No server hello when using lwip

Hi everyone

I am looking into using a stm32 nucleo board as a mqtt client. However, when I try to connect to the cloud via lwIP-mqtt and mbedtls, the server responds to my client hello packet with no server hello, but just acknowledges it and then terminates the tcp connection immediately. Server name indication is enabled, so I guess that the problem is elsewhere. Which tls extensions are required to connect to the hivemq cloud?

I don’t have any issues when I am connecting to the broker from a PC using MQTT.fx…

Captured data from WireShark:

25	7.251157	192.168.70.111	46.137.47.218	TCP	60	52432 → 8883 [SYN] Seq=0 Win=2144 Len=0 MSS=536
26	7.285539	46.137.47.218	192.168.70.111	TCP	60	8883 → 52432 [SYN, ACK] Seq=0 Ack=1 Win=62727 Len=0 MSS=536
27	7.286621	192.168.70.111	46.137.47.218	TLSv1.2	204	Client Hello
28	7.320530	46.137.47.218	192.168.70.111	TCP	60	8883 → 52432 [ACK] Seq=1 Ack=151 Win=62577 Len=0
29	7.322115	46.137.47.218	192.168.70.111	TCP	60	8883 → 52432 [FIN, ACK] Seq=1 Ack=151 Win=62577 Len=0
30	7.324204	192.168.70.111	46.137.47.218	TCP	60	52432 → 8883 [FIN, ACK] Seq=151 Ack=2 Win=2143 Len=0

Contents of the client hello packet:

Frame 27: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface \Device\NPF_{7ADF031A-D4DD-4E83-B8B3-893EE9EF2751}, id 0
Ethernet II, Src: STMicroe_00:30:31 (00:80:e1:00:30:31), Dst: Sonicwal_05:80:14 (18:b1:69:05:80:14)
    Destination: Sonicwal_05:80:14 (18:b1:69:05:80:14)
    Source: STMicroe_00:30:31 (00:80:e1:00:30:31)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.70.111, Dst: 46.137.47.218
Transmission Control Protocol, Src Port: 52432, Dst Port: 8883, Seq: 1, Ack: 1, Len: 150
    Source Port: 52432
    Destination Port: 8883
    [Stream index: 0]
    [Conversation completeness: Complete, WITH_DATA (31)]
    [TCP Segment Len: 150]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 6510
    [Next Sequence Number: 151    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 2873795109
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 2144
    [Calculated window size: 2144]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x0620 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.035464000 seconds]
        [Time since previous frame in this TCP stream: 0.001082000 seconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 26]
        [The RTT to ACK the segment was: 0.001082000 seconds]
        [iRTT: 0.035464000 seconds]
        [Bytes in flight: 150]
        [Bytes sent since last PSH flag: 150]
    TCP payload (150 bytes)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 145
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 141
            Version: TLS 1.2 (0x0303)
            Random: ffffffff3cced6f97d20594b50e992495b8a682fb278714ec11a078b079f2308
                GMT Unix Time: Feb  7, 2106 07:28:15.000000000 Mitteleuropäische Zeit
                Random Bytes: 3cced6f97d20594b50e992495b8a682fb278714ec11a078b079f2308
            Session ID Length: 0
            Cipher Suites Length: 6
            Cipher Suites (3 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 94
            Extension: server_name (len=56)
                Type: server_name (0)
                Length: 56
                Server Name Indication extension
                    Server Name list length: 54
                    Server Name Type: host_name (0)
                    Server Name length: 51
                    Server Name: 1081eb36f727481f914ddd664f1415d2.s1.eu.hivemq.cloud
            Extension: signature_algorithms (len=10)
                Type: signature_algorithms (13)
                Length: 10
                Signature Hash Algorithms Length: 8
                Signature Hash Algorithms (4 algorithms)
            Extension: supported_groups (len=6)
                Type: supported_groups (10)
                Length: 6
                Supported Groups List Length: 4
                Supported Groups (2 groups)
                    Supported Group: secp384r1 (0x0018)
                    Supported Group: secp256r1 (0x0017)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            [JA3 Fullstring: 771,49196-49195-255,0-13-10-11-23,24-23,0]
            [JA3: 01bce1fdefb33276c4f5ec0b5cebed4c]

Any help is greatly appreciated!

Hi Robin,

welcome to our MQTT community!

  • Could you please share the your code / parameters used for the connection(s)?
  • Does your device/libraries require server certificate?

Thank you,
Dasha from HiveMQ Team