Arm Mbed and Pelion Device Management support forum

Secure MQTT on an NRF52840

Hi all,

I’m new to Mbed, and am in the process of building a custom board based on the NRF52840 with a Cell modem. Ultimately I need to do secure MQTT publish and subscribe.

So far I brought up the cell modem, and I’ve been able to send and receive insecure MQTT messages. I’m now getting stuck incorporating TLS for securing MQTT. Here’s what I’ve done so far:

This is the error I’m seeing now:

mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Here’s a snippet of the code (simplified, with error handling removed):

auto * socket = new TLSSocket;
socket->open(iface); // iface is a CellularContext
socket->set_root_ca_cert(SSL_ROOT_CA_PEM);
socket->set_client_cert_key(SSL_CERT_PEM, SSL_PRIV_KEY_PEM);
SocketAddress addr;
iface->gethostbyname("my-mqtt-server-here.com", &addr);
addr.set_port(8883);
socket->connect(addr); // this is where the error occurs

MQTTClient client{socket};
MQTTPacket_connectData data = MQTTPacket_connectData_initializer;
client.connect(data);
// ...
// then the rest of the MQTT code is afterwards
// ...

I can see the SSL handshake is failing, but I don’t know why. I’ve been trying to read through all the MbedTLS docs that I can, but I’m having a hard time figuring out what needs to happen on an embedded target running Mbed OS instead of a desktop OS.

Some of the things I’ve run across that I’m wondering about are:

  • I’ve seen mention of clock time for SSL. Do I need to have time provided? Does that get done automatically, or do I have to manually add/configure something here?
    • There’s an NTP library that I’ve tested and can get the NTP timestamp from the CellularContext iface. Do I have to define my own mbedtls_platform_gmtime_r() function?
  • How about entropy? Do I need to specify an entropy source as well?

Any help is appreciated and thank you in advance!

Well, turns out I had a copy-paste error in my client certificates… Fixing that resolved all my issues.

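A structural check for PEM constants such as SSL_CERT_PEM, aimed at the damage that pasting PEM text into C string literals can cause (lost line breaks, stray indentation, truncation). This is an added example, not code from the thread or from Mbed OS; `pem_check`, `PemStatus` and the sample strings are hypothetical, and the base64 in the samples is constructed filler rather than a real certificate.

```cpp
#include <cstdio>
#include <cstring>

enum PemStatus { PEM_OK, PEM_NO_BEGIN, PEM_NO_NEWLINE, PEM_NO_END,
                 PEM_LABEL_MISMATCH, PEM_BAD_CHAR, PEM_BAD_LENGTH };

// Structural check of the first PEM block in a NUL-terminated string.
// It does not parse the DER inside or verify any signature.
PemStatus pem_check(const char *pem)
{
    const char *b = std::strstr(pem, "-----BEGIN ");
    if (!b) return PEM_NO_BEGIN;
    const char *label = b + 11;                       // text after "-----BEGIN "
    const char *label_end = std::strstr(label, "-----");
    if (!label_end) return PEM_NO_BEGIN;
    std::size_t label_len = (std::size_t)(label_end - label);
    const char *body = label_end + 5;
    // Adjacent string literals pasted without "\n" fuse header and body.
    if (*body != '\n' && *body != '\r') return PEM_NO_NEWLINE;
    const char *e = std::strstr(body, "-----END ");
    if (!e) return PEM_NO_END;
    const char *end_label = e + 9;                    // text after "-----END "
    if (std::strncmp(end_label, label, label_len) != 0 ||
        std::strncmp(end_label + label_len, "-----", 5) != 0) return PEM_LABEL_MISMATCH;
    std::size_t n = 0;
    bool padded = false;
    for (const char *p = body; p < e; ++p) {
        char c = *p;
        if (c == '\n' || c == '\r') continue;
        if (c == '=') { padded = true; ++n; continue; }
        bool b64 = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                   (c >= '0' && c <= '9') || c == '+' || c == '/';
        if (!b64 || padded) return PEM_BAD_CHAR;      // stray space, tab, quote
        ++n;
    }
    return (n == 0 || n % 4 != 0) ? PEM_BAD_LENGTH : PEM_OK;
}

// Constructed samples: the base64 is filler, not a real certificate.
const char GOOD[] = "-----BEGIN CERTIFICATE-----\nQUJDREVG\nR0g=\n-----END CERTIFICATE-----\n";
const char FUSED[] = "-----BEGIN CERTIFICATE-----" "QUJDREVGR0g=" "-----END CERTIFICATE-----";
const char INDENTED[] = "-----BEGIN CERTIFICATE-----\n    QUJDREVGR0g=\n-----END CERTIFICATE-----\n";
const char CUT[] = "-----BEGIN CERTIFICATE-----\nQUJDREVGR0\n-----END CERTIFICATE-----\n";

int main()
{
    std::printf("%d %d %d %d\n", pem_check(GOOD), pem_check(FUSED),
                pem_check(INDENTED), pem_check(CUT));
    return 0;
}
```

A string that passes is only well-formed PEM; whether it is the right certificate or key for the broker is still decided by the TLS handshake.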