Mqtt-tls using mbedtls fails to connect to broker

While using a Particle Boron with Particle OS 5.1 and mqtt-tls (using mbedtls), the node fails to connect to the mosquitto broker. However, other clients can successfully connect to the same broker using TLS. The mosquitto log indicates an error: 'OpenSSL Error[0]: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.'

Upon inspecting the TCP dump, it was observed that the Client Hello from the Particle Boron does not include any Cipher Suite, unlike other clients which send a list of 10 Cipher Suites. This clearly indicates that the Particle Boron is not sending a Cipher Suite list.

Further investigation with mbedtls debug enabled revealed that the Particle Boron is actually sending an empty Cipher list named 'EMPTY_RENEGOTIATION_INFO_SCSV'.

Based on all this debug information, it appears there are issues with the TLS configuration using the mbedtls library. This could be related to the Particle Workbench not locating or opening the mbedtls_config.h file saying ‘cannot open source file “<mbedtls_config.h>” ’, whether it was directly copied into the src folder or added via the Particle Add Library feature.

I now seek assistance on resolving this problem.

mbedtls-debug
tcpdump-tls

Hi, if you feel like exploring, would you like to try DeviceOS 4.2?
I used MQTT on a project long time ago that used that DeviceOS version and had no issues connecting to MQTT brokers.

You can downgrade your DeviceOS with the tool:

Remember to also change the target DeviceOS version on Workbench before flashing again.

Also, you are installing the MQTT-TLS library using the Workbench command palette, correct?

Hi gusgonnet, Thanks for the reply.

I'll try 4.2 and update you again.
However, one of my colleagues used TLS with OS 5.1 successfully a year back, as shown in Particle dashboard and mosquitto log. But not sure which library and how he did that, as I don't have any detail info on it.

Without TLS and with 5.1/5.2 I don't have any issue. Only problem while using mbed-tls library. Is there any other TLS library supported/tested with Particle OS?

I tried installing the library through the Install Library tool, but could not compile. It gives Overflowed error, I've already opened a separate topic on that.

I tried using OS 4.2, still same, can not connect to the broker.

In the past, enabling debug helped me, it still was hard to find the root cause though.

file:

lib/MQTT-TLS/src/mbedtls/include/mbedtls/mbedtls_config.h

enable:

#define MBEDTLS_DEBUG_C

I'm not sure if I already mentioned this to you or not. If I did, please disregard.

I've already done that and attached the findings in my first post here, https://global.discourse-cdn.com/business7/uploads/particle/original/3X/f/b/fbdbe50a9324d887d0ee2ee4d17f997585ac2af7.png.

After that I can not understand where to go.

oh I remember that now. No clue there, sorry.