TLS/SSL connections with HL7800 Module

Hi everyone,

Apologies but I had to purge a few images/links because I am a new user. I can add them in subsequent posts.

For a little context, I am trying to write a firmware application for an STM32 board that uses the HL7800 module to publish JSON data via MQTT. I am using Eclipse Paho’s lowest level packet serialization library to create packets and send them over TCP (MQTTPacket) via the AT commands available to me. I have tested this functionality with a public test broker on Port 1883 - building a simple QOS 0 CONNECT, PUBLISH and DISCONNECT, and then sending the packets with a JSON data payload through a TCP connection opened on the HL module.

I have the STM board forwarding debug output to a console on my machine, and a Mosquitto client listening on my topic to see if data is received and then published to subscribers correctly, which it did.

However, now I need to send this data to an Azure IoT hub interface instance. Azure specifies that you MUST use TLS/SSL when connecting and sending data via MQTT. I cannot use the Azure C SDK because of some specific constraints on my embedded system, so I am following their steps to connect directly as a device (https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support#using-the-mqtt-protocol-directly-as-a-device). This specifies building a MQTT CONNECT packet with specific parameters, including a PASSWORD field that is an SAS token which I have generated on the Azure side and is currently hard-coded in my firmware.

However, when attempting to repeat the same process as I did on the public broker (this time on Port 8883), I do not seem to be successfully receiving data, and actually do not receive any indication on Azure side that a CONNECT packet is being sent at all. I assumed that simply filling the CONNECT packet parameters as specified would work. Here is debug output for the connection process:

I do receive an acknowledgement that KTCPSND was successful and it was expecting more characters (+KTCP_NOTIF: 1,8) (just checked the command spec and I think I need to change my data length to not include the EOF pattern, but I think this issue is secondary since the KTCPSND command works fine when sending on to the public broker and it still throws me the same notification).

So my question is this: How does the HL7800 module handle TLS when opening TCP connections? As you can see from my KTCPCFG commands I have tried explicitly specifying a Cipher Suite to use with a TCP connection, which doesn’t seem to change anything. I am suspicious about Azure’s TLS/SSL specification. Is it possible that I need to store their Root CA on my HL7800 using KCERTSTORE and then somehow tell it to reference the cert when opening a TCP connection? Or should it just automatically be handling the TLS handshake when opening the TCP connection if I specify a cipher suite? I have to admit to being a little bit ignorant about how this is handled, especially on devices like the HL7800.

What is especially weird to me is that the unsolicited notifications from the HL7800 module indicated that a TCP connection is successfully opened (+KCNX_IND: 1,1,0 and +KTCP_IND: 1,1), data is successfully being sent (+KTCP_NOTIF: 1,8) but I am not receiving an indication of any sort of CONNECT packet on the Azure IoT hub side (say, in the Operation Monitoring area).

Suggestions and input welcomed. I have posted a similar discussion to Azure’s IoT Hub Forum: https://social.msdn.microsoft.com/Forums/azure/en-US/e4de07b4-b9a1-405b-ae86-b44f150a427b/tlsssl-connections-to-iot-hub-while-using-mqtt-directly-as-a-device-sierra-wireless-hl7800-stm32?forum=azureiothub


Hi,

To avoid the +KTCP_NOTIF: 1,8, the length should be without the EOF pattern, e.g.
at+ktcpsnd=1,10
connect
AAAAAAAAAA--EOF--Pattern--
ok

To store the cert, please try the following commands:
at+kcertstore=0,1376,0 //certs with .crt format
at+kcertstore?
CONNECT
root_cert,0,1376
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvc…
OK

And maybe you can try with the HTTP command, e.g.
at+khttpcfg=1,"xxx.com",443,2 //2: HTTPS (with TLS), cert should be stored before.
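As an added illustration, not taken from either post, the helper below frames the two exchanges the reply describes: for AT+KTCPSND the declared length counts only the payload bytes while the EOF pattern is still appended to the data, and for AT+KCERTSTORE the size argument is the byte count of the PEM text that follows. The CR command terminator, the sample payload and the PEM-shaped blob are constructed assumptions; the trailing 0 on KCERTSTORE is copied from the reply as given.

```python
# Added example (not from the original thread): host-side helpers that frame
# AT+KTCPSND and AT+KCERTSTORE the way the reply above shows.
EOF_PATTERN = b"--EOF--Pattern--"   # end-of-data marker used in the reply


def ktcpsnd_frame(session: int, payload: bytes) -> tuple[bytes, bytes]:
    """Return (command line, data bytes) for one AT+KTCPSND transfer.

    The length argument counts only the payload; the EOF pattern is
    appended to the data stream but excluded from the count. Declaring
    len(payload + EOF_PATTERN) instead is what leaves the module waiting
    for more characters (+KTCP_NOTIF: 1,8).
    CR as the AT line terminator is an assumption.
    """
    command = f"AT+KTCPSND={session},{len(payload)}\r".encode("ascii")
    return command, payload + EOF_PATTERN


def ktcpsnd_length_mismatch(declared: int, payload: bytes) -> int:
    """Bytes the module would still expect after the payload has been sent.

    0 means the declared length is correct; a positive value means the
    caller counted extra bytes (typically the EOF pattern).
    """
    return max(0, declared - len(payload))


def kcertstore_frame(index: int, pem: bytes) -> tuple[bytes, bytes]:
    """Return (command line, data bytes) for AT+KCERTSTORE.

    The size argument is the exact byte count of the PEM text that
    follows, newlines included; the trailing 0 mirrors the reply.
    """
    command = f"AT+KCERTSTORE={index},{len(pem)},0\r".encode("ascii")
    return command, pem


if __name__ == "__main__":
    # Constructed sample: a 10-byte payload like the reply's "AAAAAAAAAA".
    cmd, data = ktcpsnd_frame(1, b"A" * 10)
    print(cmd, data)
    # Wrong accounting that includes the EOF pattern in the declared length.
    print("still expected:", ktcpsnd_length_mismatch(len(data), b"A" * 10))
    # Constructed, deliberately short PEM-shaped blob (not a real certificate).
    pem = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    print(kcertstore_frame(0, pem)[0])
```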