Enabling and testing TLS in mqtt_simple

RE: Enabling and testing TLS in mqtt_simple

paul_tanner — Wed, 25 Nov 2020 12:44:18 GMT

I have followed these instructions and got to the point where it says "At this point the sample should compile but won't use TLS". It does compile but does not make a connection. I am building for 9160-DK (ns) on the command line on MacOS. I suspect that the problem may be that I am trying to use the supplied iBasis SIM straight out of the box.

RE: Enabling and testing TLS in mqtt_simple

m9th — Wed, 18 Mar 2020 18:22:28 GMT

I added all of the code snippets above to the files indicated. I reloaded the project from the open nfrconnect sdk project. When I look in main.c all of the conditionals for CONFIG_MQTT_LIB_TLS remain grayed out. prj.conf has CONFIG_MQTT_LIB_TLS=y. What am I missing?

RE: Enabling and testing TLS in mqtt_simple

PeterC — Tue, 03 Mar 2020 23:41:51 GMT

Hi Daniel,

I have followed these instructions carefully but I am getting the build error:

'sec_tag_list' undeclared (first use in this function); did you mean 'sec_tag_t'?

from the changes to client_init (error line in bold below):

#if defined(CONFIG_MQTT_LIB_TLS)
struct mqtt_sec_config *tls_config = &client->transport.tls.config;

client->transport.type = MQTT_TRANSPORT_SECURE;

tls_config->peer_verify = CONFIG_PEER_VERIFY;
tls_config->cipher_count = 0;
tls_config->cipher_list = NULL;
tls_config->sec_tag_count = ARRAY_SIZE(sec_tag_list);
tls_config->sec_tag_list = sec_tag_list;
tls_config->hostname = CONFIG_MQTT_BROKER_HOSTNAME;
#else
/* MQTT transport configuration */
client->transport.type = MQTT_TRANSPORT_NON_SECURE;
#endif /* defined(CONFIG_MQTT_LIB_TLS) */

maybe I have been looking at this too long and its obvious but any help would be appreciated...

RE: Enabling and testing TLS in mqtt_simple

3Rsteven — Sat, 15 Feb 2020 08:47:06 GMT

hi nordic

it have some erro about cred.py, with NRFJPROG DLL: -3 INVALID_PARAMETER

"
C:\temp\ncs\nrf\samples\nrf9160\mqtt_simple\cred>python cred.py --CA_cert ../build/zephyr/CA.crt --client_cert ../build/zephyr/client.crt --client_private_key ../build/zephyr/client.key --sec_tag 51966 --program_app merged.hex
xxxxxxxxxxxxxxx
error: An error was reported by NRFJPROG DLL: -3 INVALID_PARAMETER.
C:\temp\ncs\nrf\samples\nrf9160\mqtt_simple\cred>nrfjprog.exe -v
nrfjprog version: 9.8.1
JLinkARM.dll version: 6.54c
"

RE: Enabling and testing TLS in mqtt_simple

jbrzozoski — Tue, 04 Feb 2020 14:27:42 GMT

Excellent article! I especially like the trick of the cred.py mini-application to read IMEI and write certificates and application images.

Heads-up to anyone depending on full TLS validation: it seems that hostname validation doesn't work properly as of right now. It's a subtle bug that doesn't complain or fail, but doesn't actually enable. (i.e. the hostname will never be checked against the cert name)

The PEER_VERIFY=2 does work on most servers, though, so you can still be sure that the server you're connecting to is using a cert from the designated CA, which mitigates most of the risk.