MQTT-TLS Azure iot-hub

I am trying to connect to Azure IoT Hub over MQTT with the library MQTT-TLS.
When the device tries to connect I get a timeout.
When I use the same settings in a Windows program, MQTT Box, I can make a connection.

Connecting to Losant with this library works fine, but I can't get a connection with Azure.
My settings are OK (the same settings in another client work), so I think something in the library must be giving some trouble?
Anyone here who can solve this issue?

@hirotakaster can you help me with this issue?

Why not use Particle's Azure integration for getting data into Azure IoT?

I know Particle has an integration with Azure. In my opinion a direct connection is always better. The device is capable of handling it, so why not use it? In this case the Particle cloud is an extra point of failure. I am not the first, and I think not the last, who wants to connect to Azure directly.

There are memory limitations with using secure MQTT from what I understand.

The particle integration works around those issues.

I agree a direct connection is best but the Photon is limited when it comes to secure MQTT.

As far as I can tell the Particle integration cannot handle cloud-to-device messaging?
This is what is making me pursue a direct connection.

I think you're right about that.

Hi,

I am having the same problem. @aart, have you managed to solve this?

Thanks a lot,

Pavel

No, but as far as I know, for now you must upload the certificate to Azure. I am working on another project now, so I didn't test whether that solves the problem.
If you make progress, let me know…

@aart After some struggle, it seems that no upload of a certificate to Azure is required, at least for authentication with SAS tokens (I have not tried X.509 certificates though).

The problem is that the library uses the older MQTT 3.1 version, whereas Azure requires the newer 3.1.1 version of the protocol. Fortunately the differences are quite small, and after some small code changes I have been able to connect to Azure and receive messages on a device.

Regards,
Pavel

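The protocol difference Pavel describes above is confined to the CONNECT packet's variable header: MQTT 3.1 sends the protocol name "MQIsdp" with version byte 3, while MQTT 3.1.1 sends "MQTT" with protocol level 4 (values from the two MQTT specifications). The following builder, added here as an illustration and not code from the MQTT-TLS library or from this thread, emits a complete CONNECT packet for either version so the two byte layouts can be compared side by side. The client id, username and password are treated as opaque caller-supplied strings; for Azure IoT Hub the password would be the SAS token mentioned above, which this example does not generate.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// The two protocol variants discussed in the thread.
enum class MqttVersion { V3_1, V3_1_1 };

// Append an MQTT string field: 2-byte big-endian length prefix, then the bytes.
static void appendString(std::vector<uint8_t>& out, const std::string& s) {
    out.push_back(static_cast<uint8_t>((s.size() >> 8) & 0xFF));
    out.push_back(static_cast<uint8_t>(s.size() & 0xFF));
    out.insert(out.end(), s.begin(), s.end());
}

// Encode the "remaining length" as MQTT's variable-length integer (1 to 4 bytes,
// 7 data bits per byte, high bit set while more bytes follow).
static void appendRemainingLength(std::vector<uint8_t>& out, size_t len) {
    do {
        uint8_t digit = static_cast<uint8_t>(len % 128);
        len /= 128;
        if (len > 0) digit |= 0x80;
        out.push_back(digit);
    } while (len > 0);
}

// Build a CONNECT packet. Only the protocol name and version/level byte differ
// between MQTT 3.1 and 3.1.1; flags, keep-alive and payload are laid out the same.
std::vector<uint8_t> buildConnect(MqttVersion version, const std::string& clientId,
                                  const std::string& username, const std::string& password,
                                  uint16_t keepAliveSec) {
    std::vector<uint8_t> body;

    // Variable header.
    if (version == MqttVersion::V3_1) {
        appendString(body, "MQIsdp");   // MQTT 3.1 protocol name
        body.push_back(3);              // MQTT 3.1 protocol version
    } else {
        appendString(body, "MQTT");     // MQTT 3.1.1 protocol name
        body.push_back(4);              // MQTT 3.1.1 protocol level
    }
    uint8_t flags = 0x02;               // clean session
    if (!username.empty()) flags |= 0x80;   // username present
    if (!password.empty()) flags |= 0x40;   // password present
    body.push_back(flags);
    body.push_back(static_cast<uint8_t>(keepAliveSec >> 8));
    body.push_back(static_cast<uint8_t>(keepAliveSec & 0xFF));

    // Payload: client id, then username and password if flagged.
    appendString(body, clientId);
    if (!username.empty()) appendString(body, username);
    if (!password.empty()) appendString(body, password);

    // Fixed header: packet type CONNECT (1) in the high nibble, flags 0.
    std::vector<uint8_t> packet;
    packet.push_back(0x10);
    appendRemainingLength(packet, body.size());
    packet.insert(packet.end(), body.begin(), body.end());
    return packet;
}

// Read the protocol name back out of a CONNECT packet, skipping the fixed header
// and the variable-length remaining-length field. Returns "" if malformed.
std::string connectProtocolName(const std::vector<uint8_t>& packet) {
    size_t i = 1;
    while (i < packet.size() && (packet[i] & 0x80)) ++i;   // skip continuation bytes
    ++i;                                                  // skip last length byte
    if (i + 2 > packet.size()) return "";
    size_t n = (static_cast<size_t>(packet[i]) << 8) | packet[i + 1];
    if (i + 2 + n > packet.size()) return "";
    return std::string(packet.begin() + i + 2, packet.begin() + i + 2 + n);
}
```

A 3.1.1 broker such as Azure IoT Hub inspects exactly these bytes before anything else; with a "MQIsdp"/3 header it may reject the session or simply close the socket, which from the device side looks like the connection timeout reported at the top of this thread.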

Hi guys @aart, sorry for the late response.
Now I tested TLS (mbedTLS TCP client) on 0.7.x and 0.8 Photon firmware, but it can't work because of memory limitations: "Memory allocation failed" happens during public key (RSA) negotiation. And I made a memory-saving version of mbedTLS (just 61 kbyte application size), but the memory allocation error always occurs on RSA negotiation. I will try to resolve this error on the new firmware, but it needs time.
Maybe with 0.6.x firmware, where the simple MQTT-TLS application size is about 70-80 kbyte, you could connect to Azure like @pavel.benes (I'm happy if you please send me a diff on GitHub).


Hi,

@hirotakaster this is a pull request to my temporary fork of MQTT-TLS - https://github.com/pavel-benes/MQTT-TLS/pull/1. It would be great if this could eventually find its way into your repo to prevent unnecessary fragmentation.
Please note this is not a full implementation of the MQTT 3.1.1 protocol; I believe some work is still needed to fully support UTF-8 strings, but it was enough to get me going.
I have tested this with 0.7.0-rc6 Electron firmware and have not seen any problems with memory. However, I had problems with Azure certificates. The TLS connection could not be established, apparently because of unsupported signature algorithms in certificates from the Azure SDK. In my opinion such a root certificate is needed to properly verify the certificates issued by Azure Hub in the SSL handshake. The certificate in the source code is parsed properly and the SSL connection is established, but the server side is not verified. This is a potential security hole and also a place for further improvements.

Best Regards,
Pavel


@pavel.benes
Thank you for your great work!! I will check your source code and merge.
I don't have an Electron, but the Flash/RAM size is the same as the Photon, so I think maybe it works on my Photon.

This is a potential security hole and also a place for further improvements.

This problem is my fault. I updated the MQTT-TLS library (0.1.3) TLS negotiation algorithm to a very simple one for the sake of application size, but I think that algorithm is not enough for the Azure Hub. I will update the MQTT-TLS library to match the Azure IoT Hub too.

@hirotakaster
You are welcome, but it was your great work that helped me get MQTT with Azure working.

It would be great if you could add support for Azure certificates, hopefully the Electron’s memory will be enough.

I am now playing with Azure IoT Hub twin support. It goes reasonably well; however, it seems that the Hub does not send updates to disconnected clients over MQTT, and because of that it is necessary to obtain the twin document using a REST GET call during device startup. For this, some SSL client is required; I am thinking about separating this functionality from the MQTT class and exposing it for other purposes. What do you think about this; would you accept a pull request like this?

Thanks & Regards,

Pavel

I am thinking about separating this functionality from the MQTT class and exposing it for other purposes.

Yes, I think so too!!

At first I wanted to implement TlsTcpClient as the MQTT base network class, so that the application could use TLS/MQTT/MQTT-TLS, but I could not because of the Photon memory limits. Because of that I had no choice but to implement the MQTT-TLS base class the same way as the TlsTcpClient (mbedTLS) source code. This is a frustrating problem...

Hi, @pavel.benes

I updated MQTT-TLS to version 0.2.6 on the Particle community library, merging your source code (I modified it just a little bit).
And I checked iot.eclipse.org:8883 with a Let's Encrypt certificate on Photon firmware 0.6.3; it works well :)

Thank you!!
hirotakaster

This is great, thanks. I have set up our remote MQTT server with HTTPS, which I want to pub/sub from.

Do I need to import a certificate into the Photon code? We also used Let's Encrypt to generate our SSL cert for our server; do I need to copy-paste from that? Please could you point me to which file this would be?

Thanks for the help on this!

@grillo,
Yes, please check the MQTT-TLS sample source code (a1-example.ino). This sample source code uses the Let's Encrypt Root CA in LET_ENCRYPT_CA_PEM.
Maybe you could use your own MQTT server by only changing the server IP address in the sample source code. If you use TLS with a private key, check a2-example.
