Hi
I am trying the MQTT client with security option, but never got it working. does anyone who got it success?
Thanks
This thread has been locked.
If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.
Thank you for directing me to that post. I dont know if the SSL Demo app will help me since it seems to use different functions to connect to a SSL server VS the MQTT libraries? Either way, the original poster had some hints in the code he posted that pointed to where I can specify SSL cipher and methods in the connection configuration like this:
connect_config usr_connect_config[] =
{{{{
SL_MQTT_NETCONN_SEC,
SERVER_ADDRESS,
PORT_NUMBER,
4,
SL_SO_SEC_METHOD_SSLV3,//checking it out in socket.h
SL_SEC_MASK_SSL_RSA_WITH_RC4_128_SHA,//checking it out in socket.h line 314
security_file_list
},
Is there any further documentation that describes this specific structure and the various parameter inputs that are accepted?
I looked through the SDK documentation and found no references to SSL methods and ciphers.
I havent yet tried this yet, but I should have some time this weekend and will post back here to help other people who might have the same questions in the future.
Thanks in advance,
I am similar issues as TieXue. I am testing with the Mosquitto MQTT broker.
My CA /server keys and certs were generated using generate-CA.sh https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh , and I generated the client key and cert manually using openssl in .der format. The client key and cert, converted to PEM format, worked with mosquitto_pub/sub with the secured broker without issue. Using UniFlash, I transfer the client key and cert and the ca cert to the application flash in /cert/<file name>.
In main.c, I updated the usr_connect_config to the following
char *security_file_list[] = {"/cert/clientkey.der", "/cert/clientcrt.der", "/cert/cacrt.der"};
connect_config usr_connect_config[] = { { { { SL_MQTT_NETCONN_SEC, //SL_MQTT_NETCONN_URL SERVER_ADDRESS, PORT_NUMBER, SL_SO_SEC_METHOD_SSLv3_TLSV1_2, SL_SEC_MASK_SECURE_DEFAULT, 3, security_file_list }, SERVER_MODE, true, }, NULL, "user1", NULL, NULL, true, KEEP_ALIVE_TIMER, {Mqtt_Recv, sl_MqttEvt, sl_MqttDisconnect}, TOPIC_COUNT, {TOPIC1, TOPIC2, TOPIC3}, {QOS2, QOS2, QOS2}, {WILL_TOPIC,WILL_MSG,WILL_QOS,WILL_RETAIN}, false } };
The result is that the Status returned by sl_Connect() is SL_ECONNREFUSED (-111) in comm_open() function in cc31xx_sl_net.c.
With this same project in its original state, except for the server address, and the Mosquitto broker in default unsecured configuration, the connection was successful and basic function all worked.
Also, I did test the ssl project per the instructions with no issues.
Best,
Scott
Scott,
I have also generated my SSH keys with that same .sh file. I followed this blog post to help me set it up: rockingdlabs.dunmire.org/.../ssl-client-certs-to-secure-mqtt
I configured the same way as your code and also cannot connect. I have also tried other various methods and ciphers like
SL_SO_SEC_METHOD_TLSV1_2
SL_SEC_MASK_SSL_RSA_WITH_RC4_128_SHA
No combinations seem to work....everything works as expected when connecting to the non-SSL port.
I get a different error though, and I cannot make any sense of it:
Device has connected to TheInternet Device IP Address is 192.168.2.12 Version: Client LIB 1.0.3, Common LIB 1.1.1. C: FH-B1 0x10 to net 17, Sent (64 Bytes) [@ 7] C: Net 17, Raw Error -1, Time Out: N C: RX closing Net 17 [-1] C: Cleaning session for net 17 C: Net 17 now closed Broker connect fail for conn no. 1
I have verified that other devices can connect to this SSL port via websockets
Hi Scott,
My require_certificate flag is also set to false.
What is the error message that you see over the CC3200 UART? Is it similar to the one I see?
I do not see the -111 connection error that you spoke about, but a "timeout" error. I do not think it is a timeout since the message comes immediately after I attempt to connect with the MQTT broker.
To give a little more detail on how I know the SSL MQTT broker is configured correctly:
I have a Macbook Pro running the software MQTT.fx. MQTT.fx will connect to the SSL port as long as I provide the client key, client certificate, and CA certificate. I also had to use openssl to convert the SSL certificates to a different format (I think .DER?) in order for MQTT.fx to accept the certificates.
Once the certs were in the correct format, and I had selected SSLv3, I was able to connect successfully.
I tried to use the .DER(?) converted files within the CC3200 but I still get the same error message.
I can also connect over websockets on an https website via a different port (over SSL).
Hi Justin,
Here is the output on my serial terminal:
Host Driver Version: 1.0.0.10
Build Version 2.4.7.2.31.0.0.3.0.1.1.8.8
Device is configured in default state
Started SimpleLink Device: STA Mode
[WLAN EVENT] STA Connected to the AP: OFFICE , BSSID: d8:67:d9:c4:32:df
[NETAPP EVENT] IP acquired by the device
Device has connected to OFFICE
Device IP Address is 192.168.2.246
Version: Client LIB 1.0.3, Common LIB 1.1.1.
Broker connect fail for conn no. 1
Exiting the Application
The -111 error code is from the sl_Connect function (Line:290) when it is called in the comm_open function (Line:218) in cc31xx_sl_net.c. Otherwise the real connection status is not return to any higher point in the code.
Also, I repeated the certificate and key generation based on the rockingdlabs link you provided, and converted the client cert/key and ca cert into .der format. It still failed to connect.
I am running the Mosquitto broker v1.42 (from a PPA) on a Ubuntu 14.04LTS. The keys and certs, in the default PEM format, work perfectly with the mosquitto_sub and pub clients with this setup.
So, I am still scratching my head. I've submitted the issue to TI support. Hopefully, a FAE will get back to me soon.
Best,
Scott
Hey Scott,
Really appreciate the replies. It looks as though we have an almost identical broker setup: Amazon EC2 + Ubuntu 14.04 + Mosquitto 1.42 broker --> CC3200 client. It also looks like we are getting different printouts. Like you, I get the broker failed to connect message, but my printout is a little bit more detailed:
Version: Client LIB 1.0.3, Common LIB 1.1.1.
C: FH-B1 0x10 to net 17, Sent (64 Bytes) [@ 7]
C: Net 17, Raw Error -1, Time Out: N
C: RX closing Net 17 [-1]
C: Cleaning session for net 17
C: Net 17 now closed
Broker connect fail for conn no. 1
Any idea what Net 17 is?
Also - when you say "The keys and certs, in the default PEM format, work perfectly with the mosquitto_sub and pub clients with this setup." Does that mean you were actually able to get SSL working with the SSH key generator script with the CC3200?? Do you mean the keys stored in the CC3200 by default? I have not been able to get SSL working at all with the CC3200.
Its possible the only reason I had to convert it to .DER format was because the MQTT OSX application I was using was written in java and that just happened to be the format it expected.
Hi Justin/Scott,
I think we should debug this step by step
#if 0 // //configure the socket with GOOGLE CA certificate - for server verification // lRetVal = sl_SetSockOpt(iSockID, SL_SOL_SOCKET, \ SL_SO_SECURE_FILES_CA_FILE_NAME, \ SL_SSL_CA_CERT_FILE_NAME, \ strlen(SL_SSL_CA_CERT_FILE_NAME)); if(lRetVal < 0) { UART_PRINT("Device couldn't set socket options \n\r"); GPIO_IF_LedOn(MCU_RED_LED_GPIO); return lRetVal; } #endif /* connect to the peer device - Google server */ lRetVal = sl_Connect(iSockID, ( SlSockAddr_t *)&Addr, iAddrSize); if((lRetVal < 0) && (SL_ESECSNOVERIFY !=Status)) { UART_PRINT("Device couldn't connect to Google server \n\r"); GPIO_IF_LedOn(MCU_RED_LED_GPIO); return lRetVal; }
On success the sl_Connect() will return with -453 error code (SL_ESECSNOVERIFY)
Regards,
Ankur
Hi Ankur,
I was unable to get any printouts when debugging the SSL example last night. The unmodified example seems to not print anything over UART?
Aside from that, it seemed like the point of this exercise was to figure out which methods and ciphers are supported by my server/certificates, so I installed nmap on my OSX system and ran the following command:
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html nmap --script ssl-enum-ciphers -p 443 <host>
The output of this command when running it on my server and port 8883 (my SSL port) listed TLS 1.0, 1.1, and 1.2, as well as every cipher that is currently supported by the CC3200.
For completeness of this post, here is the output from the NMAP printout for TLS 1.2:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256) - C
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Ciphersuite uses MD5 for message integrity
| Weak cipher RC4 in TLSv1.1 or newer not needed for BEAST mitigation
|_ least strength: C
Scott thanks for helping fix the SSL example. Now that I can see the UART printouts, here is what happened for me:
Step 1: I had to change method and cipher as follows in function ssl():
unsigned char ucMethod = SL_SO_SEC_METHOD_TLSV1_2;//SL_SO_SEC_METHOD_SSLV3;
unsigned int uiIP,uiCipher = SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;//SL_SEC_MASK_SSL_RSA_WITH_RC4_128_SHA;=
After changing the method and cipher, I got the expected outcome for step 1.
Step 2: It looks like I get an error -456. This, as I understand it, means a bad CA file.
I am having a bit of trouble figuring out why my CA file is bad as it seems to work for other clients. I
I also tried converting my CA cert to a DER format as explained on this page http://processors.wiki.ti.com/index.php/CC32xx_Serial_Wifi:
openssl x509 -in <input.crt> -inform PEM –out <output.crt> -outform DER
I dont know if it will help. but I have uploaded my ca.crt and ca2.DER file. They are located on my CC3200 at /cert/ca.crt and cert/ca2.der
The location I state in my CC3200 firmware is this format:
#define SL_SSL_CA_CERT_FILE_NAME "/cert/ca2.der"
Hi Justin,
In my setup, I'm loading three files on to the cc3200, /cert/cacrt.der, /cert/clientcrt.der, and /cert/clientkey.der . I used the generate-CA.sh to generate the ca, server, and client certs and keys. These are in the PEM format by default. As you did above, I used openssl to change the format to DER. I then tested the DER formatted certs and key with MQTT.fx since it can use either format. Once verified, I loaded onto cc3200 using Uniflash.
Here is the config section in my main.c:
#define SERVER_ADDRESS "192.168.2.137" #define PORT_NUMBER 8883 char *security_file_list[] = {"/cert/clientkey.der", "/cert/clientcrt.der", "/cert/cacrt.der"}; /* connection configuration */ connect_config usr_connect_config[] = { { { { SL_MQTT_NETCONN_SEC, SERVER_ADDRESS, PORT_NUMBER, SL_SO_SEC_METHOD_TLSV1_2, SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA256, 3, security_file_list }, SERVER_MODE, true, }, NULL, "user1", NULL, NULL, true, KEEP_ALIVE_TIMER, {Mqtt_Recv, sl_MqttEvt, sl_MqttDisconnect}, TOPIC_COUNT, {TOPIC1, TOPIC2, TOPIC3}, {QOS2, QOS2, QOS2}, {WILL_TOPIC,WILL_MSG,WILL_QOS,WILL_RETAIN}, false } };
generate-CA.sh => https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh
Hope this helps.
Best,
Scott
Hi Scott,
Did you successfully connect to MQTT with TLS?
Thank you.
Best Regards,
Bryan
Hi Scott,
Thanks a lot.
Do I need to configure cipher?
I tried use both CA only and with client key
but still not worked.
Do you think it is correct to generate the key shown on above link?
I can use the key to connect on Mqtt. fx.
Thank you.
Best Regards,
Bryan
Hi Scott,
I tried your setting but it still not work.
I think maybe something wrong on my cert.
For CA-only:
I follow this guide: http://lukse.lt/uzrasai/2015-02-internet-of-things-messaging-mqtt-1-installing-mosquitto-server/
Also, I have tried to follow TI's guide and generate CA file:
openssl genrsa -out privkey.pem 2048
openssl rsa -in privkey.pem -inform PEM -out privkey.der -outform DER
openssl req -new -x509 -days 3650 -key privkey.pem -out root-ca.pem
openssl req -new -key privkey.pem -out cert.pem
openssl x509 -req -days 20000 -in cert.pem -CA root-ca.pem -CAkey privkey.pem -set_serial 01 -out cert.pem
openssl x509 -in root-ca.pem -inform PEM -out ca.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
And for TSL with client key:
rockingdlabs.dunmire.org/.../ssl-client-certs-to-secure-mqtt
Do you think I can follow them to set up the TSL using CC3200?
To convert the key file, I use openssl:
#change cert format (from .crt to .der)
openssl x509 -in certificate.crt -out certificate.der -outform der
For .key file:
I change .key to .pem then use above command.
All above settings, I can use the cert file on MQTT.fx but not on CC3200.
In uniflash:
Is there anything wrong?
Thank you very much.
I am glad that you said you successfully use a encrypted MQTT with CC3200
as I tried it about 2 weeks and tried to think whether it is possible to use CC3200 with encrypted MQTT.
Thanks a lot.
Best Regards,
Bryan
Hi Scott,
Sorry for annoying a lot of times.
I am still making an effort to get an encrypted MQTT.
I dun know what is wrong that I cannot get it done.
Maybe I explain my step to set up it, can you help me?
First, I am using Ubuntu to set up the mosquito server.
After set it up, I start to generate SSL/TSL part.
To generate ca cert and server cert,
I use bash ./generate-CA.sh (AND it is changed to -sha256)
and to generate client cert,
I use following command:
openssl genrsa -out client.key 2048
openssl req -new -sha256 -out client.csr -key client.key -subj "/CN=client/O=example.com"
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAserial ./ca.srl -out client.crt -days 3650 -addtrust clientAuth
And then, copy them to mosquito folders and change the mosquito.conf
As you said, I use the file extracted from mosquitto.conf.gz
and change the port to 8883, change the ca path and require_certificate to true.
And after that, I use sudo service mosquitto restart to restart mosquitto.
Then I change those cert file to .der file.
For .crt file, I use openssl x509 -in certificate.crt -out certificate.der -outform der
For .key file I use openssl rsa -in client.key -outform DER -out clientkey.der
Then the server is set.
I tried to use those file with mqtt.fx and it works fine.
So I flash them to CC3200 and modify the sample mqtt project.
But dun know why it cannot connect to broker.
I also tried do not use client file.
I am using the same router with CC3200
and I think the IPLIST is okay as I can use same IP with MQTT.fx.
Thank you very much.
Best Regards.
Bryan
Hi Bryan,
I would suggest using the generate-CA.sh script to generate the client certificates and keys also. The script's author configures the client certificates with a X509 extension that in specifies that it is a client certificate and other details.
My normal workflowis to:
This has worked very well for me during my development and testing. Originally, I did generate the client certificates and keys by hand, but it was a very error prone process. Also, make sure that you point to the correct files in the app flash in the MQTT configuration. That little mistake cost me days.
Best,
Scott
Hello everyone,
Even if almost 2 year have passed, I'm posting on this thread because I have the same problems of you connecting to MQTT broker via TLS.
For Justin: your printout is more detailed because you have enabled extra debug in MqttClientLibCfg:
SlMqttClientLibCfg_t Mqtt_Client=
{
0,
TASK_PRIORITY,
30,
true,
(long(*)(const char *, ...))UART_PRINT //NULL
};
The Net 17 you see in those debugs I think is a number the library assign to each open socket,
when I run the mqtt server i see Net 17-23 assigned to the various connected client.
My question is the same as first, does anyone succeeded to open a TLS connection to a remote broker? If yes, what is the correct configuration for usr_connect_config[]?
Thanks,
Rosario
Hello,
To help with this, I tested the latest CC3200SDK_1.3.0 MQTT example, connected to the paho sandbox secure broker - iot.eclipse.org:8883.
Here are the steps I followed :-
1. Starting with the SDK mqtt_client example, verified non-secure communication to iot.eclipse.org is working correctly (as per default application configuration).
2. Modified the connect_config structure to set new parameters for secure connectionsecurity parameter.
#define SL_SSL_CA_CERT "/cert/dst.der" char *secureFiles[4] = { NULL, NULL, SL_SSL_CA_CERT, NULL }; /* connection configuration */ connect_config usr_connect_config[] = { { { { SL_MQTT_NETCONN_URL | SL_MQTT_NETCONN_SEC, "iot.eclipse.org", 8883, SL_SO_SEC_METHOD_SSLv3_TLSV1_2, SL_SEC_MASK_SECURE_DEFAULT, 4, secureFiles
3. Set the system time before making the MQTT connection
{ _i32 retVal; SlDateTime_t g_time; g_time.sl_tm_day = 9; g_time.sl_tm_mon = 6; g_time.sl_tm_year = 2017; g_time.sl_tm_sec = 12; g_time.sl_tm_hour = 21; g_time.sl_tm_min = 0; retVal = sl_DevSet(SL_DEVICE_GENERAL_CONFIGURATION, SL_DEVICE_GENERAL_CONFIGURATION_DATE_TIME, sizeof(SlDateTime_t),(unsigned char *)(&g_time)); if (retVal != 0) { UART_PRINT("Error Setting Time\n\r"); } else { UART_PRINT("Time set to : %02d/%02d/%04d %02d:%02d:%02d\n\r", g_time.sl_tm_day, g_time.sl_tm_mon, g_time.sl_tm_year, g_time.sl_tm_sec, g_time.sl_tm_hour, g_time.sl_tm_min); } } // // Initialze MQTT client lib // lRetVal = sl_ExtLib_MqttClientInit(&Mqtt_Client);
4. Programmed the DST Root CA X3 certificate (in .der format)) into /cert/dst.cer using uniflash
5. Built, loaded, ran ;)
************************************************* CC3200 MQTT_Client Application ************************************************* Host Driver Version: 1.0.1.11 Build Version 2.9.0.0.31.1.4.0.1.1.0.3.37 Device is configured in default state Started SimpleLink Device: STA Mode [WLAN EVENT] STA Connected to the AP: CC-2.4GHz , BSSID: 3c:47:11:af:19:cf [NETAPP EVENT] IP acquired by the device Device has connected to CC-2.4GHz Device IP Address is 192.168.1.6 Time set to : 09/06/2017 12:21:00 Version: Client LIB 1.4.0, Common LIB 1.5.0. C: Alloc for 1 200246e4 C: FH-B1 0x10 to net 80, Sent (45 Bytes) [@ 6] C: Alloc for 0 200246e4 C: Rcvd msg Fix-Hdr (Byte1) 0x20 from net 80 [@ 6] C: Cleaning session for net 80 C: Msg w/ ID 0x0000, processing status: Good C: Alloc for 0 200246e4 Success: conn to Broker no. 1 C: Alloc for 8 200246c0 C: FH-B1 0x82 to net 80, Sent (79 Bytes) [@ 6] C: Rcvd msg Fix-Hdr (Byte1) 0x90 from net 80 [@ 6] C: Msg w/ ID 0x0001, processing status: Good C: Alloc for 0 200246e4 Client subscribed on following topics: /cc3200/ToggleLEDCmdL1 /cc3200/ToggleLEDCmdL2 /cc3200/ToggleLEDCmdL3 CC3200 Publishes the following message Topic: /cc3200/ButtonPressEvtSw2 Data: Push button sw2 is pressed on CC32XX device
Hope that helps,
~roger