stored in sec_tag 321, but 3210, 3211 and 3212.

    Stas Jis said:
    When we execute the command to connect to the nRF cloud, nothing happens, we do not receive anything via UART, and there is no ERROR message or notification of the connection status from the cloud.

    What terminal are you using when trying this? Are you using LTE Link Monitor or e.g. PuTTy? Are you connected directly to the nRF9160 or using an external MCU?

    Stas Jis said:
    No, we don't get the notification like (#XMQTTEVT: 1,0) via UART, only characters (sometimes it looks like a few characters that don't make sense), and immediately comes "Ready".

    This sounds like an issue with the communication to the nRF9160 e.g. bad buadrate or similar. What do you receive in RTT? 

    -Øyvind

  • Stas Jis said:
    But then why after generating new certificates (via commands like the AT#XCMNG=0,321,0...) I see new certificate entries with our security tag ?

    Sorry my answer was unclear. To clarify, you can use %CMNG to read 3210, 3211 and 3212

     

    AT%CMNG=1,3210,0
    AT%CMNG=1,3211,0
    AT%CMNG=1,3212,0
     
     
  • ,
    Regarding:

    What terminal are you using when trying this? Are you using LTE Link Monitor or e.g. PuTTy? Are you connected directly to the nRF9160 or using an external MCU?

    We test everything with an external MCU (with our device).
    But we have possible to connect to UART directly via the Saleae logic analyzer. So we can see every byte that we transmit or receive.
    I can try to add the "Capture" from the logic analyzer, and you will see all AT command sequences and what is happening.
    But the "Capture" file usually is really large. I can send you it by email if you want.


    This sounds like an issue with the communication to the nRF9160 e.g. bad buadrate or similar. What do you receive in RTT? 

    This problem is repeated every time, for every connection to the AWS broker.
    And it looks really weird, because the connection to AWS broker and publish / download data works correctly, without some problems.

    RTT logs we can have only from the evaluation board.
    I will try to repeat this problem with the evaluation board and later I will give you information about it.



  • To clarify, you can use %CMNG to read 3210, 3211 and 3212

    Yes, that's exactly what I mean.
    Thank you .

Reply Children
No Data
Related