4

I try to connect the NodeMCU with the IBM Bluemix IoT Foundation. The unsecured MQTT connect works splendidly and pushes data from a BMP180 to the cloud. However, when I start using TLS it won't connect to the broker. I tried to make a TLS connection with mqtt.fx and it works fine, so it seems like the NodeMCU is the problem. If I run this code:

orgID = "****"                       -- organization id (redacted)
BROKER = orgID..".<bluemix>"         -- broker host: <orgID>.<Bluemix messaging domain>
BRPORT = 8883                        -- MQTT over TLS port

CLIENTID = "d:"..orgID..":generic_esp:generic_esp_01"   -- d:<orgID>:<deviceType>:<deviceId>
print("ClientID: "..CLIENTID)
BRPWD  = "***********"               -- device authentication token (redacted)

BRUSER = "use-token-auth"

-- Load the sensor reading (sensor.lc sets the global 'payload') and publish it with QoS 1.
local function publish()
   dofile('sensor.lc')
   m:publish('iot-2/evt/esp8266/fmt/json', payload, 1, 0,
            function(conn) print('Payload published') end)
end

m = mqtt.Client(CLIENTID, 120, BRUSER, BRPWD)   -- keepalive 120 s
c = false                                       -- connected flag

print('MQTT Init')
m:on('offline', function(con) print('mqtt offline'); c = false end)
-- third argument 1 = secure (TLS) connection
m:connect(BROKER, BRPORT, 1, function(conn)
   print('MQTT connected: '..BROKER..':'..BRPORT)
   c = true
   publish()
end)

-- Every second: reconnect if the link is down, otherwise publish.
tmr.alarm(1, 1000, 1, function()
    if not c then
      print('MQTT reconnecting')
      m:close()
      c = false
      m:connect(BROKER, BRPORT, 1, function(conn) print('.. MQTT reconnected: '..BROKER..':'..BRPORT); c = true end)
    end
    if c then
      publish()
    end
 end)

the esp8266 just prints "MQTT reconnecting" and can't connect. Is something wrong with my code or is TLS not fully supported in NodeMCU 1.4, yet?

trahloff
  • NodeMCU uses TLS 1.2, http://nodemcu.readthedocs.org/en/dev/en/modules/mqtt/#mqttclientconnect. – Marcel Stör Jan 27 '16 at 13:03
  • The first thing that comes to mind is a certificate chain validation issue i.e. NodeMCU (or Espressif SDK) doesn't trust the SSL cert or the CA cert it's signed with. 1. Try with a firmware that has debug enabled. 2. Try with a different MQTT broker (difficult if you work for IBM?). 3. Try with a *public* broker like https://www.cloudmqtt.com so others can verify your code. – Marcel Stör Jan 27 '16 at 13:10
  • If you have access to the Bluemix broker instance you can [turn on Java SSL debug messages](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html). This should give you enough information to draw some conclusions. – Marcel Stör Jan 27 '16 at 16:20
  • I'll try to get access to it. One interesting tidbit: it seems like the Bluemix broker only accepts TLS with AES. Do you know if NodeMCU uses a different cipher like triple DES or RC4 by any chance? EDIT: Can't access the broker for debugging. – trahloff Jan 28 '16 at 08:14
  • It does sound like it's most likely a cert/cipher issue. Please note comments here about wildcard domains: https://docs.internetofthings.ibmcloud.com/reference/mqtt/index.html – Paul Slater Jan 28 '16 at 09:07
  • If you follow the link to the docs I posted first you'll get to http://j.mp/20uzJs1 which lists all cipher suites. – Marcel Stör Jan 28 '16 at 11:37
  • List support by IoTF is too long for a comment, but easily discovered with: `sslscan --no-failed --tls12 us.messaging.internetofthings.ibmcloud.com:443` – Paul Slater Jan 28 '16 at 12:00
  • I know which cipher suites are supported by IoTF, the problem is that I have no idea which suite is used by the nodemcu and have no way to influence which suite it chooses. – trahloff Jan 28 '16 at 13:33

1 Answer

2

I've captured your client hello in one of our test stands:

0000 16 03 02 00 33 01 00 00 2f 03 02 00 00 00 00 d0
0010 b1 a1 3a 07 1c 1b 3e f2 fc 03 91 d6 18 b5 ae 5d
0020 77 65 37 f5 07 10 45 d1 7e 1a ea 00 00 08 00 2f
0030 00 35 00 05 00 04 01 00

This looks like a TLS v1.1 client hello. Usually a client will hello with the "best" it can do and be negotiated downwards. In this case IoTF will simply close the connection because it only supports TLS 1.2. Please can you check that your device is set up to do TLS 1.2?

Paul Slater
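Added example, not part of the answer or of NodeMCU: a small parser that decodes the captured ClientHello above and reports, from the bytes alone, why a TLS 1.2-only broker would drop it. It also answers the question raised in the comments about which cipher suites the device offers. The hex bytes are taken from the dump above; the suite names are the IANA names for those codes.

```python
# Added example: decode the ClientHello captured above and explain the rejection.
CAPTURED_HELLO = bytes.fromhex(          # the 56 bytes from the hex dump in the answer
    "16030200330100002f030200000000d0"
    "b1a13a071c1b3ef2fc0391d618b5ae5d"
    "776537f5071045d17e1aea000008002f"
    "0035000500040100"
)

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_SUITES = {                        # IANA names for the suites this client offers
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}

def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raise ValueError if malformed."""
    if len(data) < 9 or data[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:   # 0x01 = ClientHello message type
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = int.from_bytes(hello[0:2], "big")   # highest version the client offers
        pos = 2 + 32                                  # skip the 32-byte client random
        pos += 1 + hello[pos]                         # skip session id
        cs_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
        suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]                         # skip compression methods
    except IndexError as exc:
        raise ValueError("truncated ClientHello body") from exc
    return {
        "version_code": version,
        "version": TLS_VERSIONS.get(version, "unknown"),
        "suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
        "has_extensions": pos < len(hello),           # no extensions means no SNI either
    }

def diagnose(hello: dict, broker_min_version: int = 0x0303) -> list:
    """List the reasons a broker that insists on TLS 1.2 (0x0303) would reject this hello."""
    findings = []
    if hello["version_code"] < broker_min_version:
        findings.append(f"client offers at most {hello['version']}; broker requires "
                        f"{TLS_VERSIONS.get(broker_min_version, hex(broker_min_version))}")
    if not any("AES" in s for s in hello["suites"]):
        findings.append("no AES cipher suite offered")
    if not hello["has_extensions"]:
        findings.append("no extensions, so no SNI is sent")
    return findings
```

Running `diagnose(parse_client_hello(CAPTURED_HELLO))` reports only the version mismatch: two AES suites are offered, so the cipher list is not what the broker objects to.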