MQTT over TLS with Bosch MQTT Library
Reply
18. 1. 24 7:09 AM

Hi all,

I am trying to implement the MQTT client on the XDK by using the XDK MQTT API as described in the guideline: http://appropos.de/downloads/xdk/XDK_Guide_MQTT_v3.pdf

I want to secure the MQTT connection with TLS. I would like to know if the MQTT API provides APIs for this. If not, could I apply the solution described in the link below?

https://xdk.bosch-connectivity.com/community/-/message_boards/message/175090

Thanks for your support,

Regards,

0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 1. 24 2:59 PM as a reply to Calvin Cheng.

Hello Calvin,

The library itself does not inherently support MQTTS, as far as I know.

You could first try to modify the target scheme (from mqtt to mqtts). See chapter 4.3, code 8 for that. You can modify the string mqtt_broker_format and it should be detected automatically.

If that does not work, you can try to directly modify the internal socket using the SimpleLink API. The socket that is used for sending messages via the MQTT API is accessible via the session, using the following code snippet:

session.internalSession->socket.Handler


The Handler variable is a reference to the socket used for sending. You can manipulate the socket's settings before sending using the SimpleLink socket API, which you can find in the header file SDK > xdk110 > Libraries > WiFi > 3rd-party > TI > simplelink > include > socket.h.

The relevant function for this is sl_SetSockOpt(). The header file also features some example code for using this, as a comment above the function declaration.

The only other XDK-related guide using the SimpleLink API is the HTTPS guide, available in the XDK Community's Learning section, which also shows how to flash a certificate and set up a secure connection.

Please tell me if this was helpful, and do not hesitate to ask further questions.

Kind regards,
Franjo

0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 1. 31 10:23 AM as a reply to Franjo Stjepandic.

Hi Franjo,

Thanks so much for your support. I tried to follow the HTTPS guideline that you suggested.

Everything seems to work fine, but I get the error 456 when calling the function sl_Connect(). I would like to ask what the meaning of this error code is. Is it the error code returned from the GitHub site? Do we have documentation for this information?

Regards,

0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 1. 31 4:33 PM as a reply to Calvin Cheng.
Hello Calvin,

I am glad that I could provide help on this topic. The error code -456 indicates a bad certificate. Did you ensure that you flashed the root certificate from GitHub.com?

Also, there is indeed documentation about the error codes from the SimpleLink TCP API listed in the implementation file socket.h.

You can find the implementation file socket.h when you browse to:

SDK > xdk110 > Libraries > WiFi > 3rd-party > TI > simplelink > include

Please let me know if that was helpful and feel free to ask if you have further questions.

Kind regards,
Franjo
0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 2. 1 2:43 AM as a reply to Franjo Stjepandic.

Hello Franjo,

Thanks for your help. I made a mistake when exporting the certificate. I chose the .crt format instead of .cer or .der.

Now it works when I export the certificate as a .der file.

Regards,

0 (0 votes)
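The -456 "bad certificate" result and the .crt/.der mix-up above both come down to the encoding of the flashed root CA: the SimpleLink CA slot expects raw DER, while a .crt export is usually base64 PEM. The following is an added example, not code from this thread or from the XDK SDK: it checks whether a CA file is already a single well-formed DER SEQUENCE, converts a PEM export to DER, and rejects truncated or padded files. The helper names (der_length, looks_like_der_cert, pem_to_der, to_der) are this example's own, and the sample certificate body is a constructed minimal DER SEQUENCE, not a real certificate.

```python
"""Check whether a root-CA file is DER-encoded and convert a PEM (.crt)
export to DER. Added example, not code from the thread or the XDK SDK."""
import base64
import re

# Constructed sample: a 5-byte DER SEQUENCE { INTEGER 5 }, not a real
# certificate. Real X.509 files have the same outer SEQUENCE shape.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MAMCAQU=\n"
              b"-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length(buf: bytes) -> int:
    """Total length of the outer DER TLV in buf, or -1 if it is malformed."""
    if len(buf) < 2 or buf[0] != 0x30:      # every X.509 cert starts with SEQUENCE
        return -1
    first = buf[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long-form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_der_cert(buf: bytes) -> bool:
    """True only if buf is exactly one DER SEQUENCE: no truncation, no trailing bytes."""
    return der_length(buf) == len(buf)


def pem_to_der(buf: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM export into DER bytes."""
    m = PEM_RE.search(buf)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    der = base64.b64decode(m.group(1))      # newlines inside the body are ignored
    if not looks_like_der_cert(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return der


def to_der(buf: bytes) -> bytes:
    """Accept either encoding and return DER, the form the CA file slot needs."""
    return buf if looks_like_der_cert(buf) else pem_to_der(buf)


if __name__ == "__main__":
    import sys
    src, dst = sys.argv[1], sys.argv[2]     # e.g. root.crt root.der
    with open(src, "rb") as f, open(dst, "wb") as g:
        g.write(to_der(f.read()))
```

On a PC the same conversion is `openssl x509 -in root.crt -outform DER -out root.der`; the device clock still has to be set before the chain validates, as the code later in this thread does.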
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 2. 1 4:51 PM as a reply to Calvin Cheng.
Hello Calvin,

Glad to hear that you were able to solve the issue.

Since your initial intention was to send MQTT data using TLS, for which I recommended the HTTPS guide as a reference for how to handle sockets using the SimpleLink API, how is your progress on that? Are you still trying to achieve that?

Feel free to ask further questions on that and any other topic.

Kind regards,
Franjo
0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 4. 5 2:28 PM as a reply to Franjo Stjepandic.

Hi,

I am trying to achieve the same as requested in this thread: MQTT over TLS with the MQTT Serval stack, XDK 3.3.0.

Starting from the sample SendDataOverMQTT I modified the code to connect over TLS.

The sample client can connect correctly to my MQTT broker without using TLS.

However, when I switch to the port requiring TLS (8883), I get an exception:

 INFO | XDK DEVICE 1: Setup Serval ...
 INFO | XDK DEVICE 1: Broker address: mqtt://xx.xx.xx.xx:8883
 INFO | XDK DEVICE 1: Return from setting date: 0
 INFO | XDK DEVICE 1: Return from setting path of root certificate: 0
 INFO | XDK DEVICE 1: Return from setting security method: 0
 INFO | XDK DEVICE 1: Return from setting cipher suite: 0
 INFO | XDK DEVICE 1: EventHandler Event : 2
 INFO | XDK DEVICE 1: Unhandled MQTT Event Number: 2
 INFO | XDK DEVICE 1: EventHandler Event : 4
 INFO | XDK DEVICE 1: Unhandled MQTT Event Number: 4

I tried the same using the URL mqtts://xx.xx.xx.xx:8883, but nothing changes.

My modifications of the function ConfigureSession of SendDataOverMQTT.c are as follows:

    printf("Broker address: %s\n\r", MqttBroker);

    // set event handler
    SessionPtr->onMqttEvent = EventHandler;

    // set Connect information
    SessionPtr->MQTTVersion = 3;
    SessionPtr->keepAliveInterval = 100;
    SessionPtr->cleanSession = true;
    SessionPtr->will.haveWill = false;

    StringDescr_T device_name_descr;
    StringDescr_wrap(&device_name_descr, DeviceName);
    SessionPtr->clientID = device_name_descr;

    StringDescr_T username_descr;
    StringDescr_wrap(&username_descr, Username);
    SessionPtr->username = username_descr;

    StringDescr_T password_descr;
    StringDescr_wrap(&password_descr, Password);
    SessionPtr->password = password_descr;

    // set publish Topic as StringDescr
    StringDescr_wrap(&PublishTopicDescription, (const char *)PublishTopic);
    StringDescr_wrap(&(Topics[0]), PublishTopic);
    Qos[0] = MQTT_QOS_AT_MOST_ONE;

    // set subscribe Topic as StringDescr
    StringDescr_wrap(&SubscribeTopicDescription, (const char *)SubscribeTopic);
    StringDescr_wrap(&(TopicsSubscribe[0]), SubscribeTopic);
    QosSubscribe[0] = MQTT_QOS_AT_MOST_ONE;

    // The datetime is required for certificate validation (the NWP checks
    // the certificate's validity period against this clock):
    SlDateTime_t dateTime;
    dateTime.sl_tm_day  = (_u32)1;
    dateTime.sl_tm_mon  = (_u32)1;
    dateTime.sl_tm_year = (_u32)2018;
    dateTime.sl_tm_hour = (_u32)0;
    dateTime.sl_tm_min  = (_u32)0;
    dateTime.sl_tm_sec  = (_u32)0;
    rc = sl_DevSet(SL_DEVICE_GENERAL_CONFIGURATION,
                   SL_DEVICE_GENERAL_CONFIGURATION_DATE_TIME,
                   sizeof(SlDateTime_t),
                   (_u8 *)(&dateTime));
    printf("Return from setting date: %i\n\r", rc);

    //_i16 socketHandle = Session.internal.sl_Socket;
    //_i16 socketHandle = SessionPtr->internal.socket;
    // Allocate a secure (TLS) TCP socket and hand it to the session
    SessionPtr->internal.socket = sl_Socket(SL_AF_INET, SL_SOCK_STREAM, SL_SEC_SOCKET);

    // Set path of root certificate
    rc = sl_SetSockOpt(SessionPtr->internal.socket,
                       SL_SOL_SOCKET,
                       SL_SO_SECURE_FILES_CA_FILE_NAME,
                       CA_FILE_NAME,
                       strlen(CA_FILE_NAME));
    printf("Return from setting path of root certificate: %i\n\r", rc);

    // Set security method
    SlSockSecureMethod secMethod;
    secMethod.secureMethod = SL_SO_SEC_METHOD_SSLv3_TLSV1_2;
    rc = sl_SetSockOpt(SessionPtr->internal.socket,
                       SL_SOL_SOCKET,
                       SL_SO_SECMETHOD,
                       (_u8 *)&secMethod,
                       sizeof(secMethod));
    printf("Return from setting security method: %i\n\r", rc);

    // Set cipher suite SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    SlSockSecureMask mask;
    mask.secureMask = SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
    rc = sl_SetSockOpt(SessionPtr->internal.socket,
                       SL_SOL_SOCKET,
                       SL_SO_SECURE_MASK,
                       &mask,
                       sizeof(mask));
    printf("Return from setting cipher suite: %i\n\r", rc);

How can I fix this?

Thank you for your support.

--Christof

0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 4. 6 9:34 AM as a reply to Christof Strack.
Hello Christof,

Unfortunately, the method I proposed earlier in this thread does not work as expected.

During the function Mqtt_connect(), a new internal socket is allocated. Hence, providing a socket during configuration will not work if Mqtt_connect() is subsequently called.

On top of that, the struct definition of the internal socket (Tcp_Socket_T) is hidden in the ServalStack library since 3.3.1; at least there does not seem to be any reference to this type other than the one provided by PIp.h.

Under these circumstances, it does not seem to be possible to hack around the ServalStack MQTT implementation to apply TLS currently. I will request information on whether it is planned to add a security option to the MQTT library. I imagine that this will be the case at some point, given that there is already a security option for HTTP, which is also based on TCP.

Until then, I think it would be easier to use a third-party library, such as MQTT Paho. Of course, this would currently require some more effort to implement.

To test whether your security options (and the certificate) work, you can also try to use sl_Connect to connect to the server with the already allocated socket. You can find more information on that function in the socket.h file or in the HTTPS guide.

Please tell me if this was helpful, and do not hesitate to ask further questions.

Kind regards,
Franjo
0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 4. 6 2:26 PM as a reply to Franjo Stjepandic.

Hi Franjo,

Thank you for the update.

I already created a device agent for the XDK on the basis of the Paho lib. This agent communicates over MQTT/TLS.

Now I wanted to change the agent to rely only on the MQTT Serval lib and remove the dependency on the Paho lib.

The Serval version of my agent can communicate over MQTT. As security/encryption is a must, it requires TLS.

I would be interested to know when the MQTT Serval lib will be able to use MQTT over TLS.

--Christof

0 (0 votes)
RE: MQTT over TLS with Bosch MQTT Library
Reply
18. 4. 9 3:13 PM as a reply to Christof Strack.
Hello Christof,

I agree that TLS being a part of the MQTT library is a necessity, since it is required for most real-world applications.

I will request information on whether there is a plan in that regard currently, and post it here.

Kind regards,
Franjo
+1 (1 vote)