Hi all,
I’m new to Mbed, and am in the process of building a custom board based on the NRF52840 with a cell modem. Ultimately I need to do secure MQTT publish and subscribe.
So far I brought up the cell modem, and I’ve been able to send and receive insecure MQTT messages. I’m now getting stuck incorporating TLS for securing MQTT. Here’s what I’ve done so far:
- I started with the mbed-os-example-cellular example from Mbed (an example based on the mbed-os cellular APIs), which worked great.
- I then added MQTT using the ARMmbed/mbed-mqtt library from GitHub (Mbed OS MQTT and MQTT-SN library, based on the Eclipse Paho project), which also worked great.
- My understanding is that this library should work as-is once I have a TLSSocket up.
- I then tried switching the TCPSocket to a TLSSocket, and now I’m getting errors.
This is the error I’m seeing now:
mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Here’s a snippet of the code (simplified, with error handling removed):
#include "mbed.h"
#include "TLSSocket.h"
#include "MQTTClientMbedOs.h"   // MQTTClient from ARMmbed/mbed-mqtt (headers assumed for this snippet)

auto * socket = new TLSSocket;
socket->open(iface); // iface is a CellularContext
socket->set_root_ca_cert(SSL_ROOT_CA_PEM);                   // broker's CA chain, PEM string
socket->set_client_cert_key(SSL_CERT_PEM, SSL_PRIV_KEY_PEM); // client cert + key for mutual TLS
SocketAddress addr;
iface->gethostbyname("my-mqtt-server-here.com", &addr);
addr.set_port(8883);
// Note: connecting by SocketAddress leaves the TLS hostname unset, so the server name is
// not checked against the certificate; TLSSocket::connect(host, port) or set_hostname() sets it.
socket->connect(addr); // this is where the error occurs
MQTTClient client{socket};
MQTTPacket_connectData data = MQTTPacket_connectData_initializer;
client.connect(data);
// ...
// then the rest of the MQTT code is afterwards
// ...
I can see the SSL handshake is failing, but I don’t know why. I’ve been trying to read through all the MbedTLS docs that I can, but I’m having a hard time figuring out what needs to happen on an embedded target running Mbed OS instead of a desktop OS.
Some of the things I’ve run across that I’m wondering about are:
- I’ve seen mention of clock time for SSL. Do I need to have time provided? Does that get done automatically, or do I have to manually add/configure something here?
- There’s an NTP library that I’ve tested and can get the NTP timestamp from the CellularContext iface. Do I have to define my own mbedtls_platform_gmtime_r() function?
- How about entropy? Do I need to specify an entropy source as well?
Any help is appreciated and thank you in advance!
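Added example (not code from the post above, from Mbed OS or from mbedtls): the time question is worth understanding on its own, because when MBEDTLS_HAVE_TIME_DATE is enabled mbedtls compares the peer certificate's notBefore/notAfter with the platform clock, and on a board whose RTC still reads 1970 every current certificate is "not yet valid", which surfaces as the same -0x2700 verify failure as a wrong CA. The block below models that date check in plain C++ so it runs off-target: it parses X.509 validity times as they appear on the wire (UTCTime and GeneralizedTime), compares them with a clock value, converts an NTP timestamp to Unix time, and shows an unset clock failing where an NTP-synced one passes. The flag constants mirror the mbedtls names but are this example's own definitions, and the validity window and clock values are constructed for the demonstration.

```cpp
// Added example: models the notBefore/notAfter part of certificate verification.
// Not mbedtls code; flag values and helper names are this example's own.
#include <cstdint>
#include <cstdio>
#include <string>

// Mirror the mbedtls X.509 verify flags for the two date outcomes (assumed values).
constexpr uint32_t BADCERT_EXPIRED = 0x01;   // notAfter is in the past
constexpr uint32_t BADCERT_FUTURE  = 0x200;  // notBefore is in the future

// Days from 1970-01-01 to y-m-d in the proleptic Gregorian calendar
// (Howard Hinnant's days_from_civil), so no dependency on the host's tz code.
static int64_t days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    const int era = (y >= 0 ? y : y - 399) / 400;
    const int yoe = y - era * 400;
    const int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    const int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097LL + doe - 719468;
}

// Parse an X.509 validity time: UTCTime "YYMMDDHHMMSSZ" (two-digit year, RFC 5280
// rule: 50-99 => 19xx, 00-49 => 20xx) or GeneralizedTime "YYYYMMDDHHMMSSZ".
// Returns false on malformed input instead of guessing.
bool parse_x509_time(const std::string &s, int64_t &unix_out) {
    size_t ylen;
    if (s.size() == 13) ylen = 2;
    else if (s.size() == 15) ylen = 4;
    else return false;
    if (s.back() != 'Z') return false;
    for (size_t i = 0; i + 1 < s.size(); ++i)
        if (s[i] < '0' || s[i] > '9') return false;
    auto num = [&](size_t pos, size_t len) { return std::stoi(s.substr(pos, len)); };
    int year = num(0, ylen);
    if (ylen == 2) year += (year >= 50) ? 1900 : 2000;
    const size_t p = ylen;
    const int mon = num(p, 2), day = num(p + 2, 2);
    const int hh = num(p + 4, 2), mm = num(p + 6, 2), ss = num(p + 8, 2);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 60)
        return false;
    unix_out = days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
    return true;
}

// Convenience wrapper: parsed Unix time, or -1 if the string is malformed.
int64_t x509_time_to_unix(const std::string &s) {
    int64_t t;
    return parse_x509_time(s, t) ? t : -1;
}

// The date portion of verification: compare the validity window with the clock
// and return the verify flags that would be raised (0 means the dates are fine).
uint32_t check_validity_window(const std::string &not_before,
                               const std::string &not_after, int64_t now) {
    int64_t nb, na;
    if (!parse_x509_time(not_before, nb) || !parse_x509_time(not_after, na))
        return BADCERT_EXPIRED | BADCERT_FUTURE; // unparsable dates: treat as invalid
    uint32_t flags = 0;
    if (now < nb) flags |= BADCERT_FUTURE;
    if (now > na) flags |= BADCERT_EXPIRED;
    return flags;
}

// NTP timestamps count seconds since 1900-01-01; Unix time since 1970-01-01.
constexpr int64_t NTP_UNIX_OFFSET = 2208988800LL;
int64_t ntp_to_unix(uint32_t ntp_seconds) {
    return static_cast<int64_t>(ntp_seconds) - NTP_UNIX_OFFSET;
}

int main() {
    // Constructed validity window: 2021-01-01 .. 2031-01-01, in UTCTime form.
    const std::string not_before = "210101000000Z";
    const std::string not_after  = "310101000000Z";
    // Three clocks: RTC never set (epoch), NTP-synced (2022-01-01), and far future.
    const int64_t clocks[] = { 0, ntp_to_unix(3849984000u), 2000000000LL };
    for (int64_t now : clocks) {
        const uint32_t flags = check_validity_window(not_before, not_after, now);
        std::printf("clock=%lld flags=0x%x%s%s\n", static_cast<long long>(now), flags,
                    (flags & BADCERT_FUTURE) ? " (not yet valid)" : "",
                    (flags & BADCERT_EXPIRED) ? " (expired)" : "");
    }
    return 0;
}
```

The practical reading of this on the target: whatever clock mbedtls reads (on Mbed OS that is the time() the RTC backs, which set_time() sets) has to be correct before the handshake, so an NTP sync belongs before connect(), not after it. To confirm that the dates rather than the CA are the cause, expand the verify flags with mbedtls_x509_crt_verify_info() instead of inferring from the -0x2700 return code, which covers both.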