Secure MQTT on an NRF52840

Hi all,

I’m new to Mbed, and am in the process of building a custom board based on the NRF52840 with a Cell modem. Ultimately I need to do secure MQTT publish and subscribe.

So far I brought up the cell modem, and I’ve been able to send and receive insecure MQTT messages. I’m now getting stuck incorporating TLS for securing MQTT. Here’s what I’ve done so far:

This is the error I’m seeing now:

mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Here’s a snippet of the code (simplified, with error handling removed):

auto * socket = new TLSSocket;
socket->open(iface); // iface is a CellularContext
socket->set_root_ca_cert(SSL_ROOT_CA_PEM);
socket->set_client_cert_key(SSL_CERT_PEM, SSL_PRIV_KEY_PEM);
SocketAddress addr;
iface->gethostbyname("my-mqtt-server-here.com", &addr);
addr.set_port(8883);
socket->connect(addr); // this is where the error occurs

MQTTClient client{socket};
MQTTPacket_connectData data = MQTTPacket_connectData_initializer;
client.connect(data);
// ...
// then the rest of the MQTT code is afterwards
// ...

I can see the SSL handshake is failing, but I don’t know why. I’ve been trying to read through all the MbedTLS docs that I can, but I’m having a hard time figuring out what needs to happen on an embedded target running Mbed OS instead of a desktop OS.

Some of the things I’ve run across that I’m wondering about are:

  • I’ve seen mention of clock time for SSL. Do I need to have time provided? Does that get done automatically, or do I have to manually add/configure something here?
    • There’s an NTP library that I’ve tested and can get the NTP timestamp from the CellularContext iface. Do I have to define my own mbedtls_platform_gmtime_r() function?
  • How about entropy? Do I need to specify an entropy source as well?

Any help is appreciated and thank you in advance!

Well, turns out I had a copy-paste error in my client certificates… Fixing that resolved all my issues.


Hi @bp_mbed,

In fact I have exactly the same issue with NUCLEO and cellular:

mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed


"Well, turns out I had a copy-paste error in my client certificates… Fixing that resolved all my issues": how did you solve that, and how do you generate the certificate?

Generate Certificate Authority

openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt -subj "/C=RO/ST=Home/L=Home/O=Noralsy/OU=Noralsy/CN=noralsy.com"

Generate server keys and sign it

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key -subj "/C=RO/ST=H/L=Home/O=MQTT Broker/OU=MQTT Broker/CN=127.0.0.1"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
openssl rsa -in server.key -out server.key

and I copy the ca.crt:

const char SSL_CA_PEM[] = "-----BEGIN CERTIFICATE-----\n"
"MIIDoDCCAoigAwIBAgIJAKNRr/+zuXqAMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV\n"
"BAYTAlJPMQ0wCwYDVQQIDARIb21lMQ0wCwYDVQQHDARIb21lMRAwDgYDVQQKDAdO\n"
"b3JhbHN5MRAwDgYDVQQLDAdOb3JhbHN5MRQwEgYDVQQDDAtub3JhbHN5LmNvbTAe\n"
"Fw0yMDA0MDEwMjA4MDdaFw0yMTA0MDEwMjA4MDdaMGUxCzAJBgNVBAYTAlJPMQ0w\n"
"CwYDVQQIDARIb21lMQ0wCwYDVQQHDARIb21lMRAwDgYDVQQKDAdOb3JhbHN5MRAw\n"
"DgYDVQQLDAdOb3JhbHN5MRQwEgYDVQQDDAtub3JhbHN5LmNvbTCCASIwDQYJKoZI\n"
"hvcNAQEBBQADggEPADCCAQoCggEBAKk9x1Zrr/AnXFg8QEszgfdW1QM+s3aHaJpf\n"
"AbXZx6XhZvvploKb9UVNJfZOP5UrYkGYeUFr2VbZR70oMOycdn/wC6cvMGvrYTMR\n"
"LQ/GCOVONADj4DVMixjtY9WIMK39ciULFMY08qJhSWyOF8vEf4AAaWq5lUKlY9FS\n"
"5R6M1x8h7qPGmXTqxDdUQRKcgzd7cqm81aqIZp1D5rLut7vGK8SIJIbig8bGd+8t\n"
"SQ9ah0q4Ne7SfOO2CgowvWZaUTuMXLpJx++ZxOfYozZVj0oncVVpeifakSWDCupr\n"
"kwaE398InSbT8FMqMqkgZ1oqjHmyUXn5OLGeoVCH1ADR3Ka4D6UCAwEAAaNTMFEw\n"
"HQYDVR0OBBYEFHBcW02QHS1dJ9DgSD1eVz5Ds4Y0MB8GA1UdIwQYMBaAFHBcW02Q\n"
"HS1dJ9DgSD1eVz5Ds4Y0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD\n"
"ggEBAIKLb+iCq0+9dxT4i6CpL/d9P8M6t4nlxsrtiiaexXjJzfsxLjTl3RiV70R4\n"
"N009PM3P/g/wFKeWpG9DGxP8YV1UIU97A5RuD/DitVMRnlwqkOniTjy4Jmh9F/yR\n"
"8e+3ez4TDv98c/LZ9JSpUTovePB8adtujNQ+ea5mWgRhgAmaN/0w3zCZ0g705X7j\n"
"5RItUX9FsJkCKPwYW+Vc6XfcN6X3BIRbUukYQI85hm3cbn5TP68ZY8txJL5t5s4d\n"
"7RNMEt6cyJVj3cO7Bjc9s/PZAyFxm3AGC23TtXdE+b/6pubCyU9zwsVI9K6R4WmU\n"
"AgCqMA0PAs8PxcwNSeHXjbxlegk=\n"
"-----END CERTIFICATE-----\n";

Thanks a lot
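Both posts come down to the same failure mode: the CA or client certificate compiled into the firmware does not decode to what the server is presenting, and mbedtls_ssl_handshake() only reports -0x2700. The check below is an added example, not code from either poster or from Mbed OS; it reassembles a PEM block from a C string literal (the SSL_CA_PEM form used in the thread), base64-decodes it and verifies that the outer DER SEQUENCE length matches the decoded size, which catches a dropped, duplicated or mangled line before the board ever tries to connect. It goes beyond the thread's certificate case in that any PEM label (a PKCS#1 or PKCS#8 private key, for instance) gets the same outer-length check; the tiny GOOD_DER sample and its truncated twin are constructed here, and THREAD_CA_C_SOURCE is the CA literal from the reply above with its quotes normalised.

```python
# Added example: sanity-check a PEM block pasted into C source as a string
# literal, so copy-paste damage is caught on the desktop instead of as a
# -0x2700 handshake failure on the target.
import base64
import binascii
import hashlib
import re


def c_literal_to_pem(c_source: str) -> str:
    """Join the double-quoted fragments of a C string literal and unescape "\\n"."""
    fragments = re.findall(r'"((?:[^"\\]|\\.)*)"', c_source)
    return "".join(fragments).replace("\\n", "\n")


def inspect_pem(pem: str) -> dict:
    """Decode one PEM block and check that the DER inside is self-consistent.

    Returns ok=True with the PEM label, DER length and SHA-256 of the DER on
    success, or ok=False with a reason describing the first problem found.
    """
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return {"ok": False, "reason": "no matching BEGIN/END markers"}
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"base64 decode failed: {exc}"}
    # An X.509 certificate and a PKCS#1/PKCS#8 key are each an outer DER
    # SEQUENCE (tag 0x30) whose length field must cover exactly the rest.
    if len(der) < 2 or der[0] != 0x30:
        return {"ok": False, "reason": "DER does not start with a SEQUENCE"}
    if der[1] < 0x80:                      # short-form length
        declared, header = der[1], 2
    else:                                  # long-form: next N bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return {"ok": False, "reason": "malformed DER length"}
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + declared != len(der):
        return {"ok": False, "reason": f"DER length mismatch: header promises "
                                       f"{header + declared} bytes, got {len(der)}"}
    return {"ok": True, "label": label, "der_len": len(der),
            "sha256": hashlib.sha256(der).hexdigest()}


def pem_from_der(label: str, der: bytes) -> str:
    """Wrap DER bytes as a PEM block with 64-character lines (builds the samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: a minimal DER SEQUENCE holding one INTEGER (not a real cert).
GOOD_DER = bytes([0x30, 0x03, 0x02, 0x01, 0xFF])
GOOD_PEM = pem_from_der("CERTIFICATE", GOOD_DER)
# Constructed failure: the same block with trailing data dropped, as a lost
# line in a C literal would look.
TRUNCATED_PEM = pem_from_der("CERTIFICATE", GOOD_DER[:-1])

# The CA literal posted in the reply above, exactly as it would sit in a .cpp file.
THREAD_CA_C_SOURCE = r'''
const char SSL_CA_PEM[] = "-----BEGIN CERTIFICATE-----\n"
"MIIDoDCCAoigAwIBAgIJAKNRr/+zuXqAMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV\n"
"BAYTAlJPMQ0wCwYDVQQIDARIb21lMQ0wCwYDVQQHDARIb21lMRAwDgYDVQQKDAdO\n"
"b3JhbHN5MRAwDgYDVQQLDAdOb3JhbHN5MRQwEgYDVQQDDAtub3JhbHN5LmNvbTAe\n"
"Fw0yMDA0MDEwMjA4MDdaFw0yMTA0MDEwMjA4MDdaMGUxCzAJBgNVBAYTAlJPMQ0w\n"
"CwYDVQQIDARIb21lMQ0wCwYDVQQHDARIb21lMRAwDgYDVQQKDAdOb3JhbHN5MRAw\n"
"DgYDVQQLDAdOb3JhbHN5MRQwEgYDVQQDDAtub3JhbHN5LmNvbTCCASIwDQYJKoZI\n"
"hvcNAQEBBQADggEPADCCAQoCggEBAKk9x1Zrr/AnXFg8QEszgfdW1QM+s3aHaJpf\n"
"AbXZx6XhZvvploKb9UVNJfZOP5UrYkGYeUFr2VbZR70oMOycdn/wC6cvMGvrYTMR\n"
"LQ/GCOVONADj4DVMixjtY9WIMK39ciULFMY08qJhSWyOF8vEf4AAaWq5lUKlY9FS\n"
"5R6M1x8h7qPGmXTqxDdUQRKcgzd7cqm81aqIZp1D5rLut7vGK8SIJIbig8bGd+8t\n"
"SQ9ah0q4Ne7SfOO2CgowvWZaUTuMXLpJx++ZxOfYozZVj0oncVVpeifakSWDCupr\n"
"kwaE398InSbT8FMqMqkgZ1oqjHmyUXn5OLGeoVCH1ADR3Ka4D6UCAwEAAaNTMFEw\n"
"HQYDVR0OBBYEFHBcW02QHS1dJ9DgSD1eVz5Ds4Y0MB8GA1UdIwQYMBaAFHBcW02Q\n"
"HS1dJ9DgSD1eVz5Ds4Y0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQAD\n"
"ggEBAIKLb+iCq0+9dxT4i6CpL/d9P8M6t4nlxsrtiiaexXjJzfsxLjTl3RiV70R4\n"
"N009PM3P/g/wFKeWpG9DGxP8YV1UIU97A5RuD/DitVMRnlwqkOniTjy4Jmh9F/yR\n"
"8e+3ez4TDv98c/LZ9JSpUTovePB8adtujNQ+ea5mWgRhgAmaN/0w3zCZ0g705X7j\n"
"5RItUX9FsJkCKPwYW+Vc6XfcN6X3BIRbUukYQI85hm3cbn5TP68ZY8txJL5t5s4d\n"
"7RNMEt6cyJVj3cO7Bjc9s/PZAyFxm3AGC23TtXdE+b/6pubCyU9zwsVI9K6R4WmU\n"
"AgCqMA0PAs8PxcwNSeHXjbxlegk=\n"
"-----END CERTIFICATE-----\n";
'''


def check_thread_ca() -> dict:
    """Run the check over the CA literal from the thread."""
    return inspect_pem(c_literal_to_pem(THREAD_CA_C_SOURCE))


if __name__ == "__main__":
    for name, pem in (("good sample", GOOD_PEM), ("truncated sample", TRUNCATED_PEM)):
        print(name, inspect_pem(pem))
    print("thread CA", check_thread_ca())
```

To confirm the embedded copy is the file you generated with openssl, compare the reported sha256 with `openssl x509 -in ca.crt -outform DER | sha256sum`; the two must match byte for byte. The same function applied to the SSL_CERT_PEM and SSL_PRIV_KEY_PEM literals from the first post is the quickest way to find which of the three was pasted wrong.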