I want to use the MQTT protocol to connect to the AWS IoT MQTT broker. (BX FW version 2.6.3)
The broker requires that the connection uses X.509 certificates to authenticate. When creating a “thing” on the platform you are supplied with:
rootCA for AWS.
Certificate (local)
Private Key
Using the commands AT+KCERTSTORE=0, AT+KCERTSTORE=1 and AT+KPRIVKSTORE=0, I uploaded the 3 files to the BX3105. All commands executed with OK, and querying the certs with AT+KCERTSTORE? returns the information for the 2 certs.
Querying the private key with AT+KPRIVKSTORE? returns: +CME ERROR: 918
The FW is constantly being improved, yet AT+KPRIVKSTORE? returns “FEATURE_NOT_SUPPORTED”, although the AT Command Reference says it must return the key data.
I just want to confirm that the BX310x FW 2.6.3 can do MQTT with TLS. Has this been tested on a third-party broker with TLS on?
I remember I tried the MQTT command with TLS; I could see it pass through the SSL layer set up by an stunnel server.
But I don’t have an MQTT server, so I did not go further.
As I have no experience with stunnel, setting this up will take a significant amount of my time.
Is there any reason to believe that the certificates provided / generated by Amazon are incorrect?
These certificates work using their python example program to connect to the broker.
When uploading them to the BX3105 the module confirms “OK” after each certificate. So I am confident that the uploading process is correct.
Can you confirm that the BX3105 with FW 2.6.3 has been tested to connect to an MQTT broker using the TLS mode?
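Before going the stunnel/Wireshark route, the cheaper check is to confirm that the three files from the AWS IoT console are mutually consistent and are the kinds of PEM the two AT commands expect (the "OK" after each upload only confirms the transfer, not that the key belongs to the certificate). The script below is an added example, not code from this thread or from Sierra Wireless; it assumes the openssl CLI is available, the file paths are placeholders you pass in, the `--demo` switch and the throwaway CA it builds are constructed for offline demonstration, and it says nothing about what the module itself does with the files:

```shell
#!/bin/sh
# Added example, not from the thread or the module vendor: sanity-check the
# root CA, device certificate and private key before uploading them with
# AT+KCERTSTORE / AT+KPRIVKSTORE. Assumes the openssl CLI; paths are placeholders.

# pem_label FILE: label of the first PEM block ("CERTIFICATE", "RSA PRIVATE KEY", ...).
# CR characters are stripped so files saved on Windows are labelled correctly.
pem_label() {
  tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# check_chain CAFILE CERT: does the device certificate chain to the root CA?
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_matches CERT KEY: does the private key belong to the certificate?
# Compares the public key extracted from each side; a mismatch fails the TLS
# handshake even though every upload command answered OK.
check_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_all CAFILE CERT KEY: run every check, report, exit 0 only if all pass.
check_all() {
  ca=$1; cert=$2; key=$3; rc=0
  case $(pem_label "$ca") in CERTIFICATE) ;; *) echo "root CA is not a certificate"; rc=1 ;; esac
  case $(pem_label "$cert") in CERTIFICATE) ;; *) echo "device cert is not a certificate"; rc=1 ;; esac
  case $(pem_label "$key") in *"PRIVATE KEY") ;; *) echo "key file is not a private key"; rc=1 ;; esac
  check_chain "$ca" "$cert" || { echo "device cert does not chain to root CA"; rc=1; }
  check_key_matches "$cert" "$key" || { echo "private key does not match device cert"; rc=1; }
  [ "$rc" -eq 0 ] && echo "all checks passed"
  return "$rc"
}

# make_demo_pki DIR: constructed throwaway CA + device cert + key, only for
# demonstrating the checks offline; real files come from the AWS IoT console.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj /CN=demo-root-ca -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$1/dev.key" -out "$1/dev.csr" \
    -subj /CN=demo-thing >/dev/null 2>&1
  openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/dev.pem" -days 1 >/dev/null 2>&1
}

# Run with --demo to exercise the checks on the constructed files; otherwise
# call check_all with the real root CA, certificate and private key paths.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  check_all "$d/ca.pem" "$d/dev.pem" "$d/dev.key"   # good triple: all checks passed
  check_all "$d/ca.pem" "$d/dev.pem" "$d/ca.key"    # wrong key: mismatch reported
fi
```

If `check_all` passes on the real files, the material itself is sound and the remaining question is purely what the module does with it, which narrows the problem before anyone sets up stunnel.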
After you verify that the certificate and key are correct with stunnel in client mode, you can connect the BX to this stunnel and capture the Wireshark log in raw data mode.
Or you can set up an stunnel server and connect the BX to this server in TLS mode and see if it works.
Thank you very much for the quick replies, I really appreciate your assistance.
But I’m no security expert. I’m an embedded systems engineer, and this will take me a significant amount of time to figure out (I have never used stunnel or Wireshark).
If I do manage to do the above-mentioned steps, what do I do with the logs? I cannot interpret them.
Won’t it be much easier for the engineer responsible for the FW on the BX to set up a free account on AWS IoT and test MQTT with TLS on to check if it works? Or use the certs I supplied above to test if he can connect to the AWS IoT broker.
I’m trying to accomplish the same thing, but I cannot get the RootCA into the BX3105 using the AT+KCERTSTORE=0 command. Anything I should be looking for? Using the same file you’re using.
Thanks,
Eric