wolfSSL / wolfMQTT

wolfMQTT is a small, fast, portable MQTT client implementation, including support for TLS 1.3.
https://www.wolfssl.com
GNU General Public License v2.0

Harmony 3 TLS connection #168

Closed bubshowlett closed 3 years ago

bubshowlett commented 4 years ago

Hi, I’m using Harmony 3 with the Ethernet Starter Kit 2 (PIC32MZ795F512L) and have a working stack, console etc. The MQTT connection works as expected using the unencrypted port 1883 and the default mqtt.eclipse.org broker; however, when I try to create an encrypted connection on port 8883 I get the following error:

MQTT_NET_GLUE Info: Started Connect
WMQTT_NET_GLUE Info: Connected Successfully
WMQTT_NET_GLUE Info: Start TLS
WMQTT_NET_GLUE Error: Start Encryption, occurred in func: WMQTT_NETGlue_Connect, line: 300,

Debugging the program, inside net_pres.c the code returns false inside NET_PRES_SocketEncryptSocket() at:

if(pSkt->provObject->fpInit == 0 || pSkt->provObject->fpOpen == 0 || pSkt->provObject->fpIsInited == 0)
{   // cannot start negotiation
    return false;
}

I suspect I haven’t set up the TLS correctly in wolfSSL, but enabling TLS 1.3 support causes build errors with HKDF not being defined.

Should I be enabling TLS support in wolfSSL, or is MQTT doing this for me?

embhorn commented 4 years ago

Hello @bubshowlett

I suspect that the application is overriding the port you've tried to configure. It can be set at runtime using the mqtt port command:

>mqtt port 8883
mqtt: broker port is: 8883
>mqtt start
MQTT pub/sub demo has been started
>MQTT Task - Client Start: QoS 0, broker mqtt.eclipse.org
MQTT Task - run message: WMQTT_NETGlue_Initialize, res: 0
MQTT Task - run message: MqttClient_Init, res: 0
MQTT Task - run message: MqttClient_SetDisconnectCallback, res: 0
WMQTT_NET_GLUE Info: Started Connect
WMQTT_NET_GLUE Info: Connected Successfully
WMQTT_NET_GLUE Info: Start TLS
WMQTT_NET_GLUE Info: Secure Connection Established
...

Let us know if that helps. Otherwise, could you please share the wolfMQTT and wolfSSL settings from configuration.h?

Thanks, wolfSSL Support

bubshowlett commented 4 years ago

Hi, setting the port in the console is how I've been changing to TLS: 1883 works, 8883 fails as above. I've investigated a bit further and I believe Harmony / wolfSSL is not setting the presentation layer correctly when configuring the project. mqtt_net_glue.c / mqtt_net_glue.h are not being included in the project and I had to copy these from the demo project.

initialization.c netPresCfgs[] is missing:

    .pProvObject_ss = &net_pres_EncProviderStreamServer0,
    .pProvObject_sc = &net_pres_EncProviderStreamClient0,

Also, net_pres_enc_glue.c and net_pres_enc_glue.h are empty, unlike in the demo project.

I've tried a new project using the PIC32MZ2048EFM and have the same issue.

I have also tried adding / copying the missing bits to the project, but then I get a lot of build errors.

Attached is initialization.zip.
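The failure described in this comment and the quoted net_pres.c check come down to a config table entry that never points at a TLS client provider, so the three provider hooks are null and NET_PRES_SocketEncryptSocket() bails out at connect time. The following is an added example, not Harmony, wolfMQTT or wolfSSL code: a stand-alone C stand-in that mirrors that condition and validates the table at start-up so the missing .pProvObject_sc is reported by name before the first connect. The struct types (enc_provider_t, net_pres_cfg_t), the zero-argument hook type and the stub provider objects are hypothetical; only the field names (fpInit, fpOpen, fpIsInited, pProvObject_ss, pProvObject_sc) are taken from the issue.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical hook type; the real Harmony provider hooks take arguments. */
typedef bool (*prov_fn)(void);

/* Hypothetical encryption-provider object with the three hooks the quoted
 * NET_PRES_SocketEncryptSocket() condition tests. */
typedef struct {
    prov_fn fpInit;
    prov_fn fpOpen;
    prov_fn fpIsInited;
} enc_provider_t;

/* Hypothetical presentation-layer config entry (one per TCP/IP stack). */
typedef struct {
    const enc_provider_t *pProvObject_ss;   /* stream server provider */
    const enc_provider_t *pProvObject_sc;   /* stream client provider */
} net_pres_cfg_t;

/* Same test as the quoted net_pres.c line: negotiation can only start when a
 * provider is attached and all three hooks are populated. */
bool can_start_encryption(const enc_provider_t *prov)
{
    if (prov == NULL)
        return false;
    return prov->fpInit != 0 && prov->fpOpen != 0 && prov->fpIsInited != 0;
}

/* Check every client provider in the config table at start-up and name what is
 * missing, so a generated table without .pProvObject_sc is reported before the
 * first connect instead of as "Start Encryption" failing at run time.
 * Returns the number of problems found (0 means TLS client sockets can be
 * encrypted on every stack). */
int check_net_pres_cfgs(const net_pres_cfg_t *cfgs, size_t count)
{
    int problems = 0;
    for (size_t i = 0; i < count; i++) {
        const enc_provider_t *c = cfgs[i].pProvObject_sc;
        if (c == NULL) {
            printf("netPresCfgs[%zu]: .pProvObject_sc is NULL, no TLS client provider\n", i);
            problems++;
            continue;
        }
        if (c->fpInit == 0)     { printf("netPresCfgs[%zu]: fpInit not set\n", i);     problems++; }
        if (c->fpOpen == 0)     { printf("netPresCfgs[%zu]: fpOpen not set\n", i);     problems++; }
        if (c->fpIsInited == 0) { printf("netPresCfgs[%zu]: fpIsInited not set\n", i); problems++; }
    }
    return problems;
}

/* Constructed stand-ins for the generated provider objects. */
static bool stub_hook(void) { return true; }

const enc_provider_t demo_client_provider = { stub_hook, stub_hook, stub_hook };
const enc_provider_t partial_provider     = { stub_hook, NULL,      stub_hook };

/* Table as generated in the issue: no client provider attached. */
const net_pres_cfg_t broken_cfgs[1] = { { NULL, NULL } };
/* Table after adding the .pProvObject_sc entry copied from the demo. */
const net_pres_cfg_t fixed_cfgs[1]  = { { NULL, &demo_client_provider } };

int main(void)
{
    printf("broken table: %d problem(s)\n", check_net_pres_cfgs(broken_cfgs, 1));
    printf("fixed table:  %d problem(s)\n", check_net_pres_cfgs(fixed_cfgs, 1));
    printf("encrypt with demo provider: %s\n",
           can_start_encryption(fixed_cfgs[0].pProvObject_sc) ? "yes" : "no");
    return 0;
}
```

Running the check once during initialisation turns a silent fallback (or a late "Start Encryption" error) into an explicit, actionable message, which is the behaviour you want from anything that decides whether a socket gets TLS at all.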

embhorn commented 4 years ago

Hi @bubshowlett

TLS support also needs to be enabled and turned on.

One option is to use WMQTT_NET_GLUE_FORCE_TLS (it can be set in the Harmony Configurator). Otherwise you have to enable it at run time with >mqtt tls 1.

PIC32INT IP Address: 192.168.86.42

>mqtt help
start: Starts an MQTT/MQTT-SN connection to broker
ping: Starts an MQTT/MQTT-SN connection to ping the broker
stop: Stops an ongoing MQTT connection
stat: Prints the current MQTT task state
port: Sets the MQTT broker connection port
qos: Sets the MQTT connection QoS value
kalive: Sets the MQTT connection Keep Alive interval, seconds
id: Sets the MQTT client Id
lwtmsg: Sets the MQTT Last Will and Testament message
message: Sets the message to be published
user: Sets the MQTT connection user name
pass: Sets the MQTT connection password
subscribe: Sets the MQTT subscribe topic name
publish: Sets the MQTT publish topic name
broker: Sets the MQTT broker to connect to
name: Sets the MQTT application name
tmo: Sets the MQTT connection wait reply timeout
tls: Sets the MQTT connection force TLS mode
auth: Sets the MQTT connection authentication mode
lwt: Sets the MQTT LWT mode
txbuf: Sets the MQTT connection TX buffer size
rxbuf: Sets the MQTT connection RX buffer size
clean: Sets the MQTT clean session flag
help: This help command
time: Gets the SNTP time
>mqtt tls
mqtt: force TLS is: 0
>mqtt port
mqtt: broker port is: 1883
>
>mqtt port 8883
mqtt: broker port is: 8883
>mqtt start
MQTT pub/sub demo has been started
>MQTT Task - Client Start: QoS 0, broker mqtt.eclipse.org
MQTT Task - run message: WMQTT_NETGlue_Initialize, res: 0
MQTT Task - run message: MqttClient_Init, res: 0
MQTT Task - run message: MqttClient_SetDisconnectCallback, res: 0
WMQTT_NET_GLUE Info: Started Connect
WMQTT_NET_GLUE Info: Connected Successfully
WMQTT_NET_GLUE Info: Start TLS
WMQTT_NET_GLUE Info: Secure Connection Established
MQTT Task - run message: MqttClient_NetConnect, res: 0
MQTT Task - run message: MqttClient_Connect, res: 0
MQTT Task - Connect Ack: Return Code 0, Session Present No
MQTT Task - run message: MqttClient_Subscribe, res: 0
MQTT Task - Subscribed Topic MQTT_NET_Client topic, Qos 0
MQTT Task - run message: MqttClient_Publish, res: 0
MQTT Task - Published Topic: MQTT_NET_Client topic
MQTT Task - Waiting for message. Retry: 1
MQTT Task - Received Topic: MQTT_NET_Client topic, Qos 0, Len 26
MQTT Task - Payload (0 - 26): MQTT NET Demo Test Message
MQTT Task - Message: Done
MQTT Task - published message was received. Exiting...
MQTT Task - run message: MqttClient_Unsubscribe, res: 0
MQTT Task - run message: MqttClient_Disconnect_ex, res: 0
MQTT Task - run message: MqttClient_NetDisconnect, res: 0
MQTT Task - MQTT cycle ended successfully!

Thanks, wolfSSL Support

embhorn commented 4 years ago

One other thing to check... Be sure you are using the latest code from Microchip. You can confirm using the Microchip Harmony 3 Content Manager.

bubshowlett commented 4 years ago

Hi, thanks for the help, but I think there are issues with the harmony configurator.

Starting a new project with the PIC32MZ2048EFM144 (same as the demo project) and copying all the wolfmqtt_demo settings, Harmony fails to include:

  1. mqtt_net_glue.c and mqtt_net_glue.h,
  2. it does not update initialization.c netPresCfgs[],
  3. it does not generate net_pres_enc_glue.c and net_pres_enc_glue.h.

Adding the above from the demo causes the project to build OK (I can't run / test this until I build a PCB with the PIC32MZ).

I then enabled TLS 1.3 support and, after fixing errors with needing "HAVE_HKDF" by enabling various SHAxxx and HMAC options, this now compiles correctly.

I currently have a product that contains the PIC32MX795F512L and was hoping to update this; however, all of the above compiles to 489k, so the PIC32MX is not usable with MQTT + TLS 1.3 enabled.

With regards to the presentation layer not being updated, shall I continue this in the Microchip forums, as this is a Harmony / Microchip issue?

Thanks, Bubs

embhorn commented 4 years ago

Hi Bubs,

Yes, for the build issues related to Harmony ports, Microchip is the best source of knowledge.

As for the footprint, have you tried any of the following:

  1. Limit supported protocol versions to only those required, for example only allowing TLS 1.3 connections.
  2. Remove unnecessary library features at compile time - section 2.4.1 of the wolfSSL Manual.
  3. Choose a limited set of cipher suites:
     a. Memory usage difference between RSA, ECC, PSK
     b. Choose smaller key sizes - section 4.3 of the wolfSSL manual.
  4. Take advantage of hardware crypto if available - section 4.4 of the wolfSSL manual.
  5. Use compiler and toolchain optimizations.
  6. Decrease maximum SSL record size if you control both ends of the connection.

Thanks, wolfSSL Support

bubshowlett commented 4 years ago

Hi, good point. I just enabled various things to make the build work; I have now disabled various suites and can build the code without error, ready for testing tomorrow. With regards to the server, this will be AWS IoT, and looking at their TLS webpage they recommend ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256.

So I have limited the suites to SHA256, AES128 with GCM, HMAC with HKDF, ECC and RSA.

Is there a function in wolfSSL to list the supported suites? I'm not a network guy, and trying to tie all the options together is a bit of a head scratcher.

Thanks Shaun

embhorn commented 4 years ago

Hello Shaun,

Yes, in the wolfSSL library, wolfSSL_get_ciphers returns the list of currently enabled suites. Here is an example of printing it: https://github.com/wolfSSL/wolfssl/blob/19ade820b08d15a2d8bcde74d6940c81dc827b8e/examples/client/client.c#L231

Using the example client:

$ ./examples/client/client -e
TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256:TLS13-SHA256-SHA256:TLS13-SHA384-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CCM:DHE-PSK-NULL-SHA384:DHE-PSK-NULL-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM-8:ECDHE-ECDSA-AES256-CCM-8:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA256-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:DHE-RSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-NULL-SHA:ECDHE-PSK-NULL-SHA256:ECDHE-PSK-AES128-CBC-SHA256:PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:EDH-RSA-DES-CBC3-SHA

Kind regards, wolfSSL Support

Edit: the above was built using the --enable-all configuration option for wolfSSL.
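The list that wolfSSL_get_ciphers returns (shown above from an --enable-all build) is colon-separated, and an --enable-all build deliberately includes suites you would not want on a device talking to AWS IoT: NULL-cipher suites that encrypt nothing, RC4, 3DES, and the -OLD draft ChaCha20 variants. The following is an added example, not wolfSSL or wolfMQTT code and not using the wolfSSL API itself: a stand-alone C checker that walks a cipher list in that format, reports the weak entries that should be compiled out, and confirms that the two suites the broker documents are present. SAMPLE_LIST is a constructed excerpt of the output above; the WEAK_MARKERS substrings and the 64-character name bound are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a short excerpt of the `client -e` output above,
 * including suites that --enable-all turns on but a product build should not. */
const char SAMPLE_LIST[] =
    "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-NULL-SHA:DHE-PSK-NULL-SHA256";

/* Substrings marking suites with no encryption, broken ciphers or legacy
 * draft constructions (assumed list for this example). */
static const char *WEAK_MARKERS[] = { "NULL", "RC4", "DES-CBC3", "-OLD" };

/* Return the next colon-separated entry and its length, advancing *cursor;
 * returns NULL once the list is exhausted. */
static const char *next_suite(const char **cursor, size_t *len)
{
    const char *p = *cursor;
    if (p == NULL || *p == '\0')
        return NULL;
    const char *end = strchr(p, ':');
    *len = end ? (size_t)(end - p) : strlen(p);
    *cursor = end ? end + 1 : p + *len;
    return p;
}

/* Copy one entry into a bounded, NUL-terminated buffer so strstr/strcmp apply. */
static void copy_suite(const char *s, size_t len, char *out, size_t outsz)
{
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, s, len);
    out[len] = '\0';
}

/* True if the suite name contains any weak marker. */
bool is_weak_suite(const char *suite)
{
    for (size_t i = 0; i < sizeof WEAK_MARKERS / sizeof WEAK_MARKERS[0]; i++)
        if (strstr(suite, WEAK_MARKERS[i]) != NULL)
            return true;
    return false;
}

/* Number of entries in the list. */
int count_suites(const char *list)
{
    int n = 0; size_t len; const char *cur = list;
    while (next_suite(&cur, &len) != NULL)
        n++;
    return n;
}

/* Print and count suites that should be disabled at compile time. */
int count_weak_suites(const char *list)
{
    int n = 0; size_t len; const char *cur = list, *s;
    char name[64];
    while ((s = next_suite(&cur, &len)) != NULL) {
        copy_suite(s, len, name, sizeof name);
        if (is_weak_suite(name)) {
            printf("weak suite enabled: %s\n", name);
            n++;
        }
    }
    return n;
}

/* Exact-name membership test, e.g. for the suites a broker documents. */
bool list_has_suite(const char *list, const char *wanted)
{
    size_t len; const char *cur = list, *s;
    char name[64];
    while ((s = next_suite(&cur, &len)) != NULL) {
        copy_suite(s, len, name, sizeof name);
        if (strcmp(name, wanted) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    const char *required[] = { "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256" };
    printf("%d suites enabled, %d weak\n", count_suites(SAMPLE_LIST), count_weak_suites(SAMPLE_LIST));
    for (size_t i = 0; i < 2; i++)
        printf("%s: %s\n", required[i], list_has_suite(SAMPLE_LIST, required[i]) ? "present" : "MISSING");
    return 0;
}
```

On the target, the same functions can be pointed at the string wolfSSL_get_ciphers fills in, which gives a quick build-time sanity check that the user_settings trimming described earlier in the thread removed what it was supposed to and kept the suites the broker needs.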

embhorn commented 3 years ago

Closing this answered issue. Please feel free to reopen if there are other comments.