TX62-W MQTTS with HiveMQ | Telit Cinterion IoT Developer Community
April 24, 2023 - 4:52pm, 898 views
Hi,
I'm facing some difficulties with establishing a TLS encrypted MQTT connection to a HiveMQ broker.
I was able to successfully use the TX62-W module to establish a regular MQTT connection to the public broker by following the steps described in the command set document.
Now I want to connect to my cloud hosted HiveMQ instance using MQTTS, without any luck.
I have previously successfully uploaded the required root certificate into the module certificate store using the TLS certificate tool, as well as all of the missing certificates in the chain of trust, just to make sure.
Using AT^SISS?, my configuration looks like this (user, password, and broker id are redacted):
^SISS: 1,"srvType","Mqtt"
^SISS: 1,"conId","1"
^SISS: 1,"address","mqtts:/user:password@broker.s2.eu.hivemq.cloud:8883"
^SISS: 1,"secopt","1"
^SISS: 1,"ipVer","4"
^SISS: 1,"cmd","unsubscribe"
^SISS: 1,"cleanSession","1"
^SISS: 1,"clientid","004401083574984"
^SISS: 1,"topicFilter","MQTTDemoListener"
^SISS: 1,"secsni","1"
^SISS: 1,"sniname","broker.s2.eu.hivemq.cloud"
Trying to open the connection with the AT^SISO=1,2 command results in the error:
^SIS: 1,0,76,"Certificate format error"
Any help on the topic is appreciated; if you have any questions, please contact me :)
Hi,
I wanted to update this as I was now able to extract said root certificate and try this myself.
The connection works flawlessly, thank you very much for your exhaustive investigation and support Bartłomiej!
When I reached out to the HiveMQ support team, they informed me that this is intended behaviour, to support backward compatibility with older devices.
You can read more on this here:
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
https://community.letsencrypt.org/t/production-chain-changes/150739
As I understand it, this extended support will end in early 2024, and hopefully only the ISRG root certificate will be needed at that point.
Best regards
Maximilian
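Added example, not part of the original thread and not code from Telit or HiveMQ: a Go program that builds, in memory, a small PKI shaped like the Let's Encrypt layout the links above describe (an expired legacy root, a current self-signed root, the current root's key cross-signed by the legacy root, an intermediate, and a broker leaf) and then checks the chain a broker might send against two validator models. `VerifyStrict` is Go's own `crypto/x509` path builder, which, like a desktop browser, rejects an expired anchor; `VerifyLenient` is an assumed model of what the thread's outcome suggests the module does (follow the chain exactly as sent and require the issuer of the last certificate to be in the store, without checking the anchor's dates). All names, dates, serials and the hostname `broker.example.test` are constructed fixtures; the module's real validation logic is not documented on this page, so `VerifyLenient` is an assumption, not the TX62-W firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "broker.example.test"                     // constructed broker name, also the expected hostname
var now = time.Date(2023, 4, 24, 0, 0, 0, 0, time.UTC) // fixed clock: the thread's date, legacy root expired

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate builds a CA template; the cross-sign reuses a name with a new serial.
func caTemplate(cn string, serial int64, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// issue signs tmpl (carrying pub) with the parent's private key and parses the DER.
func issue(tmpl, parent *x509.Certificate, pub, parentKey interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// PKI is a constructed stand-in for the Let's Encrypt layout linked in the thread.
type PKI struct{ OldRoot, NewRoot, CrossRoot, Intermediate, Leaf *x509.Certificate }

// BuildPKI: expired legacy root; current root; current root's key cross-signed by the legacy root; intermediate; leaf.
func BuildPKI() PKI {
	oldKey, curKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldT := caTemplate("Legacy Root (constructed)", 1, date(2000, 9, 30), date(2021, 9, 30))
	oldRoot := issue(oldT, oldT, oldKey.Public(), oldKey)
	curT := caTemplate("Current Root (constructed)", 2, date(2015, 6, 4), date(2035, 6, 4))
	newRoot := issue(curT, curT, curKey.Public(), curKey)
	crossT := caTemplate("Current Root (constructed)", 3, date(2021, 1, 20), date(2024, 9, 30))
	crossRoot := issue(crossT, oldRoot, curKey.Public(), oldKey) // same subject and key, legacy signer
	interT := caTemplate("Intermediate (constructed)", 4, date(2020, 9, 4), date(2025, 9, 15))
	inter := issue(interT, newRoot, interKey.Public(), curKey)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: date(2023, 3, 1), NotAfter: date(2023, 5, 30), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return PKI{oldRoot, newRoot, crossRoot, inter, issue(leafT, inter, leafKey.Public(), interKey)}
}

// NeededAnchor names the issuer of the last certificate the server sent: the root needed to close that exact path.
func NeededAnchor(chain []*x509.Certificate) string { return chain[len(chain)-1].Issuer.CommonName }

// VerifyStrict behaves like a desktop TLS stack: path-build to any root in the store, every cert (anchor too) valid at now.
func VerifyStrict(chain, store []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

// VerifyLenient models what the thread's outcome suggests the module does (an assumption, not documented
// behaviour): walk the chain exactly as sent, require the last link's issuer in the store, ignore the anchor's dates.
func VerifyLenient(chain, store []*x509.Certificate) error {
	if err := chain[0].VerifyHostname(host); err != nil {
		return err
	}
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q is outside its validity period", c.Subject.CommonName)
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			return fmt.Errorf("%q is not signed by the next certificate in the chain", c.Subject.CommonName)
		}
	}
	last := chain[len(chain)-1]
	for _, a := range store {
		if a.Subject.String() == last.Issuer.String() && last.CheckSignatureFrom(a) == nil {
			return nil // anchor found; its own expiry is deliberately not checked
		}
	}
	return fmt.Errorf("no trust anchor for %q in the store", last.Issuer.CommonName)
}
```

With the short chain (leaf, intermediate) both models succeed with only the current root in the store. With the long chain (leaf, intermediate, cross-signed root) the strict model still succeeds with the current root, because it builds the shorter path itself, while the lenient model fails unless the expired legacy root is in the store, which matches the thread's outcome of having to extract and load that root. The strict model with only the legacy root fails on expiry, which is the browser behaviour Bartłomiej contrasts below. To see which chain a real broker sends, `openssl s_client -connect broker.s2.eu.hivemq.cloud:8883 -servername broker.s2.eu.hivemq.cloud -showcerts </dev/null` prints every certificate in the handshake; the issuer of the last one is what `NeededAnchor` reports and what the module's store must contain (decode the PEM blocks with `encoding/pem` and `x509.ParseCertificate` to run the same functions over a captured chain).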
Hi,
Thank you for the feedback.
That's what I suspected: it's because, for some devices that are using this certificate, it might be problematic or impossible to update them. From that perspective it would be good if the root certificate were valid for a long time, exceeding the suspected lifetime of such a device.
Regards,
Bartłomiej
Hey Bartłomiej,
I'm trying to investigate this topic again in greater detail.
Could you specify which fields of the trust anchors are used by the module for the
REVISION 01.200
A-REVISION 01.000.00
firmware version?
I'd also be interested to know whether it is possible to configure which fields are used for TA validation.
Best regards
Maximilian
Hello,
I don't have a document that specifies in detail which fields of the server certificate are actually checked and how. Anyway, unlike in desktop web browsers, it is possible to use the outdated certificate, which is helpful in this particular case.
Do you have any particular concerns related to this procedure?
This is not configurable.
Best regards,
Bartłomiej