trahloff

Reputation: 657

NodeMCU fails to connect to Bluemix with TLS

I am trying to connect the NodeMCU to the IBM Bluemix IoT Foundation. The unsecured MQTT connection works splendidly and pushes data from a BMP180 to the cloud. However, when I start using TLS it won't connect to the broker. I tried to make a TLS connection with mqtt.fx and it works fine; it seems like the NodeMCU is the problem. If I run this code:

orgID="****"
BROKER = orgID..".<bluemix>"
BRPORT = 8883

CLIENTID = "d:"..orgID..":generic_esp:generic_esp_01"
print("ClientID: "..CLIENTID)
BRPWD  = "***********"

BRUSER = "use-token-auth"

local function publish()
   dofile('sensor.lc')
   m:publish('iot-2/evt/esp8266/fmt/json',payload,1,0, 
            function(conn) print('Payload published') end)
end

m = mqtt.Client(CLIENTID, 120, BRUSER, BRPWD)
c = false

print('MQTT Init')
m:on('offline', function(con) print('mqtt offline'); c = false end)
m:connect(BROKER, BRPORT, 1, function(conn) 
   print('MQTT connected: '..BROKER..':'..BRPORT) 
   c = true 
   publish()
end)

tmr.alarm(1, 1000, 1, function() 
    if not c then
      print('MQTT reconnecting')
      m:close()
      c = false
      m:connect(BROKER, BRPORT, 1, function(conn) print('.. MQTT reconnected: '..BROKER..':'..BRPORT); c = true end)
    end
    if c then
      publish()
    end
 end)

The esp8266 just prints "MQTT reconnecting" and can't connect. Is something wrong with my code, or is TLS not fully supported in NodeMCU 1.4 yet?

Upvotes: 4

Views: 830

Answers (1)

Paul Slater

Reputation: 451

I've captured your client hello in one of our test stands:

0000 16 03 02 00 33 01 00 00 2f 03 02 00 00 00 00 d0
0010 b1 a1 3a 07 1c 1b 3e f2 fc 03 91 d6 18 b5 ae 5d
0020 77 65 37 f5 07 10 45 d1 7e 1a ea 00 00 08 00 2f
0030 00 35 00 05 00 04 01 00

This looks like a TLS v1.1 client hello. Usually a client will hello with the "best" it can do and be negotiated downwards. In this case IoTF will simply close the connection because it only supports TLS 1.2. Please can you check that your device is set up to do TLS 1.2?

Upvotes: 2
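
The client hello quoted in the answer, decoded field by field. This is an added example, not part of the original answer; the function names `parse_client_hello` and `meets_minimum` are hypothetical, and the TLS 1.2 minimum is the one the answer states for IoTF.

```python
import struct

# Bytes copied from the capture quoted in the answer above.
CAPTURE = bytes.fromhex(
    "16 03 02 00 33 01 00 00 2f 03 02 00 00 00 00 d0"
    "b1 a1 3a 07 1c 1b 3e f2 fc 03 91 d6 18 b5 ae 5d"
    "77 65 37 f5 07 10 45 d1 7e 1a ea 00 00 08 00 2f"
    "00 35 00 05 00 04 01 00"
)
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {  # IANA names for the suites that occur in this capture
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}

def parse_client_hello(data):
    """Decode one TLS record holding a ClientHello; ValueError if malformed."""
    try:
        ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
        body = data[5:5 + rec_len]
        if ctype != 22 or len(body) != rec_len or body[0] != 1:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        (client_ver,) = struct.unpack("!H", hello[:2])
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id
        (n,) = struct.unpack("!H", hello[pos:pos + 2])
        suites = list(struct.unpack("!%dH" % (n // 2), hello[pos + 2:pos + 2 + n]))
        pos += 2 + n
        pos += 1 + hello[pos]             # skip compression_methods
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "has_extensions": pos < len(hello)}

def meets_minimum(hello, minimum=0x0303):
    """True when the highest version the client offers is >= minimum."""
    return hello["client_version"] >= minimum

if __name__ == "__main__":
    h = parse_client_hello(CAPTURE)
    print("offers", VERSIONS.get(h["client_version"], hex(h["client_version"])))
    for s in h["cipher_suites"]:
        print("  0x%04X %s" % (s, SUITES.get(s, "unknown")))
    print("acceptable to a TLS 1.2-only broker:", meets_minimum(h))
```

For this capture the parser reports a client version of 0x0302 (TLS 1.1), four RSA cipher suites and no extensions, so the TLS 1.2 minimum check fails.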
