I'm trying to connect to Mosquitto Broker from an STM32 Azure RTOS environment using certificates that work from Paho MQTT clients

AShap.3
Associate III

My program, linked with Paho SDK C library, works fine connecting to a UNIX-hosted Mosquitto MQTT Broker. The required SSL/TLS connection involved self-signed certificate generation. Those same client certificate sets work with "MQTT Explorer" and MQTT-spy. The 3 required certificates in each client-set are:

  1. Server Certificate (CA),
  2. Client Certificate, and
  3. Client Key

They are generated using OpenSSL from the terminal and are all in PEM (text) x509 format, and constitute the minimum certificate information that must be built in and handled by each client. The program I'm developing talks to my Mosquitto Broker configured with:

  • listener 8883
  • cafile ...path to.../ca.crt
  • certfile ...path to.../broker.crt
  • keyfile ...path.../broker.key
  • require_certificate true
  • use_identity_as_username true

Quite straightforward with Paho SDK. Clients connected - all working great!

I need to get this client program working on an STM32 board. I have ST.com MQTT example code running against mosquitto.org's test broker. I implemented a Mosquitto Broker on my LAN, to which all my Paho SDK programs connect, but the converted MQTT example code does not. (The Azure SDK is horribly complicated). I had my STM32 board client-program working with anonymous access over SSL/TLS with one certificate installed.

nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR *)ca_crt_der, sizeof(ca_crt_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
 
(returns TX_SUCCESS here)
 
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
 
(returns TX_SUCCESS here too)

That only introduces one of the 3 required certificates, with the PEM/x509 format converted to a C header hex-code array using:

openssl base64 -d -in ../ca/ca.crt -out ca.crt.der
xxd -i ca.crt.der > ca.crt.der.h

I cannot figure out how to properly extend this certificate introduction code to include all three (required) certificates needed for SSL/TLS connections.

I have tried adding one more "initialize"/"add" block:

nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR *)client_crt_der, sizeof(client_crt_der), NX_NULL, 0, (UCHAR *)client_key_der, sizeof(client_key_der), NX_SECURE_X509_KEY_TYPE_EC_DER);
 
(Returns fail (0x18a) here)
 
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);

Here, the client_key_der was produced using:

openssl ec -inform pem -in client.key -outform der -out client.key.der
xxd -i client.key.der > client.key.der.h

I've also tried 3 separate "initialize"/"add" blocks without treating the client.key info as a different info-type, i.e., the initial ca_crt_der (above) followed by these two "initialize"/"add" blocks:

nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)client_crt_der, (USHORT)sizeof(client_crt_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
 
(returns TX_SUCCESS here)
 
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
 
(Returns fail (0x4d) here)
 
nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)client_key_der, (USHORT)sizeof(client_key_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);

I have no idea where to go from here. The Microsoft documentation does not seem to indicate how I should integrate the additional certificates. Do I need to create more space? Am I OK reusing the TLS_session_ptr and trusted_certificate_ptr structures, i.e. does the nx_secure_tls_trusted_certificate_add() copy the passed structure data or should I allocate new structure space? What else do I need to try?

I'm fumbling around like I'm flying a helicopter in the fog.

Any help would be appreciated.

JVand.12
Associate II

Just in case you haven't, test the functioning of the Azure client without the security so at the least you know that it works. I have successfully used the insecure mode of the NetX mqtt client code, but not the secure mode. However, I used TLS code in other embedded environments and you must be aware of the cryptographic suite limitations. For example per https://learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-secure-tls/chapter1 "ECDH-based ciphersuites are not supported. Use ECDHE instead." There are probably more limitations.

Guillaume K
ST Employee

nx_secure_tls_trusted_certificate_add() is for certificates of servers you are connecting to.

So you need to call it only with the server certificate.

For your own device certificate (client certificate) I think you should use nx_secure_tls_local_certificate_add().

I don't know if there are other functions to call if you want to connect to a TLS server with client certificate.

Another point: make sure to use binary DER certificates with netxduo functions, not PEM.

I see no need to use the openssl base64 conversion you mention:

openssl base64 -d -in ../ca/ca.crt -out ca.crt.der

If your certificates are in PEM format (clear text ASCII with "-----BEGIN ...-----" / "-----END ...-----" header and trailer lines) you can convert them to binary DER with:

openssl x509 -inform PEM -in ../ca/ca.crt -outform DER -out ca.crt.der
xxd -i ca.crt.der > ca.crt.der.h
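An added example, not code from this thread or from ST/Microsoft: a Python version of the PEM-to-DER-to-C-header step above, plus a sanity check that the bytes going into the firmware are one complete DER SEQUENCE (what the NetX Secure X.509 parser consumes). It shows why running `openssl base64 -d` over a whole PEM file is not enough: the BEGIN/END lines are not part of the base64 body. The sample PEM is constructed and is not a real certificate.

```python
"""PEM -> DER -> C header, the way `openssl x509 -outform DER` + `xxd -i` do it."""
import base64
import re

# One PEM block: armour lines around a base64 body (CERTIFICATE, EC PRIVATE KEY, ...).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der(pem: bytes) -> bytes:
    """Strip the armour and base64-decode only the body between BEGIN and END."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).split())          # drop line breaks inside the body
    return base64.b64decode(body, validate=True)  # reject any stray non-base64 text


def der_outer_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) with a matching length.

    Certificates and DER-encoded keys are outer SEQUENCEs; PEM text starts with
    '-' and fails immediately, as does a blob with trailing or missing bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                              # short form: length in one byte
        length, hdr = first, 2
    else:                                         # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def to_c_header(name: str, der: bytes) -> str:
    """Emit the `unsigned char name[]` / `unsigned int name_len` layout of `xxd -i`."""
    if not der_outer_length_ok(der):
        raise ValueError(f"{name}: not a single DER SEQUENCE, refusing to embed it")
    rows = [", ".join(f"0x{b:02x}" for b in der[i:i + 12]) for i in range(0, len(der), 12)]
    return (f"unsigned char {name}[] = {{\n  " + ",\n  ".join(rows) + "\n};\n"
            f"unsigned int {name}_len = {len(der)};\n")


# Constructed sample (assumption, not a real certificate): a SEQUENCE holding INTEGER 5.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(to_c_header("ca_crt_der", pem_to_der(SAMPLE_PEM)))  # same name xxd -i gives ca.crt.der
```

Run it over a real ca.crt, client.crt or client.key instead of SAMPLE_PEM to get the header that the nx_secure_x509_certificate_initialize() calls above consume; the length check fails loudly if the file was still PEM.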