Bc66 QSSLOPEN, Error -9, connect to Google Mqtt

Hi,
I'm struggling with setting up an MQTT connection to GCP, which requires a proper SSL connection.

SSL is configured and certificates uploaded.

AT+QSSLCFG=3,5,"seclevel",2
AT+QSSLCFG=3,5,"cacert",1906
AT+QSSLCFG=3,5,"clientcert",1101
AT+QSSLCFG=3,5,"clientkey",1706

Still opening a connection does not work.

AT+QSSLOPEN=3,5,"mqtt.googleapis.com",8883
OK

+QSSLOPEN,3,5,-9

Any hints on what might have gone wrong?
Is there any way to verify that the BC66 interprets/parses the certificate correctly?

Your help is much appreciated.

hi, chris5:
I suggest that you first use the MQTT.fx tool to test the correctness of the relevant CA certificates and the connectivity of the MQTT server.
Second, you should refer to our MQTT instruction manual for implementation procedures and read the instructions carefully.

Hi Herbert.pan-Q,
The certificates work using WiFi on a Raspberry Pi, incl. subscribing to topics.

I checked internet connectivity using NTP sync on the BC66. So that seems fine.

My main question on certificate upload is: can I simply copy and paste the content of the PEM file, including the \n\r line breaks and the header lines like -----BEGIN CERTIFICATE-----? Or do the line breaks need to be stripped away?

Is there any way to download the certificates to see if they are properly uploaded?

Thanks
Chris
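One way to settle the paste question locally, as an added example that is not code from this thread, from Quectel or from any BC66 manual: the script below accepts a PEM either as pasted (with LF or CRLF line endings) or with every line break stripped, checks that the base64 body decodes to a well-formed outer ASN.1 SEQUENCE, and emits a canonical 64-column PEM. Because the modem gives no feedback on certificate content, ruling out a paste defect before upload removes one variable. The sample input is a constructed DER SEQUENCE, not a real certificate, and whether the number after "cacert" in the AT command is the PEM's byte length is an assumption made by pem_byte_length and labelled as such in the code.

```python
"""Sanity-check a PEM certificate before pasting it into a modem.

Added example, not code from the forum thread or from Quectel. It does not
talk to the BC66; it validates the text you intend to upload so that a paste
problem (stripped armor, CRLF line endings, truncated base64) can be ruled
out locally. Standard library only.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_B64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def der_sequence_length(der: bytes) -> int:
    """Return the declared length of the outer ASN.1 SEQUENCE, or raise.

    An X.509 certificate is SEQUENCE { tbsCertificate, signatureAlgorithm,
    signatureValue }, so the first byte must be 0x30 and the declared
    length must cover exactly the remaining bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"declared length {length} != {len(der) - header} body bytes")
    return length


def pem_to_der(text: str) -> bytes:
    """Accept armored PEM with LF or CRLF endings, or the bare base64 body
    with line breaks removed; return the DER bytes or raise ValueError."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").replace("\r", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if lines and lines[0] == BEGIN:
        if lines[-1] != END:
            raise ValueError("BEGIN line present but END line missing")
        lines = lines[1:-1]
    body = "".join(lines)
    if not _B64_BODY.fullmatch(body):
        raise ValueError("body contains characters that are not base64")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from exc
    der_sequence_length(der)               # raises unless the outer SEQUENCE is well formed
    return der


def normalize_pem(text: str) -> str:
    """Canonical PEM: armor lines, 64-column base64, LF endings, trailing LF."""
    b64 = base64.b64encode(pem_to_der(text)).decode("ascii")
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


def check_pem(text: str):
    """(True, canonical PEM) or (False, reason); never raises."""
    try:
        return True, normalize_pem(text)
    except ValueError as exc:
        return False, str(exc)


def pem_byte_length(text: str) -> int:
    """Byte count of the canonical PEM. Assumption, not confirmed by the
    thread: this is the number an upload command wants when it takes a data
    length, as the "cacert",1906 argument in the thread appears to."""
    return len(normalize_pem(text).encode("ascii"))


# ---- constructed sample input: a DER SEQUENCE, not a real certificate ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def make_sample_pem(payload_len: int) -> str:
    """SEQUENCE { OCTET STRING of payload_len zero bytes }, armored with CRLF
    line endings, as a stand-in for a pasted certificate."""
    inner = b"\x04" + _der_len(payload_len) + bytes(payload_len)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *rows, END]) + "\r\n"


if __name__ == "__main__":
    sample = make_sample_pem(100)
    ok, canon = check_pem(sample)
    print(ok, pem_byte_length(sample))
    print(canon)
    print(check_pem("MAMCAQ"))             # truncated base64 -> (False, reason)
```

Run it against the real PEM by passing the file contents to check_pem; a False result names the defect, and a True result gives you the exact text (and, under the assumption above, the byte count) to paste.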

Please refer to the following two manuals:
Quectel_LTE_Standard_FILE_Application_Note_V1.1.pdf (333.7 KB)
Quectel_BC66&BC66-NA_MQTT_Application_Note_V2.0.pdf (3.7 MB)

So I connected to google IoT Core via MQTT.fx.
See config:

[attached screenshots: mqtt_general_conf, mqtt_credential_conf]

I connected to the BC66 via UART over USB (minicom). After the AT commands there is still no SSL connection established. Neither the original PEM nor removing line breaks etc. had any effect.

The LTE Standard reference is not really helpful, as the BC66 seems not to support AT+QFLST (it's for the BG96, right?).

hi,
If you still have not successfully connected to Google MQTT server, I suggest you perform relevant operations on the Win10 system through the reference manual.

I connected successfully via MQTT.fx on my Win10 system. I added the exact same certificates (PEM format) to the BC66. No change.

I now built a dummy Mosquitto server on GCP to test if the BC66 is actually sending anything to the cloud.

Looking at the Wireshark output on GCP:

a) QSSLOPEN with "seclevel" = 0 leads to the BC66 sending at least a TLS Hello to the server.
b) QSSLOPEN with "seclevel" = 1 or 2 leads to the BC66 sending no data at all to the server. It seems it gets stuck before sending/requesting anything. Not sure how to debug this. Any hints?

hi, chris5:
I suggest you use Azure platform for debugging according to our manual. According to the current feedback, there are many exceptions in the CA certificate process when connecting to other MQTT servers.

Hi Herbert,
thanks for your pointers so far. I might have found the problem: I think the cipher suite of GCP is too heavy for the BC66.

So after

openssl s_client -connect mqtt.googleapis.com:8883 -tls1_2

I receive the server certificate, and the cipher suite used is:

ECDHE-RSA-CHACHA20-POLY1305

No ciphersuite mentioned as secure or recommended on https://ciphersuite.info/ is actually supported by BC66 (all supported ones are rated weak).

Is there any chance that the BC66's supported cipher list will be upgraded in a new firmware?
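To make the openssl s_client check above repeatable, here is an added example (not code from the thread, from Quectel or from OpenSSL) that parses what s_client prints, classifies the negotiated suite by its OpenSSL name, and reports whether it is one the module can use. The two s_client transcripts are constructed samples in the tool's real output format; CLIENT_SUITES is a placeholder holding only the one suite this thread reports as working with Google, not Quectel's published list. probe_cipher needs network access and the openssl binary, so it is not exercised offline.

```python
"""Parse `openssl s_client` output and compare the negotiated suite with what
a constrained TLS client can use.

Added example, not from the forum thread, Quectel or OpenSSL. Both transcripts
are constructed samples that follow s_client's real output format; the
CLIENT_SUITES placeholder holds only the suite this thread reports as working
with Google, not Quectel's published list. Standard library only.
"""
import re
import subprocess

# Placeholder, not the module's real list: the one suite named in the thread.
CLIENT_SUITES = {"ECDHE-ECDSA-AES128-GCM-SHA256"}

# Constructed: a successful TLS 1.2 handshake as s_client reports it.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=1 C = XX, O = Example CA, CN = Example Intermediate
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
"""

# Constructed: the server rejected every offered suite.
SAMPLE_FAIL = """\
CONNECTED(00000003)
error:...:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:...
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

NEW_LINE = re.compile(r"^New, (?P<proto>\S+), Cipher is (?P<cipher>\S+)$", re.M)
KEY_BITS = re.compile(r"^Server public key is (\d+) bit$", re.M)
KX_WORDS = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "PSK", "RSA", "SRP"}
AUTH_WORDS = {"RSA", "ECDSA", "PSK", "DSS"}


def parse_s_client(output: str) -> dict:
    """Extract protocol, suite and server key size; connected=False when the
    handshake produced no session ("Cipher is (NONE)" or no summary line)."""
    none = {"connected": False, "protocol": None, "cipher": None, "key_bits": None}
    m = NEW_LINE.search(output)
    if not m or m.group("cipher") == "(NONE)":
        return none
    bits = KEY_BITS.search(output)
    return {"connected": True, "protocol": m.group("proto"), "cipher": m.group("cipher"),
            "key_bits": int(bits.group(1)) if bits else None}


def describe_suite(name: str) -> dict:
    """Split an OpenSSL suite name (KX-AUTH-CIPHER-MAC) into what matters when
    judging fit: key exchange, authentication, forward secrecy, AEAD."""
    parts = name.split("-")
    if parts[0] in KX_WORDS:
        kx = parts[0]
        auth = parts[1] if len(parts) > 1 and parts[1] in AUTH_WORDS else kx
    else:                       # names like AES128-SHA imply RSA key transport
        kx = auth = "RSA"
    return {"kx": kx, "auth": auth,
            "forward_secrecy": kx in {"ECDHE", "DHE", "EDH"},
            "aead": any(tok in name for tok in ("GCM", "CCM", "CHACHA20"))}


def diagnose(result: dict, client_suites=CLIENT_SUITES) -> str:
    """One-line verdict on a parsed s_client result."""
    if not result["connected"]:
        return "no TLS session: the server rejected every suite that was offered"
    cipher = result["cipher"]
    if cipher in client_suites:
        return f"{cipher} negotiated over {result['protocol']}; the client supports it"
    return (f"{cipher} negotiated with OpenSSL's default offer, which the client does "
            f"not support; re-run with -cipher for each of {sorted(client_suites)}")


def probe_cipher(host: str, port: int, suite: str, timeout: int = 30) -> dict:
    """Live check (needs network and the openssl binary; not run offline):
    offer exactly one TLS 1.2 suite and see whether the server accepts it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-tls1_2", "-cipher", suite]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_s_client(proc.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        res = parse_s_client(sample)
        print(res, describe_suite(res["cipher"]) if res["cipher"] else "", sep="\n")
        print(diagnose(res))
```

The point of probe_cipher is that a default s_client run only shows what the server picks from OpenSSL's wide offer; offering one suite at a time tells you whether the server will accept a suite the module actually has, which is the question the thread is circling.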

Hi @herbert.pan-Q,
I now shifted to using LWM2M. It works when using no encryption. Once I shift to LWM2M with PSK it does not work.

Is there a chance that the encryption on the chip is somehow faulty in general or is there a major configuration problem that can be easily resolved?

@WizIO I'm using an Olimex NB-IoT module. Is there anything on the NB-IoT module that could harm encryption?

Kind regards, Chris.

For Google MQTT … Google uses a "long CA" … look at the Google documentation:
https://cloud.google.com/iot/docs/how-tos/mqtt-bridge
ECDHE-ECDSA-AES128-GCM-SHA256 works for Google.
You need "your" Google URL, and for the password you need the private key + JWT token.

On NB-IoT the SSL handshake takes about 8 … 15 seconds.
The BC66 kernel uses lwIP and mbedTLS, and this "combination" works for ALL clouds.
I have no idea if the AT command kernel can handle full SSL/TLS.

Thank you for this suggestion. I downloaded the respective certificates and tested the connection to the different broker with MQTT.fx. All works fine.

Still, I receive

AT+QSSLOPEN=1,5,"mqtt.2030.ltsapis.goog",8883,0
OK

+QSSLOPEN: 1,5,-9

Accordingly, AT+QMTOPEN (after setting up according to the BC66 manual) gives:

+QMTOPEN: 1,-1

So I can't even send the client_id and use the private key + JWT, as the SSL connection cannot be established.

Interestingly, the message does not change when I change the URL to "xyz.com" and the port to 3388. Once I switch back to "seclevel",0, at least QSSLOPEN works, but the connection is closed after some seconds.

If I change the "cacert" to random content or anything else, then I receive the same error.

Is there any way to debug this? "debug",4 also does not give any output.