MQTT with TLS on AWS EC2

Hi,

We have our own MQTT broker setup with TLS running on an AWS EC2 cloud service.  I am building my code based on the MQTT_SIMPLE example.  I have only a CA certificate in the certificates.h file.  There is no client private key and no client public certificate.  SEC_TAG is set to 2840.  Port is set to 8883.  Below is the terminal output.  IP address was resolved correctly.  Unfortunately, I wasn't able to connect to our MQTT broker.  I kept getting error code 95.

[00:00:00.266,235] <inf> MQTT_SIMPLE: MQTT started
[00:00:00.271,270] <inf> MQTT_SIMPLE: Provisioning certificates
[00:00:00.428,375] <inf> MQTT_SIMPLE: Disabling PSM and eDRX
[00:00:00.439,147] <inf> MQTT_SIMPLE: LTE Link Connecting
[00:00:15.602,569] <inf> MQTT_SIMPLE: LTE Link Connected
[00:00:17.040,008] <inf> MQTT_SIMPLE: IPv4 Address found xxx.xxx.215.238
[00:00:17.047,363] <inf> MQTT_SIMPLE: TLS enabled
[00:00:17.707,611] <err> MQTT_SIMPLE: mqtt_connect -95
[00:00:17.713,256] <inf> MQTT_SIMPLE: Reconnecting in 30 seconds
[00:00:48.585,479] <err> MQTT_SIMPLE: mqtt_connect -95
[00:00:48.591,125] <inf> MQTT_SIMPLE: Reconnecting in 30 seconds
[00:01:19.484,619] <err> MQTT_SIMPLE: mqtt_connect -95
[00:01:19.490,264] <inf> MQTT_SIMPLE: Reconnecting in 30 seconds

The same code was able to connect with test.mosquitto.org with its mosquitto.org.crt (PEM format) and port 8883.  Am I missing anything?  What have I done wrong?

By the way, I am using SDK 1.8.0.

  • Here is the tls_cfg in the main.c.

    #if defined(CONFIG_MQTT_LIB_TLS)
        /* TLS configuration for the MQTT transport */
        struct mqtt_sec_config *tls_cfg = &(client->transport).tls.config;
        /* Security tag holding the provisioned CA certificate (CONFIG_MQTT_TLS_SEC_TAG, 2840 here) */
        static sec_tag_t sec_tag_list[] = { CONFIG_MQTT_TLS_SEC_TAG };

        client->transport.type = MQTT_TRANSPORT_SECURE;

        /* Peer verification: 0 = none, 1 = optional, 2 = required */
        tls_cfg->peer_verify = CONFIG_MQTT_TLS_PEER_VERIFY;
        /* No explicit cipher list: the modem offers its default set */
        tls_cfg->cipher_count = 0;
        tls_cfg->cipher_list = NULL;
        tls_cfg->sec_tag_count = ARRAY_SIZE(sec_tag_list);
        tls_cfg->sec_tag_list = sec_tag_list;
        /* Host name checked against the broker certificate and sent as SNI */
        tls_cfg->hostname = CONFIG_MQTT_BROKER_HOSTNAME;

    #if defined(CONFIG_NRF_MODEM_LIB)
        tls_cfg->session_cache = IS_ENABLED(CONFIG_MQTT_TLS_SESSION_CACHING) ?
                                 TLS_SESSION_CACHE_ENABLED :
                                 TLS_SESSION_CACHE_DISABLED;
    #else
        /* TLS session caching is not supported by the Zephyr network stack */
        tls_cfg->session_cache = TLS_SESSION_CACHE_DISABLED;
    #endif

    #else
        client->transport.type = MQTT_TRANSPORT_NON_SECURE;
    #endif

    And in prj.conf, I have

    CONFIG_MQTT_BROKER_HOSTNAME="ec2-xxx-xxx-xxx-xxx.ca-central-1.compute.amazonaws.com"
    CONFIG_MQTT_BROKER_PORT=8883

    Regards,

    Floyd

  • That should be enough to enable SNI, though I can't see that it is enabled in the .pcap you shared.

    Could you share the full URL of your server (either here or in a private message), so I can see what TLS features the server requires/supports?
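
A way to check the SNI point yourself, as an added example that is not part of this thread, of the MQTT_SIMPLE sample or of Nordic's code: the script below parses one raw TLS ClientHello record (for instance copied out of Wireshark with "Copy as Hex Stream" on the ClientHello record from the .pcap) and reports whether the server_name extension is present and which cipher suites were offered. The ClientHello it builds for itself, the host name broker.example.com and the short cipher-name table are constructed for the example; the builder exists only so the parser can run without a capture.

```python
"""Parse a TLS 1.2 ClientHello and report SNI and offered cipher suites (added example)."""
import struct
import sys

# IANA cipher suite values for the handful of suites relevant here.
# Anything not listed is reported as a hex code.
CIPHER_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

SNI_EXTENSION = 0x0000


def parse_client_hello(record: bytes) -> dict:
    """Walk one TLS record carrying a ClientHello; return version, SNI and suites."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # client_version, then 32 bytes of random
    pos += 1 + hello[pos]              # session_id<0..32>
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # compression_methods<1..255>

    sni = None
    extensions = []
    if pos + 2 <= len(hello):          # the extensions block is optional in TLS 1.2
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            extensions.append(ext_type)
            if ext_type == SNI_EXTENSION:
                # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {"version": version, "sni": sni, "cipher_suites": suites, "extensions": extensions}


def suite_names(suites):
    return [CIPHER_NAMES.get(s, f"0x{s:04X}") for s in suites]


def build_client_hello(hostname: str, suites, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello so the parser can run without a capture."""
    random = bytes(32)                 # constructed: a real client sends 32 random bytes
    cs = b"".join(struct.pack("!H", s) for s in suites)
    ext = b""
    if with_sni:
        name = hostname.encode("ascii")
        server_name = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(server_name)) + server_name
        ext += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    hello = (struct.pack("!H", 0x0303) + random + b"\x00"             # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00"                                            # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    if len(sys.argv) > 1:
        record = bytes.fromhex(sys.argv[1])       # hex stream copied from Wireshark
    else:
        record = build_client_hello("broker.example.com", [0xC02B, 0xC02F, 0x00FF])
    info = parse_client_hello(record)
    print("version : 0x%04x" % info["version"])
    print("SNI     :", info["sni"] or "<absent>")
    print("suites  :", ", ".join(suite_names(info["cipher_suites"])))
```

If the parse reports SNI as absent, the modem did not send a server_name for that connection and a broker that needs it to pick a certificate will fail the handshake; if SNI is present, the remaining variable is whether the broker's TLS stack accepts any of the listed suites.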

  • Hello Didrik, 

    We've gotten past the error 95 by upgrading our Mosquitto broker from 1.4.x to 1.6.10, which couldn't be done until we moved the broker to a newer version of AWS (Amazon Linux 2). The new broker has the required cipher suites for a TLS connection. 

    But now the error I'm getting is


    on the client side.

    And on the broker side I see: 

    New connection from <ip address> on port 8883.

    Client <unknown> disconnected due to protocol error.

    I'm able to connect to the broker using the mosquitto_sub command. 
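
The reason mosquitto_sub can connect while the modem cannot is that a desktop OpenSSL will negotiate whatever the broker offers, whereas the nRF91 modem offers only TLS 1.2 with a short list of suites. As an added example that is not from this thread, the sample or Nordic, the script below probes the broker from a PC with a client constrained the same way: a "handshake_failed" result reproduces the broker-side version/cipher problem the upgrade fixed, a "cert_verify_failed" result points at the CA provisioned in the sec tag instead, and "tcp_failed" means the listener was never reached. The suite list is my assumption about what the modem offers, taken from Nordic's modem documentation; check it against the release notes of your modem firmware. The host name broker.example.com and the CA file path are placeholders.

```python
"""Probe an MQTT broker's TLS listener with a client limited to what the nRF91 modem offers."""
import socket
import ssl
import sys

# Assumption for this example (from my reading of Nordic's nRF91 modem documentation;
# verify against the release notes of the modem firmware you run): TLS 1.2 only, ECDHE
# key exchange, and these suites, given here in OpenSSL naming. mosquitto_sub on a PC
# would also accept RSA key exchange or TLS 1.3, which is why it can succeed where the
# modem fails.
MODEM_LIKE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
])


def make_modem_like_context(cafile=None):
    """Build an SSLContext mirroring peer_verify=2 with a single CA in the sec tag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # never offer TLS 1.3
    ctx.set_ciphers(MODEM_LIKE_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED            # like CONFIG_MQTT_TLS_PEER_VERIFY=2
    ctx.check_hostname = True                      # broker cert must match the host name
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # the same CA you provisioned at the sec tag
    else:
        ctx.load_default_certs()                   # stand-in for a public CA such as mosquitto.org's
    return ctx


def offered_cipher_names(ctx):
    """Names of the TLS 1.2 suites the context will put in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def classify(exc):
    """Map a failed connection to the three buckets one debugs on the modem."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"      # chain or host name: check the CA in the sec tag
    if isinstance(exc, ssl.SSLError):
        return "handshake_failed"        # version or cipher: check the broker's OpenSSL and config
    if isinstance(exc, OSError):
        return "tcp_failed"              # DNS, security group, or listener not up
    return "other"


def probe_broker(host, port=8883, cafile=None, timeout=10.0):
    """Attempt one constrained TLS handshake and report what was negotiated or why it failed."""
    ctx = make_modem_like_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname both sends SNI and is what check_hostname compares against
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "error": None}
    except Exception as exc:  # classify anything that went wrong rather than crash
        return {"ok": False, "version": None, "cipher": None,
                "error": f"{classify(exc)}: {exc}"}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "broker.example.com"   # placeholder host
    cafile = sys.argv[2] if len(sys.argv) > 2 else None                  # placeholder CA path
    print(probe_broker(host, cafile=cafile))
```

Run it as `python3 probe.py <broker host> <ca file>`. The same constraint can be applied with `openssl s_client -connect host:8883 -tls1_2 -cipher <list> -servername host -CAfile ca.crt`; on the broker side, Mosquitto's `tls_version` and `ciphers` listener options govern what its OpenSSL will accept, so a broker that fails this probe but accepts mosquitto_sub is the situation the thread describes.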

  • leo_nam said:
    We've gotten past the error 95 by upgrading our Mosquitto broker from 1.4.x to 1.6.10

    That's great to hear!

    leo_nam said:
    But now the error I'm getting is

    Do you have a modem trace showing this error?

  • I have a modem trace from the server side (Amazon Linux 2), I didn't save any of the ones I made client side (Nordic).


    I was wondering if I'd get something different if I did a trace from the server side but I didn't notice any difference. Let me know if you still need one from the client side and I will get it to you. 

    Edit: I upgraded my broker to 2.0.11, but to do that I changed to an Ubuntu server. However, same output from the server: "Client <unknown> disconnected due to protocol error." 

    Here is the pcap from the nordic client.
