
TLS with mqtt #9

Open
mocasrhey opened this issue Jul 10, 2019 · 24 comments

Comments

@mocasrhey
Has anyone been successful using TLS on mqtt?

@Thalhammer
Owner

https://gist.github.com/Thalhammer/b60ccbe7d8777debd2ce43796791ce17

This is what I had as a not yet committed example. Not sure if it worked back then, but it might be a good starting point.

@mocasrhey
Author

Thanks! I will try it out. I'm trying to make it work with Google Cloud IoT.

@Wiz-IO

Wiz-IO commented Jul 10, 2019

https://cloud.google.com/iot/docs/how-tos/mqtt-bridge#using_a_long-term_mqtt_domain
Download long-term primary and backup for "mqtt.2030.ltsapis.goog"
https://pki.goog/gtsltsr/gtsltsr.crt
https://pki.goog/gsr4/GSR4.crt
Convert to PEMs

Store CA list - SSL_Store from PEMs[2]

CIPHER = "ECDHE-ECDSA-AES128-GCM-SHA256"

sni_Name = mqtt.2030.ltsapis.goog

Create JVT mqtt.password from your google private key

If there are no Qualcomm API bugs, MQTT will be OK
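The recipe in the comment above (download the CA certs, convert them to PEM, store the CA list, select the cipher, set the SNI name, build the JWT used as the MQTT password) written out in host-side Python as an added example. This is not code from the page, from this project, or from the module's QAPI SDK: the standard-library ssl module stands in for the module's SSL store, the two certificate blobs are constructed random bytes standing in for the gtsltsr.crt and GSR4.crt downloads, and `my-project` is a placeholder project id. Signing the JWT (RS256 or ES256 with the device private key) is left to a JWT library; the function here only builds the claim set.

```python
import base64
import socket
import ssl
import time

# Constructed stand-ins for the two downloaded CA files (random bytes, NOT real
# certificates): one binary DER blob and one that is already PEM text.
FAKE_DER_CERT = b"\x30\x82" + bytes(range(48))
FAKE_PEM_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-pem-body").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def to_pem(blob):
    """Normalise one certificate file to PEM text.

    A DER (binary .crt) blob is base64-wrapped with BEGIN/END markers; a blob
    that already is PEM passes through with a single trailing newline.
    """
    if isinstance(blob, str):
        blob = blob.encode("ascii")
    if blob.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return blob.decode("ascii").strip() + "\n"
    return ssl.DER_cert_to_PEM_cert(blob)


def pem_to_der(pem_text):
    """Inverse of to_pem, used to check that the conversion round-trips."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def build_ca_bundle(cert_files):
    """Concatenate the primary and backup CA certs into one PEM list (the CA store)."""
    return "".join(to_pem(f) for f in cert_files)


def count_pem_certs(bundle):
    return bundle.count(PEM_HEADER)


def make_tls_context(cipher_suite, ca_bundle_pem=None):
    """Client-side TLS context: trust only the given CA list, allow one cipher suite.

    With ca_bundle_pem=None the platform trust store is used instead, which is
    only appropriate for desktop testing; a device build should pass the bundle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle_pem is not None:
        ctx.load_verify_locations(cadata=ca_bundle_pem)
    else:
        ctx.load_default_certs()
    ctx.set_ciphers(cipher_suite)
    return ctx


def enabled_cipher_names(ctx):
    return [c["name"] for c in ctx.get_ciphers()]


def verifies_peer(ctx):
    """True when the context rejects an unauthenticated or mis-named server."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def google_iot_jwt_claims(project_id, now=None, lifetime_s=3600):
    """Claim set for the Cloud IoT Core MQTT password: iat, exp and aud = project id.

    The caller signs this with the device private key (RS256 or ES256) via a
    JWT library; the resulting token is sent as the MQTT password.
    """
    now = int(time.time()) if now is None else int(now)
    return {"iat": now, "exp": now + lifetime_s, "aud": project_id}


def open_mqtt_tls_socket(ctx, host="mqtt.2030.ltsapis.goog", port=8883):
    """Connect and hand the socket to TLS; server_hostname is the SNI name from
    the recipe and also the name the server certificate is checked against."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    bundle = build_ca_bundle([FAKE_DER_CERT, FAKE_PEM_CERT])
    ctx = make_tls_context("ECDHE-ECDSA-AES128-GCM-SHA256")
    print(count_pem_certs(bundle), "CA certs in bundle;", enabled_cipher_names(ctx))
    print(google_iot_jwt_claims("my-project"))  # placeholder project id
```

Keep the context at CERT_REQUIRED with hostname checking on: an empty CA list, as in the ca_root workaround mentioned further down the thread, means the broker is never authenticated, and a TLS session that comes up that way gives no protection against a substituted endpoint.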

@mocasrhey
Author

Thank you! By JVT you mean JWT (JSON Web Token)?

@Wiz-IO

Wiz-IO commented Jul 12, 2019

yes, sorry
JWT
I use this:
https://github.com/GoogleCloudPlatform/google-cloud-iot-arduino/tree/master/src
Look at google git for C version

@mocasrhey
Author

Giving an update to the situation:

-Tried to connect to AWS cloud and wasn't successful. Converted the certificates with sharkssl and tried different combinations, but nothing seems to work. The mqtt client connects, but when it gets to the connect callback it gives "QAPI_NET_MQTT_CONNECT_FAILED_E"; it looks like some sort of timeout operation happens.

-Tried with AT commands without success too.

Can't determine the causes. Thought it was because of the RTC not being up to date, but concluded it's not; probably some bug with ssl and mqtt. So at this point I'm considering changing to another module.

@Wiz-IO

Wiz-IO commented Jul 25, 2019

that means:

  • key and cert files are wrong
  • ssl config is wrong
  • mqtt-client-id does not exist
  • Qualcomm ssl-mqtt ca_root bug...

Amazon-MQTT is very easy with ThreadX
https://www.linkedin.com/feed/update/urn:li:activity:6542386189587095552

@Thalhammer
Owner

@mocasrhey How did you convert the certs?

I might look into it but I never found the tool to convert the certs into the required format.

@Wiz-IO

Wiz-IO commented Jul 25, 2019

windows - 2 click - details - copy to file - export wizard .... to pem

@Thalhammer
Owner

@Wiz-IO I know how to convert to pem, but the simcom modules use a different file format which is somehow proprietary to their ssl stack.

@Wiz-IO

Wiz-IO commented Jul 25, 2019

AWS - MQTT
Amazon IoT Core - Manage
Create Thing and Certificates, download it and Activate
Policies Allow
Interact - get HTTPS URL for host name

module API
store KEY and CERT (from Amazon) to SSL store as QAPI_NET_SSL_CERTIFICATE_E and "filename"

MQTT SSL basic config....
for cert filename use filename from store
for ca_root file name use ..... string "empty" ... not NULL (workaround)

connect ... enjoy

ps: basic ( qapi ) format is pem (text)

@mocasrhey
Author

They use sharkssl. You need to convert the CA file to binary format, and the client certificate and private key are combined into one binary file too. I downloaded the tool here: https://realtimelogic.com/downloads/sharkssl/

You then go into the bin folder and you have the tools to do that.

@mocasrhey
Author

Yes, I noticed that too. I used that function too, but still nothing.

@mocasrhey
Author

Forgot to mention: when I attribute more than 1 cipher, the module crashes at the "qapi_Net_MQTT_Connect()" function and reboots.

@Wiz-IO

Wiz-IO commented Jul 26, 2019

crash is from other as NULL

ssl_cfg.cipher[] max is 8, can be cleared ( example for Azure not need ) - tested...
ssl-mqtt is tested from me with aws, google, azure, eclipse...

@mocasrhey
Author

Yes, even with only 2 ciphers it crashes.
Did you configure all ssl_cfg fields or leave something as NULL?

@Wiz-IO

Wiz-IO commented Jul 26, 2019

AZURE
[screenshot of the Azure ssl/mqtt configuration, not reproduced]

@Wiz-IO

Wiz-IO commented Jul 26, 2019

AMAZON
[screenshot of the Amazon ssl/mqtt configuration, not reproduced]

@Wiz-IO

Wiz-IO commented Jul 26, 2019

GOOGLE
[screenshot of the Google ssl/mqtt configuration, not reproduced]

@mocasrhey
Author

mocasrhey commented Jul 30, 2019

UPDATE 2

  • @Wiz-IO I used your development platform for PlatformIO and successfully connected to AWS IoT. Your platform is portable to the SIM7000E too.

It seems that the error in my code is that the certificates aren't being stored in the variables; I will try to fix that.

@Wiz-IO, @Thalhammer, thank you for your support, you guys are amazing 👍

@Wiz-IO

Wiz-IO commented Jul 30, 2019

👍 enjoy :)
if you find bugs ... please contact me

@felixback84

felixback84 commented Mar 10, 2021

Hello guys, I have an ESP32 LilyGo T-Call SIM800 Series module with GSM and I want to send messages from it to GCP's IoT Core. For this I have used two libraries, TinyGSM and Google_Cloud_IoT_Core_JWT. Both have been useful separately: with TinyGSM I have managed to send messages via GSM to a server (using the examples it brings), and with Google_Cloud_IoT_Core_JWT I have managed to send MQTT messages via WiFi to GCP's IoT Core. However, the problem is when I try to do both at the same time, since I always get the same error (the return returned is: Settings incorrect or missing a cyper for SSL). I have read this post and the one associated with it carefully, and I understand that it is normal to use the Google_Cloud_IoT_Core_JWT library, since it cannot establish a secure connection between the device and GCP; as I have seen and from what I have investigated, it has something to do with the secure connection using an SSL certificate. Reading the comments of @Wiz-IO I have tried to intuit things, but nevertheless I have not been able to make it work, since although I know that he has succeeded, I cannot fully follow his suggestions on how to solve it. Please, do you know what I should do? I ask you to help me, since it is important for a project of my company. For me everything happens in this part of the code.

I take this code extract from the related post, since I have tried to do almost exactly the same thing, with the same results.

#include <TinyGsmClient.h>
#include <MQTT.h>
#include <CloudIoTCore.h>
#include <CloudIoTCoreMqtt.h>

// Globals shared with the rest of the sketch; project_id, location, registry_id,
// device_id and private_key_str come from the example's config header.
CloudIoTCoreDevice *device;
Client *netClient;
MQTTClient *mqttClient;
CloudIoTCoreMqtt *mqtt;

void setupCloudIoT(Client *_tinyGSMClient) {
    device = new CloudIoTCoreDevice(project_id, location, registry_id, device_id,
                                    private_key_str);

    netClient = _tinyGSMClient;               // plain TinyGSM socket, no TLS layer
    mqttClient = new MQTTClient(512);
    mqttClient->setOptions(180, true, 1000);  // keepAlive, cleanSession, timeout
    mqtt = new CloudIoTCoreMqtt(mqttClient, netClient, device);
    mqtt->setUseLts(true);                    // long-term MQTT domain
    mqtt->startMQTT();
}

// Called from setup() once the modem has been initialised:
//   Client *client = new TinyGsmClient(modem);
//   setupCloudIoT(client);

the return returned is: Settings incorrect or missing a cyper for SSL

Thank you in advance in case any of those present in these post have managed to solve it

@Wiz-IO Can I have a more complete view of this piece of code or some further explanation? It is especially in the final part (beginning at mqtt.secured()) that I do not know where the values of the variables come from. Many, many thanks already:

#9 (comment)
