BG95-M2 Problem with MQTT and TLS

Hello everyone,

I am trying to connect my BG95-M2 to Azure IoT Hub.

I followed the “Example of MQTT Operation with SSL”, and cannot open the TCP_context linked to my SSL_Context. Every time I tried to Open my TCP context, I got back +QMTOPEN: 0,-1.

My certificates and keys are working when I connect to Azure IoT Hub via my computer, and the files within the BG95-M2 have no issue.

Here is my log (I did not add the AT+QFUPL commands as the .pem are already in the storage):

[2020-02-17 15:54:05:065_S:] AT+QMTCFG="ssl",1,1,2 

[2020-02-17 15:54:05:081_R:] OK
[2020-02-17 15:54:13:737_S:] AT+QSSLCFG="cacert",2,"cacert.pem"

[2020-02-17 15:54:13:752_R:] OK
[2020-02-17 15:54:19:479_S:] AT+QSSLCFG="clientcert",2,"client.pem"

[2020-02-17 15:54:19:479_R:] OK
[2020-02-17 15:54:25:709_S:] AT+QSSLCFG="clientkey",2,"user_key.pem"

[2020-02-17 15:54:25:725_R:] OK
[2020-02-17 15:54:33:949_S:] AT+QSSLCFG="seclevel",2,2 

[2020-02-17 15:54:33:964_R:] OK
[2020-02-17 15:54:39:272_S:] AT+QSSLCFG="sslversion",2,4

[2020-02-17 15:54:39:272_R:] OK
[2020-02-17 15:54:44:362_S:] AT+QSSLCFG="ciphersuite",2,0XFFFF

[2020-02-17 15:54:44:378_R:] OK
[2020-02-17 15:54:50:681_S:] AT+QSSLCFG="ignorelocaltime",2,1

[2020-02-17 15:54:50:696_R:] OK
[2020-02-17 15:55:00:468_S:] AT+QMTOPEN=1,"14.95.15.251",8883

[2020-02-17 15:55:00:483_R:] OK

[2020-02-17 15:55:03:346_R:] DSR:0 CTS:1 (RI:1) DCD:0

[2020-02-17 15:55:03:362_R:] +QMTOPEN: 1,-1

[2020-02-17 15:55:03:479_R:] DSR:0 CTS:1 (RI:0) DCD:0

I suppose there is something wrong with my SSL configuration as I can open a TCP port when I enable SSL and do not change the default configuration (obviously I can’t connect after that).

This Azure documentation tells us that we can use the MQTT protocol directly. Is it possible to use this and not the CA certificates to connect to Azure with the BG95-M2 ?
I tried it anyway but I am stuck at the connection step, where I got back +QMSTAT:2,3.

Thanks in advance,

Thomas

For Azure you need shared access signature ( SAS ) as MQTT user-password
PS: and with CA or without CA, without client certificates

Okay but I would place this SAS token as the password during the connection step (as I do in the second part without using the CA certificates). But I am stuck right now at the Opening step when using the CA certificates

Sorry - my free Azure account expired - I can't test

shot is old test with BG96 ( same as BG95 )
https://media-exp1.licdn.com/dms/image/C5622AQGGHF9EPVLfQg/feedshare-shrink_8192/0?e=1584576000&v=beta&t=rEaKRkYjXoUcRAg3bCAHMmvHjfLy7kS2VimHJsPsF-0

I found how to get the AT+QMTOPEN working. The problem was coming from the command AT+QSSLCFG="seclevel",2,2. When I remove it I can get +QMTOPEN:1,0.

Now the connection command is sending me back ‘+QMTSTAT:1,3’. So, even with a CA certificate I need to use a username and SAS token?
For example my command AT+QMTCONN:1,"test", needs to become 'AT+QMTCONN:1,“test”, ,.
With the password being the SAS token generated by Azure device explorer and the username being the CNAME of my domain + the deviceId + the api=version ?

I can’t use a SAS token as my device uses a Certificate Authority as Authentication Type.

If you use X.509 certificate authentication, SAS token passwords are not required
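The two CONNECT variants discussed above (SAS token as password, or X.509 with no password), as an added example that is not part of the original thread. It follows the Azure IoT Hub MQTT documentation, where the client ID is the device ID and the username is `{hub}/{deviceId}/?api-version=...`; the device ID `dev1`, the API version and the key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

API_VERSION = "2018-06-30"  # assumption: any api-version the hub accepts
# Constructed demo key, NOT a real device key.
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-demo-key-0123456789").decode()


def sas_token(hub_host, device_id, key_b64, expiry_epoch):
    """Device-scoped SAS token, valid until expiry_epoch (Unix seconds)."""
    resource = urllib.parse.quote(f"{hub_host}/devices/{device_id}", safe="")
    to_sign = f"{resource}\n{expiry_epoch}".encode()
    mac = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    sig = urllib.parse.quote(base64.b64encode(mac).decode(), safe="")
    return f"SharedAccessSignature sr={resource}&sig={sig}&se={expiry_epoch}"


def mqtt_username(hub_host, device_id):
    """Username field of the MQTT CONNECT packet for IoT Hub."""
    return f"{hub_host}/{device_id}/?api-version={API_VERSION}"


def qmtconn(client_idx, hub_host, device_id, password=None):
    """AT+QMTCONN line; password=None is the X.509 case (username only)."""
    parts = [str(client_idx), f'"{device_id}"',
             f'"{mqtt_username(hub_host, device_id)}"']
    if password is not None:
        parts.append(f'"{password}"')
    return "AT+QMTCONN=" + ",".join(parts)


if __name__ == "__main__":
    host, dev = "test.azure-devices.net", "dev1"  # dev1 is hypothetical
    expiry = int(time.time()) + 3600  # keep token lifetime short
    print(qmtconn(1, host, dev, sas_token(host, dev, SAMPLE_KEY_B64, expiry)))
    print(qmtconn(1, host, dev))  # X.509: client cert authenticates, no password
```

The device key never leaves the host that runs this; only the time-limited token is sent to the module.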

So, my command should still be AT+QMTCONN:1,"test", as I am using right now

for X.509 must be CA + Client-Cert
Qualcomm kernel can not work only with client certificate, need CA
… connect direct to Quectel support and write this “issue”

BTW: try for CA this
https://opensource.apple.com/source/Heimdal/Heimdal-172.29/lib/hx509/data/sf-class2-root.pem.auto.html

There might be some misunderstanding on my part,

As I want to authenticate my connection using CA certificates, I need to configure the SSL context with AT+QSSLCFG="seclevel",2,2 .

When I try to open the network using the IP address (AT+QMTOPEN=1,"13.95.15.250",8883), I got +QMTOPEN:1,-1 (Failed to open network).
So, I found this issue explaining that I need to use the DNS hostname and not the IP address.

And when I try to use the DNS hostname (AT+QMTOPEN=1,"test.azure-devices.net",8883), I got back +QMTOPEN: 1,4 (Failed to parse domain name)

What can be the issue here ?

AT+QMTOPEN make:

  • resolve host or ipaddr_addr(“IP”) // check error
  • socket connect // check error
  • if is used ssl, do handshake // check error … all from ssl
  • return result

Attach one successful log , hoping it is useful to you .

https://cnquectel-my.sharepoint.com/:f:/g/personal/america-fae_quectel_com/EhnjdN0lxvhCmWmwZnYE05YBTPnwgkqAZ2fhZut6p9VgJQ?e=x4gSpZ

pls set mqtt version as 3.1.1
at+qmtcfg="version",0,4

Hi, I’m also trying to connect to an Azure IoT Hub using AT-commands. Only difference is that I’m using an EC-21 module. But the approach should be the same regardless of module right?

I tried to replicate the successful log from Stephen Li, but I still get “+QMTOPEN: X,-1” when I try to open a MQTT connection. The only thing that I’m not sure is identical to Stephen’s approach is how the CA certificate is presented to the module. I’m of course using the Baltimore CyberTrust Root that the IoT hub wants me to use, uploading it to the module’s memory and configuring it using “+QSSLCFG”. But it still doesn’t work, I’ve tried a lot of different combinations for ending the lines: \n, \r, or \r\n. It would be very helpful to see how Stephen uploaded the certificate to the UFS.

Thankful for any help.