Now we want to encrypt the MQTT connection that we set up in the previous exercise by implementing TLS. We will also cover how to verify the broker’s authenticity.
Recall from lesson 3 that TLS can provide:
Confidentiality (communication cannot be read by third parties)
Integrity (communication cannot be altered by third parties)
Authenticity (verifies the identity of the client and server).
You can read more about how TLS provides authentication, confidentiality, and integrity here.
In this exercise, we will learn how to encrypt communication between the device (MQTT client) and the MQTT broker. Then we will get the root certificate of the MQTT broker and flash it to the device, so it can use it to verify the broker’s authenticity. We will also show how to encrypt the communication between the MQTT broker and the other MQTT client (running on your smartphone).
We will be using the TLS credentials subsystem of the Zephyr socket API to store the credentials on the device.
CONFIG_TLS_CREDENTIALS: Enables the TLS credentials subsystem of the socket API, which we will use to store the credentials on the device.
CONFIG_MBEDTLS_RSA_C: Enables support for RSA cryptosystem in the mbedTLS library.
1.4 Increase the mbedTLS heap size, if building for the non-secure board target.
Open boards/nrf7002dk_nrf5340_cpuapp_ns.conf or boards/nrf5340dk_nrf5340_cpuapp_ns.conf, depending on the board you are using, and increase the mbedTLS heap size by changing the following Kconfig line:
CONFIG_MBEDTLS_HEAP_SIZE=81920
1.5 Increase the MQTT keep-alive time to 5 seconds, as the introduction of TLS adds processing overhead, such as certificate verification:
CONFIG_MQTT_KEEPALIVE=5
1.6 Include the header file for the TLS credentials subsystem:
#include <zephyr/net/tls_credentials.h>
Note
If you changed the default values of CONFIG_MQTT_PUB_TOPIC and CONFIG_MQTT_SUB_TOPIC in the previous exercises, make sure to change them in the prj.conf of this exercise as well.
2. Obtain the certificate from the MQTT broker and convert it into a C header file, certificate.h.
Click on the lock beside the URL, go to Connection is secure and then Certificate is valid.
A Certificate Viewer should open. Go to Details and, under Certificate Hierarchy, select the topmost certificate. Then select Export. Save the certificate in lesson4/wififund_less4_exer2 as ca_certificate.crt.
Note
Although the hostname redirects to mqtt-dashboard.com in the browser, the domain name has the same certificate chain as the MQTT broker.
2.2 Convert the certificate into a header file in C.
In this exercise, we will use a simple Python script that takes care of that for us. It is provided with the exercise and it will convert the certificate file into a header file certificate.h that will contain the converted certificate as a C string.
Open a new terminal, navigate to the script folder (lesson4/wififund_less4_exer2/script), and then run the Python script cert_to_header.py with the name of the certificate we want to convert as an argument:
python.exe .\cert_to_header.py ca_certificate.crt
This will generate the converted certificate.h in the /src subdirectory.
Be aware that the script assumes that the certificate is placed in the root directory of your exercise (lesson4/wififund_less4_exer2).
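To show what the conversion in step 2.2 produces, here is an added C reimplementation of the job cert_to_header.py does; it is not the exercise's own script, and the function name pem_to_header and the output file name in its usage message are this example's own choices. Each line of the PEM file becomes one quoted string literal ending in "\n", so the resulting ca_certificate[] is exactly the PEM text with a terminating NUL, which is what the TLS credential store later expects. It tolerates CRLF line endings, which a Windows certificate export commonly has.

```c
/* Added example, not the exercise's cert_to_header.py: turn a PEM certificate
 * file into a C header defining ca_certificate[] as a string literal. */
#include <stdio.h>
#include <string.h>

/* Writes the header text for `pem` into `out` (capacity `cap`).
 * Returns the number of bytes written, or -1 if it does not fit. */
static int pem_to_header(const char *pem, char *out, size_t cap)
{
    size_t used;
    const char *line = pem;
    int n;

    n = snprintf(out, cap,
                 "/* Generated from the broker's root CA export; do not edit by hand. */\n"
                 "static const unsigned char ca_certificate[] =\n");
    if (n < 0 || (size_t)n >= cap) {
        return -1;
    }
    used = (size_t)n;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        /* Strip a trailing '\r' so CRLF exports do not leak into the literal. */
        if (len > 0 && line[len - 1] == '\r') {
            len--;
        }
        /* One quoted line per PEM line; base64 and the BEGIN/END markers
         * contain no characters that need escaping in a C string. */
        if (len > 0) {
            n = snprintf(out + used, cap - used, "    \"%.*s\\n\"\n", (int)len, line);
            if (n < 0 || (size_t)n >= cap - used) {
                return -1;
            }
            used += (size_t)n;
        }
        if (nl == NULL) {
            break;
        }
        line = nl + 1;
    }

    n = snprintf(out + used, cap - used, ";\n");
    if (n < 0 || (size_t)n >= cap - used) {
        return -1;
    }
    used += (size_t)n;
    return (int)used;
}

/* Usage: pem_to_header ca_certificate.crt src/certificate.h */
int main(int argc, char **argv)
{
    char pem[8192] = {0};      /* root CA certificates are well under this */
    char header[16384];
    FILE *in, *out;
    size_t got;
    int n;

    if (argc != 3) {
        fprintf(stderr, "usage: %s ca_certificate.crt src/certificate.h\n", argv[0]);
        return 1;
    }
    in = fopen(argv[1], "rb");
    if (in == NULL) {
        perror(argv[1]);
        return 1;
    }
    got = fread(pem, 1, sizeof(pem) - 1, in);
    fclose(in);
    pem[got] = '\0';

    n = pem_to_header(pem, header, sizeof(header));
    if (n < 0) {
        fprintf(stderr, "certificate too large for output buffer\n");
        return 1;
    }
    out = fopen(argv[2], "wb");
    if (out == NULL) {
        perror(argv[2]);
        return 1;
    }
    fwrite(header, 1, (size_t)n, out);
    fclose(out);
    return 0;
}
```

Compile it with any C compiler and run it from the exercise root with the exported .crt as the first argument; the generated file is a drop-in for the certificate.h that the Python script produces.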
2.3 Include the newly generated certificate.h file in main.c
3.1 Define a macro for the security tag used to store the credential:
#define MQTT_TLS_SEC_TAG 24
3.2 Store the credential on the device.
Now we want to store the certificate on the device using tls_credential_add(), which has the following signature.
tag – The security tag associated with the certificate, in our case MQTT_TLS_SEC_TAG.
type – The type of credential we are storing, defined in tls_credential_type. To authenticate the server, we use TLS_CREDENTIAL_CA_CERTIFICATE, which is the root certificate of the server, issued by a Certificate Authority.
cred – The actual certificate, defined in the header file certificate.h and included as ca_certificate[].
credlen – Length of the certificate.
Store the certificate after connection to Wi-Fi and before attempting to connect to the MQTT broker.
In the above code, we are populating the mqtt_sec_config member of the MQTT client instance, which has the following members.
The sec_tag_list array holds the security tag associated with the server certificate, which the MQTT library should use for authentication. We set the peer certificate verification to optional by setting the peer_verify field to TLS_PEER_VERIFY_OPTIONAL. We do not specify cipher_list, to allow the use of all cipher suites available in the system. We set the hostname field to the broker hostname, which is required for server authentication.
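The following is an added example covering both step 3.2 (storing the root certificate with tls_credential_add()) and the mqtt_sec_config setup described above; it is not the exercise's main.c, and the function names store_ca_certificate(), configure_mqtt_tls(), pem_credlen() and pem_looks_like_certificate() are this example's own. The ca_certificate[] body here is a constructed placeholder, not a real certificate. Two checks are worth having before the credential is stored: mbedTLS parses a PEM credential only if the buffer is NUL-terminated and credlen counts that terminator (so sizeof(ca_certificate), not strlen()), and a blob without the BEGIN/END markers fails much later, at handshake time, with a far less obvious error. Those checks are plain C and build anywhere; the Zephyr calls are compiled only when __ZEPHYR__ is defined. Note that TLS_PEER_VERIFY_OPTIONAL, as used in the exercise, lets the handshake complete even if the chain does not validate against the stored root; TLS_PEER_VERIFY_REQUIRED aborts the connection in that case and is the setting to use once the exercise works.

```c
/* Added example, not the exercise's code: validate the PEM root certificate,
 * store it under MQTT_TLS_SEC_TAG and point the MQTT client's TLS config at it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef __ZEPHYR__
#include <errno.h>
#include <zephyr/net/mqtt.h>
#include <zephyr/net/socket.h>
#include <zephyr/net/tls_credentials.h>
#include <zephyr/sys/util.h>
#endif

#define MQTT_TLS_SEC_TAG 24

/* Constructed stand-in for the ca_certificate[] from certificate.h.
 * The base64 body is NOT a real certificate; only the PEM framing matters here. */
static const unsigned char ca_certificate[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIsIE5PVCBBIFJFQUwgQ0VSVElGSUNBVEU=\n"
    "-----END CERTIFICATE-----\n";

/* credlen for a PEM credential must include the terminating NUL, so the
 * right value is the storage size of the array. Returns 0 if the buffer
 * is not NUL-terminated (e.g. a DER blob or a strlen()-sized length). */
static size_t pem_credlen(const unsigned char *pem, size_t storage_size)
{
    if (storage_size == 0 || pem[storage_size - 1] != '\0') {
        return 0;
    }
    return storage_size;
}

/* Cheap sanity check before handing the blob to the credential store. */
static int pem_looks_like_certificate(const unsigned char *pem, size_t credlen)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    static const char end[] = "-----END CERTIFICATE-----";
    const char *s = (const char *)pem;

    if (credlen == 0 || pem[credlen - 1] != '\0') {
        return 0;
    }
    if (strncmp(s, begin, sizeof(begin) - 1) != 0) {
        return 0;
    }
    return strstr(s, end) != NULL;
}

#ifdef __ZEPHYR__
static const sec_tag_t sec_tag_list[] = { MQTT_TLS_SEC_TAG };

/* Call after Wi-Fi is connected and before mqtt_connect(). */
static int store_ca_certificate(void)
{
    size_t len = pem_credlen(ca_certificate, sizeof(ca_certificate));
    int err;

    if (!pem_looks_like_certificate(ca_certificate, len)) {
        return -EINVAL;
    }
    err = tls_credential_add(MQTT_TLS_SEC_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
                             ca_certificate, len);
    if (err == -EEXIST) {
        err = 0; /* already stored, e.g. on a reconnect; not an error */
    }
    return err;
}

/* Fill in client->transport.tls.config as the exercise describes. */
static void configure_mqtt_tls(struct mqtt_client *client, const char *hostname)
{
    struct mqtt_sec_config *tls = &client->transport.tls.config;

    client->transport.type = MQTT_TRANSPORT_SECURE;
    /* Exercise setting; TLS_PEER_VERIFY_REQUIRED enforces chain validation. */
    tls->peer_verify = TLS_PEER_VERIFY_OPTIONAL;
    tls->cipher_count = 0;         /* no cipher_list: allow every suite built in */
    tls->cipher_list = NULL;
    tls->sec_tag_count = ARRAY_SIZE(sec_tag_list);
    tls->sec_tag_list = sec_tag_list;
    tls->hostname = hostname;      /* required for server authentication */
}
#endif

#ifndef __ZEPHYR__
int main(void)
{
    size_t len = pem_credlen(ca_certificate, sizeof(ca_certificate));

    printf("credlen=%zu strlen=%zu looks_like_cert=%d\n", len,
           strlen((const char *)ca_certificate),
           pem_looks_like_certificate(ca_certificate, len));
    return 0;
}
#endif
```

On the board the order is: connect to Wi-Fi, call store_ca_certificate(), call configure_mqtt_tls() on the client with the broker hostname, then mqtt_connect(); the socket used for polling is then client.transport.tls.sock, as step 5 changes it.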
5. Update the file descriptor for the socket to use the TLS socket instead of a plain TCP socket.
In main(), change the following line
fds.fd = client.transport.tcp.sock;
to this line
fds.fd = client.transport.tls.sock;
6. Build the exercise and flash it on your board.
This exercise uses the PSA backend for storing the Wi-Fi credentials. Therefore, you must build with TF-M, using the board target for your board:
nRF7002 DK: nrf7002dk_nrf5340_cpuapp_ns
nRF5340 DK + nRF7002 EK: nrf5340dk_nrf5340_cpuapp_ns
If necessary, connect to Wi-Fi by issuing the relevant shell commands, as we have done in the previous exercises.
On a successful connection to the Wi-Fi network and connection to the MQTT broker, you should see the same log output as we did in the previous exercise.
Testing
We will basically follow the same test procedure we used in Exercise 1, except this time we will have to configure the client to use TLS before connecting.
8. Configure the MQTT client to connect using TLS.
Set up the MQTT client on your phone to connect to the same MQTT broker that the board is connecting to.
In the menu at the bottom, go to the Connect tab and input the relevant information.
Name: Any name you choose
Host: The hostname of the MQTT broker: broker.hivemq.com
Port: The port number, in this case 8883, since we are connecting over TLS
TLS/SSL: Enable this option to connect over TLS
Enabling TLS/SSL will open a separate TLS menu, which should remain with the default settings.
Note
Your phone’s OS already has the necessary root certificate stored, so we don’t need to provide a certificate in the app.
Select the white Connect button at the bottom of the page and if the connection is successful, the following message will appear and the Connect button will turn into a Disconnect button.
9. Repeat steps 12 and 13 in the previous exercise to test the communication over TLS.
Add a new connection and set it up as shown in the illustration below. Note that the port number is changed to 8883. Lastly, click on Advanced, then Certificates.
11.2 Add the server root certificate.
Add the server (MQTT broker) root certificate (ca_certificate.crt) by clicking on Server Certificate (CA) and selecting the .crt file we downloaded in step 2.1.
Then click Back.
11.3 Subscribe to topic
In the new window, under Topic, input the topic that the device is publishing to, specified in the Kconfig CONFIG_MQTT_PUB_TOPIC. The default value is wifi/fund/board/publish/button/topic99.
Select Add, and then Back to go to the previous window where you can select Connect to connect to the broker.
12. Publish commands to the LED topic, to control the LEDs on the board.
When the connection to the broker has been established, we want to publish a command to the LED topic, to control the LED on the board.
In the panel to the right, scroll down to the bottom. Enter the topic name that the board is subscribed to (set by CONFIG_MQTT_SUB_TOPIC defined in prj.conf). The default value is wifi/fund/board/subscribe/led/topic99.
Select raw as the message type and input one of the predefined commands to control the LEDs.
LED 1: LED1ON / LED1OFF
LED 2: LED2ON / LED2OFF
Click Publish and observe that the LED on the device reflects the command you sent.
13. Monitor the buttons on the board.
We programmed the device to publish a message whenever a button was pressed and we have configured the MQTT broker connection to subscribe to the topic that the device is publishing to.
Try pressing button 1 or 2 on your board and notice a message appearing on the left side of the screen. If you expand all the sub-headings, you will find the message posted at the bottom stating which button was pressed on the device.