MQTT with TLS on BX3105

I want to use the MQTT protocol to connect to the AWS IOT MQTT broker. (BX FW version 2.6.3)

The broker requires that the connection uses a X.509 Certificates to authenticate. When creating a “thing” on the platform you are supplied with a:

• rootCA for AWS.
• Certificate (local)
• Private Key
  Using commands : AT+KCERTSTORE=0, AT+KCERTSTORE=1 and AT+KPRIVKSTORE=0 I uploaded the 3 files to the BX3105. All command executed with OK and querying the certs: AT+KCERTSTORE? returns the information for the 2 Certs.
  Querying the private key AT+KPRIVKSTORE? returns: +CME ERROR: 918

I then setup the the MQTT session with TLS active:
AT+KMQTTCFG=1,“a3e1k5xqxzxwj6-ats.iot.eu-west-1.amazonaws.com”,8883,4,“BX_one”,

Connecting to the broker fails after about 3 seconds:
AT+KMQTTCNX=1
OK
+KMQTT_IND: 1,0

Using the MQTT protocol to connect to non-secure brokers works and publishing data is possible.

Is there something wrong with my certs or key?

You can download stunnel and run in client mode to test your cert and key first.

Thank you, will look into using stunnel.

As the FW is constantly improved and the AT+KPRIVKSTORE? returns “FEATURE_NOT_SUPPORTED” although the AT Command Reference say it must return the key data.

I just want to confirm that the BX310x FW 2.6.3 can do MQTT with TLS? Has this been tested on a 3rd party Broker with TLS on?

i remember i tried MQTT command with TLS, I can see it can pass through the SSL layer set up by stunnel server.
But i don’t have a MQTT server, so I did not go further.

I can help with that:

Here is the root cert for Amazon:
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----

Here is the Local cert for an IoT device:
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIVAKyB6i/VchVyaVQS0OGLSnLDRdTOMA0GCSqGSIb3DQEB
CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t
IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0xOTA2MTMwOTUz
MDhaFw00OTEyMzEyMzU5NTlaMB4xHDAaBgNVBAMME0FXUyBJb1QgQ2VydGlmaWNh
dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC44hc2LS/8/6lNSw2p
vK3LgrahyIvi8qo4knA0KQWGTspN/9EwiaVMmDQAWixC2QQSFC1rM1sd5F3YtBxO
HDqVB6r+dtfScIhwUHcGnKvPJL/OjbUnKszlIkFG91r2pbnnVdRYws3s0bZQ0bYx
0KSTAAOrRke2LL8jX7wo5FpHUUunMzK3nVlCvZVPvW7SfU+QaYik0lcS8z3ONAQc
OvcWie8rB/UM/SqlFbltZQZPgfpTFqO3+AlCajrrEoZ11T/f45bQWo/AHcJ5NzvD
JFlE/zKDqzHECxh919EhKO8Mqbaeq63v2H3hOd6kj5fLekzC21lVK0YK07T+op3g
LrxXAgMBAAGjYDBeMB8GA1UdIwQYMBaAFDg5H7txrcbNMnsXyynohZ5vHpQaMB0G
A1UdDgQWBBQZZSnPf8QXz3ozlnSLdeucNZpBBjAMBgNVHRMBAf8EAjAAMA4GA1Ud
DwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAseLFf+RlIIQug4IYbUugUPER
/erZHNjNfs8JjFQGH1dDGXCT/h42SJGrZqvjZJXGUvkxsfFRYj81WqzoZZkMpRew
N6EFNy/ym0lhqHOLNUAPCXHzJbJkKUzKrlHzJlAb+7apnIvgppm1DVXTmlGrkPlO
KLFHtSa7Yo57mQ56ECmhPcMVLJ+SxQ3WvYG73gxMQp5qgcd20YpOs26R+Gavv+u9
bkVxqZ0RMoV4cgbr1adYkdNfaQX9+jNINyEjhGNF7r3ZTH8Encc50k9epg8yo4N7
wp0nnlk6t6nzQH5FquPE4b0Ql/Vqvb2C1WhPXiiNLyI0eHOloCoS4n0dVv0O+Q==
-----END CERTIFICATE-----

Here is the private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuOIXNi0v/P+pTUsNqbyty4K2ociL4vKqOJJwNCkFhk7KTf/R
MImlTJg0AFosQtkEEhQtazNbHeRd2LQcThw6lQeq/nbX0nCIcFB3BpyrzyS/zo21
JyrM5SJBRvda9qW551XUWMLN7NG2UNG2MdCkkwADq0ZHtiy/I1+8KORaR1FLpzMy
t51ZQr2VT71u0n1PkGmIpNJXEvM9zjQEHDr3FonvKwf1DP0qpRW5bWUGT4H6Uxaj
t/gJQmo66xKGddU/3+OW0FqPwB3CeTc7wyRZRP8yg6sxxAsYfdfRISjvDKm2nqut
79h94TnepI+Xy3pMwttZVStGCtO0/qKd4C68VwIDAQABAoIBAAGN7RIIiTnAUIUU
13WQ34kxfSWZEQwEbEfzezwFCEXbzbmgJ/sXfStKsE08dNjPCEi6oLMhCGgU7nEO
+pnxhNCR8u8WwrPDPHJtSsLkeFFShsZOzLIamwRmKFRXag1e0VRPlWx1ntOZ48WE
Ldr3XRrbSiybd6jhcW3ztRpG6TdmROUqjDDwP0JAIPK3ug5cZoYXUHWgbv+oXJEH
NnXF0pH/HyWmikd8YxErwyyCx7BekVqm/oohNUGetjz1S4zIVnATrBWIiaBCtjH9
ZewXVoyWDMFIDWZZzONE9ZR0DB99mdL/GxfohGSRv9SlCLQq+Jq/6VF5A2znTU/u
f7pUmUECgYEA81zuegzE2auEjCjZjbioAqhNTGSX3MqRj+GKj0g58xl3sgxwDZ5G
XznAjBYFDbVT8QtNmzpI/7/WNw21PCnWnFbQit/S3v8BX1zyz0MDq7yqemfXOwul
v2VKuLlDWrE4lB5UyVxX+VizAzQWNi9D5CQTCJI5J7KwAC6s/BHKkSECgYEAwnvG
pWR8afzK1Ljtvb/zjblCiswgK0G1q2uaXKzYb2XAZpNbEqEMBqFOgyrLNAC9Q7gP
GZ+3r3SnmDqA1D/3kTkcQ5jlAMLP+rY99cwz5Ns3wT86U3R4SURLp8dQovmJnOF5
smRK8psLjLy7qJoKYGMSnxojah1CvCM2XvtOhncCgYANqz2Vy1vPIgwa1zyI8kM1
iwB0dv30n8gXPcLLk3H1zotji8FLcoVfWd4PwDjecT3avxjHzDlHbB37D6ELVQpB
07p44mN0tPv9wDm/HHN7VOh6YZS8M0ZG/sh4oac/085qu11lxfMHBU1gs68/sd3t
VX1gMN5W9XlfOT/sFI+9IQKBgQCTxwWMSyyWRHXC6boMgryIJgs/+BdBhy6J0Lt8
TAIxszldN/7tyt2edBd6Z5v8Kcuml0cyC0DB23w1mc6meOyetqyZWKY5y83JDY1L
Jh0QetqExoyFOWzlDzYFiNfm3oIIaPPV74tbiSBfklFtrY7Q6rcNmgjq6sz4tDDu
PzrNxQKBgQCmiqQc6XwvHn51FC8OFudf//euPOe9MNfG2kQ58xNkVPubzV+XBg0h
HdjoMWWf58ZZsrAQtkfVaxcMaXpTW8PIdAoqfVSsgHCaRonceROOX5I7UIwQ4iw9
LS938HmFrgYnr8x5NnBBa6HyKAdd+DIV1Nr0NcX/z4/LIHmL5NMgZQ==
-----END RSA PRIVATE KEY-----

And here is the server url:
“a3e1k5xqxzxwj6-ats.iot.eu-west-1.amazonaws.com”

The broker will accept any topic, but ““sdk/test/Python”” is given in the example code from AWS.

OK, you can try with stunnel client mode to verify the certificate and key first.

Not having any experience with stunnel, this will take a significant amount of my time to setup.

Is there any reason to believe that the certificates provided / generated by Amazon is incorrect?
These certificates work using their python example program to connect to the broker.

When uploading them to the BX3105 the module confirms “OK” after each certificate. So I am confident that the uploading process is correct.

Can you confirm that the BX3105 with FW 2.6.3 has been tested to connect to an MQTT broker using the TLS mode?

After you verify the certificate and key are correct by stunnel in client mode, you can connect the BX to this stunnel and capture the wireshark log in raw data mode.

Or you can setup a stunnel server and connect the BX to this server in TLS mode and see if it works.

Thank you very much for the quick replies, I really appreciate your assistance.

But, I’m no security expert. I’m an embedded systems engineer this will take me a significant amount of time to figure out (I have never used Stunnel or WireShark).

If I do manage to do the above mentioned steps, what do I do with the logs? I cannot interpret it ?

Won’t it be much easier for the engineer responsible for the FW on the BX to setup a free acount on AWS IOT and test MQTT with TLS on to check if it works? Or use the certs I supplied above to test if he can connect to the AWS IOT broker.

Setting up a MQTT borker is easy with AWS IOT:

i tried a TCP connection, it is failed…

Connecting to a3e1k5xqxzxwj6-ats.iot.eu-west-1.amazonaws.com …
TCP connection error :10049

Hi

That is url is specifically an MQTT borker on port 8883, will it accept a TCP connection? (I’m not an IP expert)

AT+KMQTTCFG= 1 ,“a3e1k5xqxzxwj6-ats.iot.eu-west-1.amazonaws.com”,8883,4,“BX_one”,
AT+KMQTTCNX=1
OK

SSL connection is on top of TCP.
That means your server cannot be connected.

Please also verify your SSL cert and key first.

We have tested our Certs with other applications connecting to AWS IOT and the SSL Cert and Key is correct.

What is the next step?

you can setup a stunnel server and see what is the SSL connection error after
AT+KMQTTCNX=1

I’m trying to accomplish the same thing, but I cannot get the RootCA into the BX3105 using the AT+KCERTSTORE=0 command. Anything I should be looking for? Using the same file you’re using.
Thanks,
Eric

what do you mean "cannot get the RootCA into the BX3105 "?

When I copy the certificate after the CONNECT response to AT+KCERTSTORE=0, I enter +++, then get an ERROR response.

not sure if your newline character is using “CR+LF”

That’s a good thought, I’ll check it. Anything else you can think of that I’ll run into when connecting to AWS IoT?