nRF Project: MQTT v5 TLS Setup using MQTT_Publisher example #97431

yudi-khatri · 2025-10-13T03:06:00Z

yudi-khatri
Oct 13, 2025

Hi guys,

I have MQTT v5 up and running but I am currently trying to implement one-way TLS then mutual TLS once it's completed. I am not too sure what I am doing wrong, also I am pretty new to this.

I am including my files for your perusal. Most of it I have implemented from the NCS zephyr MQTT publisher example that is provided but using my own certs and the nRF5340DK board along with the W5500 controller board. Any help would be appreciated has I have been suck on this.

Full Details, please click

I always seem to get the following error in my serial terminal:

[00:00:00.307,952] <inf> eth_w5500: W5500 Initialized *** Booting nRF Connect SDK v3.1.1-e2a97fe2578a *** *** Using Zephyr OS v4.1.99-ff8f0c579eeb *** [00:00:00.310,180] <inf> app: Waiting for network interface to be up... [00:00:01.808,319] <inf> eth_w5500: ethernet@0: Link up [00:00:01.811,218] <inf> app: Network interface is up; starting DHCPv4... [00:00:09.826,812] <inf> net_dhcpv4: Received: 192.168.50.210 [00:00:11.312,957] <inf> app: IPv4 address: 192.168.50.210 [00:00:11.312,957] <inf> app: Adding CA certificate (size: 1550 bytes) [00:00:11.312,988] <inf> app: Successfully added CA certificate [00:00:11.313,018] <inf> app: tls_init: 0 <OK> [00:00:11.313,018] <inf> app: attempting to connect: [00:00:11.313,110] <inf> app: TLS configuration complete [00:00:11.313,262] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x20002098 [00:00:11.313,720] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x200039e4, fd=4 [00:00:11.397,613] <err> net_sock_tls: Failed to parse CA certificate, err: -0x2180 [00:00:11.397,796] <dbg> net_sock: zsock_close_ctx: (main): close: ctx=0x200039e4, fd=4 [00:00:11.398,742] <inf> app: mqtt_connect: -22 <ERROR> [00:00:11.898,895] <inf> app: TLS configuration complete [00:00:11.899,108] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x20002098 [00:00:11.899,536] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x20003a78, fd=4 [00:00:11.909,423] <err> net_sock_tls: Failed to parse CA certificate, err: -0x2180

The TCP dump output is below and my interpretation of it:

TCP connect succeeds.
The client app closes the socket before sending any TLS data (no ClientHello seen).
The broker, having seen an abrupt close/invalid record boundary, replies with a fatal decode_error alert and closes.

14:54:08.975175 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 44) 192.168.50.210.40075 > 192.168.50.215.8883: Flags [S], cksum 0x3f44 (correct), seq 1483820942, win 2730, options [mss 1460], length 0	0x0000: 4500 002c 0000 0000 4006 93d2 c0a8 32d2 E..,....@.....2.	0x0010: c0a8 32d7 9c8b 22b3 5871 4f8e 0000 0000 ..2...".XqO..... 0x0020: 6002 0aaa 3f44 0000 0204 05b4 0000 `...?D........ 14:54:08.976186 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)  192.168.50.215.8883 > 192.168.50.210.40075: Flags [S.], cksum 0xf3a3 (correct), seq 608907758, ack 1483820943, win 65535, options [mss 1460], length 0 0x0000: 4500 002c 0000 4000 4006 53d2 c0a8 32d7 E..,..@.@.S...2. 0x0010: c0a8 32d2 22b3 9c8b 244b 31ee 5871 4f8f ..2."...$K1.XqO. 0x0020: 6012 ffff f3a3 0000 0204 05b4 `........... 14:54:08.983478 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)  192.168.50.210.40075 > 192.168.50.215.8883: Flags [.], cksum 0x00b7 (correct), seq 1, ack 1, win 2730, length 0 0x0000: 4500 0028 0000 0000 4006 93d6 c0a8 32d2 E..(....@.....2. 0x0010: c0a8 32d7 9c8b 22b3 5871 4f8f 244b 31ef ..2...".XqO.$K1. 0x0020: 5010 0aaa 00b7 0000 0000 0000 0000 P............. 14:54:08.985019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)  192.168.50.210.40075 > 192.168.50.215.8883: Flags [F.], cksum 0x00b6 (correct), seq 1, ack 1, win 2730, length 0 0x0000: 4500 0028 0000 0000 4006 93d6 c0a8 32d2 E..(....@.....2. 0x0010: c0a8 32d7 9c8b 22b3 5871 4f8f 244b 31ef ..2...".XqO.$K1. 0x0020: 5011 0aaa 00b6 0000 0000 0000 0000 P............. 14:54:08.985228 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)  192.168.50.215.8883 > 192.168.50.210.40075: Flags [.], cksum 0x0b60 (correct), seq 1, ack 2, win 65535, length 0 0x0000: 4500 0028 0000 4000 4006 53d6 c0a8 32d7 E..(..@.@.S...2. 0x0010: c0a8 32d2 22b3 9c8b 244b 31ef 5871 4f90 ..2."...$K1.XqO. 0x0020: 5010 ffff 0b60 0000 P....`.. 14:54:08.987085 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 47)  192.168.50.215.8883 > 192.168.50.210.40075: Flags [P.], cksum 0xbf4b (correct), seq 1:8, ack 2, win 65535, length 7 0x0000: 4500 002f 0000 4000 4006 53cf c0a8 32d7 E../..@.@.S...2. 0x0010: c0a8 32d2 22b3 9c8b 244b 31ef 5871 4f90 ..2."...$K1.XqO. 0x0020: 5018 ffff bf4b 0000 1503 0300 0202 32 P....K........2 14:54:08.987403 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)  192.168.50.215.8883 > 192.168.50.210.40075: Flags [F.], cksum 0x0b58 (correct), seq 8, ack 2, win 65535, length 0 0x0000: 4500 0028 0000 4000 4006 53d6 c0a8 32d7 E..(..@.@.S...2. 0x0010: c0a8 32d2 22b3 9c8b 244b 31f6 5871 4f90 ..2."...$K1.XqO. 0x0020: 5011 ffff 0b58 0000 P....X.. 14:54:08.996072 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)  192.168.50.210.40075 > 192.168.50.215.8883: Flags [R], cksum 0x61a6 (correct), seq 1483820944, win 0, length 0 0x0000: 4500 0028 0000 0000 4006 93d6 c0a8 32d2 E..(....@.....2. 0x0010: c0a8 32d7 9c8b 22b3 5871 4f90 0000 0000 ..2...".XqO..... 0x0020: 5004 0000 61a6 0000 0000 0000 0000 P...a......... 14:54:09.488659 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 44)  192.168.50.210.55445 > 192.168.50.215.8883: Flags [S], cksum 0x6c11 (correct), seq 765989248, win 2730, options [mss 1460], length 0 0x0000: 4500 002c 0000 0000 4006 93d2 c0a8 32d2 E..,....@.....2. 0x0010: c0a8 32d7 d895 22b3 2da8 1180 0000 0000 ..2...".-....... 0x0020: 6002 0aaa 6c11 0000 0204 05b4 0000 `...l......... 14:54:09.489540 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)  192.168.50.215.8883 > 192.168.50.210.55445: Flags [S.], cksum 0x1db8 (correct), seq 2464269840, ack 765989249, win 65535, options [mss 1460], length 0 0x0000: 4500 002c 0000 4000 4006 53d2 c0a8 32d7 E..,..@.@.S...2. 0x0010: c0a8 32d2 22b3 d895 92e1 c610 2da8 1181 ..2.".......-... 0x0020: 6012 ffff 1db8 0000 0204 05b4 `........... 14:54:09.496937 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)  192.168.50.210.55445 > 192.168.50.215.8883: Flags [.], cksum 0x2acb (correct), seq 1, ack 1, win 2730, length 0 0x0000: 4500 0028 0000 0000 4006 93d6 c0a8 32d2 E..(....@.....2. 0x0010: c0a8 32d7 d895 22b3 2da8 1181 92e1 c611 ..2...".-....... 0x0020: 5010 0aaa 2acb 0000 0000 0000 0000 P...*......... 14:54:09.498449 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)  192.168.50.210.55445 > 192.168.50.215.8883: Flags [F.], cksum 0x2aca (correct), seq 1, ack 1, win 2730, length 0 0x0000: 4500 0028 0000 0000 4006 93d6 c0a8 32d2 E..(....@.....2. 0x0010: c0a8 32d7 d895 22b3 2da8 1181 92e1 c611 ..2...".-....... 0x0020: 5011 0aaa 2aca 0000 0000 0000 0000 P...*......... 14:54:09.498635 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)  192.168.50.215.8883 > 192.168.50.210.55445: Flags [.], cksum 0x3574 (correct), seq 1, ack 2, win 65535, length 0 0x0000: 4500 0028 0000 4000 4006 53d6 c0a8 32d7 E..(..@.@.S...2. 0x0010: c0a8 32d2 22b3 d895 92e1 c611 2da8 1182 ..2.".......-... 0x0020: 5010 ffff 3574 0000 P...5t.. 14:54:09.498784 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 47)  192.168.50.215.8883 > 192.168.50.210.55445: Flags [P.], cksum 0xe95f (correct), seq 1:8, ack 2, win 65535, length 7 0x0000: 4500 002f 0000 4000 4006 53cf c0a8 32d7 E../..@.@.S...2. 0x0010: c0a8 32d2 22b3 d895 92e1 c611 2da8 1182 ..2.".......-... 0x0020: 5018 ffff e95f 0000 1503 0300 0202 32 P...._........2 14:54:09.498876 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)  192.168.50.215.8883 > 192.168.50.210.55445: Flags [F.], cksum 0x356c (correct), seq 8, ack 2, win 65535, length 0 0x0000: 4500 0028 0000 4000 4006 53d6 c0a8 32d7 E..(..@.@.S...2. 0x0010: c0a8 32d2 22b3 d895 92e1 c618 2da8 1182 ..2.".......-... 0x0020: 5011 ffff 356c 0000 P...5l.. 14:54:09.509352 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40)  192.168.50.210.55445 > 192.168.50.215.8883: Flags [R], cksum 0x8e73 (correct), seq 765989250, win 0, length 0 0x0000: 4500 0028 0000 0000 4006 93d6 c0a8 32d2 E..(....@.....2. 0x0010: c0a8 32d7 d895 22b3 2da8 1182 0000 0000 ..2...".-....... 0x0020: 5004 0000 8e73 0000 0000 0000 0000 P....s........

# My prj.conf file contents # ---------- Logging ---------- CONFIG_LOG=y CONFIG_LOG_DEFAULT_LEVEL=3 CONFIG_PRINTK=y CONFIG_NET_LOG=y CONFIG_LOG_RUNTIME_FILTERING=y # Shell over UART + log commands CONFIG_SHELL=y CONFIG_SHELL_BACKEND_SERIAL=y CONFIG_SHELL_STACK_SIZE=4096 CONFIG_SHELL_CMD_BUFF_SIZE=128 CONFIG_LOG_CMDS=y # ---------- Peripherals ---------- CONFIG_SPI=y CONFIG_GPIO=y # ---------- Networking ---------- CONFIG_NETWORKING=y CONFIG_NET_L2_ETHERNET=y CONFIG_ETH_W5500=y CONFIG_NET_IPV4=y CONFIG_NET_IPV6=n CONFIG_NET_SOCKETS=y CONFIG_NET_TCP=y CONFIG_NET_UDP=y CONFIG_NET_DHCPV4=y CONFIG_NET_MGMT=y # Optional but handy: `net` shell commands CONFIG_NET_SHELL=y # ---------- MQTT over TCP ---------- CONFIG_MQTT_LIB=y CONFIG_MQTT_KEEPALIVE=60 CONFIG_MQTT_VERSION_5_0=y # ---------- MQTT with TLS ---------- CONFIG_MQTT_LIB_TLS=y CONFIG_NET_SOCKETS_SOCKOPT_TLS=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_BUILTIN=y CONFIG_MBEDTLS_TLS_LIBRARY=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_TLS_CREDENTIAL_FILENAMES=y CONFIG_MBEDTLS_HEAP_SIZE=65536 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096 # ---------- Froce TLS 1.2 ---------- CONFIG_MBEDTLS_TLS_VERSION_1_2=y CONFIG_MBEDTLS_TLS_VERSION_1_3=n # Enable specific ciphersuites CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y CONFIG_MBEDTLS_AES_C=y CONFIG_MBEDTLS_CIPHER_MODE_CBC=y CONFIG_MBEDTLS_CIPHER_MODE_CTR=y # ---------- Buffers / stacks ---------- CONFIG_NET_BUF_TX_COUNT=32 CONFIG_NET_BUF_RX_COUNT=32 CONFIG_NET_BUF_DATA_SIZE=256 CONFIG_MAIN_STACK_SIZE=16384 CONFIG_NET_RX_STACK_SIZE=6144 CONFIG_NET_TX_STACK_SIZE=6144 CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096 # ---------- Safety ---------- CONFIG_HW_STACK_PROTECTION=y CONFIG_STACK_SENTINEL=y CONFIG_INIT_STACKS=y CONFIG_THREAD_NAME=y CONFIG_STACK_USAGE=y # ---------- Other ---------- # Enable entropy CONFIG_ENTROPY_GENERATOR=y CONFIG_TEST_RANDOM_GENERATOR=y # Enable logging for TLS debugging CONFIG_MBEDTLS_DEBUG=y CONFIG_MBEDTLS_DEBUG_LEVEL=4 CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y CONFIG_MBEDTLS_LOG_LEVEL_DBG=y # Enable POSIX API and poll() support CONFIG_POSIX_API=y CONFIG_POLL=y

# config.h file contents #ifndef __CONFIG_H__ #define __CONFIG_H__ /*------------ Project Settings ------------*/ #define BROKER_IP "192.168.50.215" #define BROKER_NAME "mqtt.local" #ifdef CONFIG_MQTT_LIB_TLS /* MQTT over TLS */ #define BROKER_PORT 8883 #else /* MQTT over TCP */ #define BROKER_PORT 1883 #endif #define CLIENT_ID "nrf5340-w5500" #define SUB_TOPIC "test/topic" #define SUB_QOS MQTT_QOS_1_AT_LEAST_ONCE #define APP_CONNECT_TIMEOUT_MS2000 // Timeout for connect #define APP_SLEEP_MSECS500 // Sleep time between retries #define APP_CONNECT_TRIES10 // Number of tries to connect #define APP_MQTT_BUFFER_SIZE 128 // MQTT buffer size /* Set the following to 1 to enable the Hospital topic format */ #define APP_HOSPITAL_TOPIC0 /* These are the parameters for the HOSPITAL topic format */ #if APP_HOSPITAL_TOPIC #define HOSPITAL_DEVTYPE"scanner" #define HOSPITAL_DEVID"roomID001" #define HOSPITAL_EVENT"status" #define HOSPITAL_FORMAT"json" #endif #endif /* __CONFIG_H__ END*/

static const unsigned char ca_certificate_pem[] = { // Each line must end with \n "-----BEGIN CERTIFICATE-----\n" "MIIESzCCAjOgAwIBAgIUYXneSNYCndBI3LWnFUdhFWzEfZUwDQYJKoZIhvcNAQEL\n" "BQAwGjEYMBYGA1UEAwwPTXkgTVFUVCBSb290IENBMB4XDTI1MTAxMTIzNTY0MloX\n" "DTI2MTAxMTIzNTY0MlowFTETMBEGA1UEAwwKbXF0dC5sb2NhbDCCASIwDQYJKoZI\n" "hvcNAQEBBQADggEPADCCAQoCggEBAKcqb5tuu15M0ipQi8r9909f8uVZk+cg0vOX\n" "uPQDHBddeTD4xHRrsje8U+mLo28NOxgxtFM+2bdSU2V/2jejV0qMF932mJElDjbX\n" "gWwLjDBYJLMGg5FBzHPp5Ew+c5KiR5kmEacX3hz77NqGb/BmE5hEtLpuSunk7jJu\n" "ZHiUISK5TZa8jkThKEtJFamkDMdHX6faUrRdNDjWKISyfBInTeXgJ14T51rRTQXW\n" "XefNCco912GYQic5JvSony+s/iBadHcgbnzcWnex6zEMam297WQN1QIV1g5xM30C\n" "Jp1EL4jOyxjwLpOCjrKpvmf5ioZOQvZoAxb2FOgZj+CHa1yLx1MCAwEAAaOBjTCB\n" "ijAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAb\n" "BgNVHREEFDASggptcXR0LmxvY2FshwTAqDLXMB0GA1UdDgQWBBSqW00lCs6ssJu/\n" "dM/3AWa+QsyFMDAfBgNVHSMEGDAWgBRXuHDH/BkqZSKOCbXr5cNEE6j90zANBgkq\n" "hkiG9w0BAQsFAAOCAgEAJAkCMvRVRE893vLzoIDc9qWVfknLCfONclBwAMdG/NSs\n" "9serlROkf9CrS7bDmIEmZZbq5+L090TXRB8/8SXeF1f/8S7OfA1GTKVS/WNm1Tdx\n" "nNiCikMQscbgYxrLRXjDb+x6AvxkdvoDPlSUjmmNWO2oj5Lz6WGfJWnw11bgBiE2\n" "HZwUKBOzWbCOn9lzz8+mW/ES/LEYgCUXwe7FgOW3imPKecyh8n5nKJV+URI+Daqp\n" "oQSWPAJkY+QhtNBHNm0ry41sULukRZzsf1lTPPg/ZwVJmfkntPcPJdBJ+eUPStiu\n" "qRQ6+IgWW1oHsjWWjAZ4EyBLlGfJSz5ZmOuE9WQcGgEUYUiqw0Q6aHiFS9YYg+Iq\n" "OU0+wZQb+xeMpK4ziI3nckHkVLro6YsAYSbx8Sd0UGbivCAbG0NfUJSXW4MMPLhY\n" "Mg5AgTaMcstRuyevIwHrdVfXpq/3xyiYELy8oWDd3V0TdvhBReJawkpeHV1YC14B\n" "Zkxh+Bdz4+SDKrWzWLYdooPgMvkPpL8zCt7KhfWI/LT43UsloPhZBoasLxSzu2A4\n" "M/2t2rkSdVcs0qtTcqGMBwiIHj6z9zyWnS9Qxl06egmYI8lbKcknJNjAuDNzVkZz\n" "+RTM8uNQJr4kiOM0cP9ek53TfRrKdaiCvzqal/hyy6C5U6LBBCa9+9ehjhwiskc=\n" "-----END CERTIFICATE-----\n" };

[main.c](https://github.com/user-attachments/files/22876151/main.c)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

nRF Project: MQTT v5 TLS Setup using MQTT_Publisher example #97431

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

nRF Project: MQTT v5 TLS Setup using MQTT_Publisher example #97431

Uh oh!

yudi-khatri Oct 13, 2025

Replies: 0 comments

yudi-khatri
Oct 13, 2025