Bc66 QSSLOPEN, Error -9, connect to Google Mqtt

Hi,
I’m struggling with setting up MQTT connection to GCP, requiring a proper SSL connection.

SSL is configured and certificates uploaded.

AT+QSSLCFG=3,5,“seclevel”,2
AT+QSSLCFG=3,5,“cacert”,1906
AT+QSSLCFG=3,5,“clientcert”,1101
AT+QSSLCFG=3,5,“clientkey”,1706

Still opening a connection does not work.

AT+QSSLOPEN=3,5,“mqtt.googleapis.com”,8883
OK

+QSSLOPEN,3,5,-9

Any hints what might went wrong?
Any chance to verify that BC66 interprets/parses the certificate correctly.

Your help is much appreciated.

hi, chris5:
I suggest that you first use the MQTT.fx tool to test the correctness of the relevant CA certificates and the connectivity of the MQTT server.
Second, you should refer to our MQTT instruction manual for implementation procedures and read the instructions carefully.

Hi Herbert.pan-Q,
The certificates works using WiFi on raspberry pi, incl. subscribing to topics.

I checked internet connectivity using ntp sync on the BC66. So seems fine.

My main question on certificate upload is, can I simply copy and paste the content of the pem file. Including \n\r line breaks and intro statements like -----begin certificate? Or do linebreaks need to be stripped away.

Is there anyway to download the certificates to see if they are properly uploaded?

Thanks
Chris

Please refer to the following two manuals：
Quectel_LTE_Standard_FILE_Application_Note_V1.1.pdf (333.7 KB)
Quectel_BC66&BC66-NA_MQTT_Application_Note_V2.0.pdf (3.7 MB)

So I connected to google IoT Core via MQTT.fx.
See config:

mqtt_ssl_conf699×485 32.5 KB

I connected to BC66 via UART over USB - minicom. After AT commands there is still no SSL connection established. Neither the original PEM, nor removing line breaks etc. showed any effect.

mqtt_bc66_cacert_11215×611 53 KB

mqtt_bc66_cacert_21192×438 47.6 KB

The LTE STandard Reference is not really helpful as BC66 seems not to support AT+QFLST (it’s for BG96 right)

hi,
If you still have not successfully connected to Google MQTT server, I suggest you perform relevant operations on the Win10 system through the reference manual.

hi, chris5:
I suggest you use Azure platform for debugging according to our manual. According to the current feedback, there are many exceptions in the CA certificate process when connecting to other MQTT servers.

Hi Herbert,
thanks for your pointers so far. I might have found the problem: I think the CIPHER Suite of GCP is too heavy for the BC66.

So after

openssl s_client -connect mqtt.googleapis.com -tls1_2

I receive the server certificate and the CIPHER Suite used is:

ECDHE-RSA-CHACHA20-POLY1305

No ciphersuite mentioned as secure or recommended on https://ciphersuite.info/ is actually supported by BC66 (all supported ones are rated weak).

Is there any chance, BC66 will upgrade the supported cipher list with a new firmware?

Hi @herbert.pan-Q,
I now shifted to using LWM2M. It works when using no encryption. Once I shift to LWM2M with PSK it does not work.

Is there a chance that the encryption on the chip is somehow faulty in general or is there a major configuration problem that can be easily resolved?

@WizIO I’m using olimex Nbiot module. Is there anything on the Nbiot module that could harm encryption.

Kind regards Chris.

Thank you for this suggestion. I downloaded the respective certificates and tested the connection to the different broker with MQTT.fx. All works fine.

Still, I receive

AT+QSSLOPEN=1,5,“mqtt.2030.ltsapis.goog”,8883,0
OK

+QSSLOPEN: 1,5,-9

Accordingly AT+QMTOPEN (after setting up according to BC66 manual) gives.

+QMTOPEN: 1,-1

So I can’t even send the client_id and use private key + JWT as the SSL connection can not be established.

Interestingly the message does not change, when I change the url to “xyz.com” and port to 3388. Once I switch back to seclevel,0 at least QSSLOPEN works, but connection is closed after some seconds.

If I change the “cacert” to random content or anything, than I receive the same error.

Is there any way to debug this? “debug”,4 also does not give any output.