Bc66 QSSLOPEN, Error -9, connect to Google Mqtt

chris5 · September 13, 2021, 7:49pm

Hi,
I’m struggling with setting up MQTT connection to GCP, requiring a proper SSL connection.

SSL is configured and certificates uploaded.

AT+QSSLCFG=3,5,“seclevel”,2
AT+QSSLCFG=3,5,“cacert”,1906
AT+QSSLCFG=3,5,“clientcert”,1101
AT+QSSLCFG=3,5,“clientkey”,1706

Still opening a connection does not work.

AT+QSSLOPEN=3,5,“mqtt.googleapis.com”,8883
OK

+QSSLOPEN,3,5,-9

Any hints what might went wrong?
Any chance to verify that BC66 interprets/parses the certificate correctly.

Your help is much appreciated.

herbert.pan-Q · September 15, 2021, 7:52am

hi, chris5:
I suggest that you first use the MQTT.fx tool to test the correctness of the relevant CA certificates and the connectivity of the MQTT server.
Second, you should refer to our MQTT instruction manual for implementation procedures and read the instructions carefully.

chris5 · September 15, 2021, 4:39pm

Hi Herbert.pan-Q,
The certificates works using WiFi on raspberry pi, incl. subscribing to topics.

I checked internet connectivity using ntp sync on the BC66. So seems fine.

My main question on certificate upload is, can I simply copy and paste the content of the pem file. Including \n\r line breaks and intro statements like -----begin certificate? Or do linebreaks need to be stripped away.

Is there anyway to download the certificates to see if they are properly uploaded?

Thanks
Chris

herbert.pan-Q · September 16, 2021, 12:54am

Please refer to the following two manuals：
Quectel_LTE_Standard_FILE_Application_Note_V1.1.pdf (333.7 KB)
Quectel_BC66&BC66-NA_MQTT_Application_Note_V2.0.pdf (3.7 MB)

chris5 · September 19, 2021, 6:16pm

So I connected to google IoT Core via MQTT.fx.
See config:

mqtt_general_conf mqtt_credential_conf

I connected to BC66 via UART over USB - minicom. After AT commands there is still no SSL connection established. Neither the original PEM, nor removing line breaks etc. showed any effect.

The LTE STandard Reference is not really helpful as BC66 seems not to support AT+QFLST (it’s for BG96 right)

herbert.pan-Q · September 22, 2021, 1:24am

hi,
If you still have not successfully connected to Google MQTT server, I suggest you perform relevant operations on the Win10 system through the reference manual.

chris5 · September 22, 2021, 8:08pm

I connected successfully via MQTT.fx on my Win10 system. I added the exact certificates (PEM) format to BC66. No change.

I now built a dummy mosquitto server on GCP to test, if BC66 is actually sending anything to the cloud.

Looking at the wireshark output on the GCP:

a) QSSLOpen with “seclevel” = 0 leads to BC66 sending at least a TLS - Hello to the server
b) QSSLOpen with “seclevel” = 1,2 leads to BC66 sending no data at all to the server. It seems it gets stuck already before sending/requesting anything. Not sure how to debug this. Any hints?

herbert.pan-Q · September 23, 2021, 3:14am

hi, chris5:
I suggest you use Azure platform for debugging according to our manual. According to the current feedback, there are many exceptions in the CA certificate process when connecting to other MQTT servers.

chris5 · September 23, 2021, 9:19am

Hi Herbert,
thanks for your pointers so far. I might have found the problem: I think the CIPHER Suite of GCP is too heavy for the BC66.

So after

openssl s_client -connect mqtt.googleapis.com -tls1_2

I receive the server certificate and the CIPHER Suite used is:

ECDHE-RSA-CHACHA20-POLY1305

No ciphersuite mentioned as secure or recommended on https://ciphersuite.info/ is actually supported by BC66 (all supported ones are rated weak).

Is there any chance, BC66 will upgrade the supported cipher list with a new firmware?

chris5 · September 27, 2021, 6:20pm

Hi @herbert.pan-Q,
I now shifted to using LWM2M. It works when using no encryption. Once I shift to LWM2M with PSK it does not work.

Is there a chance that the encryption on the chip is somehow faulty in general or is there a major configuration problem that can be easily resolved?

@WizIO I’m using olimex Nbiot module. Is there anything on the Nbiot module that could harm encryption.

Kind regards Chris.

WizIO · October 1, 2021, 5:30am

for GOOGLE MQTT … google use “long ca” … look google documentation
https://cloud.google.com/iot/docs/how-tos/mqtt-bridge
ECDHE-ECDSA-AES128-GCM-SHA256 work for google
you need “your” google URL and for password you need private key + JWT token

NB-IoT - SSL handshake is about 8 … 15 seconds
BC66 kernel use lwIP - mbedTLS and this “combination” work for ALL clouds
I have no idea if ATCommands kernel can handle full SSL/TLS

chris5 · October 1, 2021, 5:31pm

Thank you for this suggestion. I downloaded the respective certificates and tested the connection to the different broker with MQTT.fx. All works fine.

Still, I receive

AT+QSSLOPEN=1,5,“mqtt.2030.ltsapis.goog”,8883,0
OK

+QSSLOPEN: 1,5,-9

Accordingly AT+QMTOPEN (after setting up according to BC66 manual) gives.

+QMTOPEN: 1,-1

So I can’t even send the client_id and use private key + JWT as the SSL connection can not be established.

chris5 · October 1, 2021, 5:41pm

Interestingly the message does not change, when I change the url to “xyz.com” and port to 3388. Once I switch back to seclevel,0 at least QSSLOPEN works, but connection is closed after some seconds.

If I change the “cacert” to random content or anything, than I receive the same error.

Is there any way to debug this? “debug”,4 also does not give any output.