TLS/SSL connections to IoT hub while using MQTT Directly as a Device (Sierra Wireless HL7800, STM32) RRS feed

  • Question

  • Hi everyone,

    Apologies, but I have had to remove the reference links and my debug image because of limitations on my account which I am currently trying to verify. However, I want to get this post out there to get some feedback as soon as possible

    For a little context, I am trying to write a firmware application for an STM32 board that uses the Sierra Wireless HL7800 module to publish JSON data via MQTT. I am using Eclipse Paho's lowest level packet serialization library to create packets and send them over TCP (MQTTPacket: LINK) via the AT commands available to me. I have tested this functionality with a public test broker on Port 1883 - building a simple QOS 0 CONNECT, PUBLISH and DISCONNECT, and then sending the packets with a JSON data payload through a TCP connection opened on the HL module. 

    However, now I need to send this data to an Azure IoT hub interface instance. Azure specifies that you MUST use TLS/SSL when connecting and sending data via MQTT (LINK TO TSL/SSL AZURE DOCS). I cannot use the Azure C SDK because of some specific constraints on my embedded system, so I am following their steps to connect directly as a device (LINK TO AZURES SPECIFiCATION ABOUT USING MQTT DIRECTLY). This specifies building a MQTT CONNECT packet with specific parameters, including a PASSWORD field that is an SAS token which I have generated on the Azure side and is currently hard-coded in my firmware. 

    However, when attempting to repeat the same process as I did on the public broker (this time on Port 8883), I do not seem to be successfully receiving data, and actually do not receive any indication on Azure side that a CONNECT packet is being sent at all. I assumed that simply filling the CONNECT packet parameters as specified would work. 

    I do receive an acknowledgement that KTCPSND was successful and it was expecting more characters (+KTCP_NOTIF: 1,8) (just checked the command spec and I think I need to change my data length to not include the EOF pattern, but I think this issue is secondary since the KTCPSND command works fine when sending on to the public broker and it still throws me the same notification). 

    So my question is this: I am suspicious about Azure's TSL/SSL specification. Is the problem that simply adding the correct SAS token as the password to my CONNECT packet is not sufficient, and I also need to store the Root CA on my HL7800 using KCERTSTORE and then somehow tell it to reference the cert when opening a TCP connection? Or should it just be automatically be handling the TLS handshake when opening the TCP connection if I specify a cipher suite to use? I have tried explicitly specifying a Cipher Suite to use when configuring a the TCP connection to Azure, which doesn't seem to change anything. I have to admit to a certain level of ignorance about how all of this resolved in a more constrained environment.

    What is especially weird to me is that the unsolicited notifications from the HL7800 module indicated that a TCP connection is successfully opened (+KCNX_IND: 1,1,0 and +KTCP_IND: 1,1), data is successfully being sent (+KTCP_NOTIF: 1,8) but I am not receiving an indication of any sort of CONNECT packet on the Azure side (say, in the Operation Monitoring area). Surely it would tell me if there were a detected packet, even if the credentials were incorrect? Or is this not the case?

    Suggestions and input welcomed if you have similar experience working with IoT Hub and MQTT directly. I will be posting a similar discussion to Sierra Wireless' forum and am attempting to contact one of their engineers to talk about the TLS/SSL functionality on this particular module.



    Friday, July 19, 2019 6:34 PM

All replies

  • Hi Charles,

    Please add the links when you have your account validated, will definitely help us understand better the research you did already :).

    Let me try to help\guide you before that:

    "I also need to store the Root CA on my HL7800 using KCERTSTORE and then somehow tell it to reference the cert when opening a TCP connection?" 
    Normaly you need to add the Baltimore certificate on the device if it doesn't has it on KCERTSTORE. For example Azure IoT SDK C does it like this:

    "Surely it would tell me if there were a detected packet, even if the credentials were incorrect? Or is this not the case?"

    Please help us understand how you create the SAS Token? Do you use 
    Azure IoT Tools for Visual Studio Code and follow this process?

    1. Expand the AZURE IOT HUB DEVICES tab in the bottom left corner of Visual Studio Code.

    2. Right-click your device and select Generate SAS Token for Device.

    3. Set expiration time and press 'Enter'.

    4. The SAS token is created and copied to clipboard.


    Monday, July 22, 2019 3:09 PM
  • Hi Charles,

    Did you have a chance to look at questions above?

    Thank you.

    Friday, July 26, 2019 6:17 PM