MicroPython TLS connection to Mosquitto from Pico W

Hi. I now have a working Mosquitto TLS setup as detailed here in a previous forum post. However, I am now trying to integrate a Raspberry Pi Pico W running MicroPython into the same system, in order to ultimately connect a few environment sensors and switch a few relays. I can do what I need with user/password security, but have hit a brick wall trying to implement it with TLS. I have asked in, & researched through, both the MicroPython and Raspberry Pi Pico forums - but nobody was able to give me any definitive answers other than explaining that TLS is a dark art. All internet searches were distressingly unforthcoming too.

So, my question now is: is it actually even possible to get a secure TLS connection from a Pico W to my Mosquitto broker using MicroPython?

I’ve burnt days on this so far & now wonder if I have been wasting my time. If it is actually possible, then I’ll post my exact procedures and such code as I have currently, in the hope that someone can shed some light on what I’m doing wrong with my ssl_params & hopefully help me. If it is currently impossible, then I can forget TLS & move on to getting the rest of the project working. Thanks.

Hi Justin,

In theory (from the broker perspective) this should be possible, as the Mosquitto broker does not differentiate between the clients connecting to it. For the broker every incoming TCP connection looks the same, independent of the client implementation behind it. So it might be better to ask in a more Pico W / MicroPython oriented forum, as it’s more related to the client than to the server.

With TLS connections there are a lot of different problems you may get into. Especially with this kind of small device, because sometimes part of the TLS stack is implemented in the firmware of the device’s network chip to offload it from the CPU. And detailed information about why a connection attempt failed is usually hard to get. But in general, when establishing a TLS connection, the following steps may fail:

  1. On client connect the server will respond with its server CERT proving its identity. The client has to check this server CERT. Normal clients on Linux/Windows validate the CERT based on the internal Root CA. On embedded devices you normally have to put the CA required to validate the CERT into your device yourself. And the format of the CA may differ for different devices.
  2. Client and server need to find an overlap in the allowed algorithms (like hashing) to be used. Normally servers support a bunch of different algorithms, but some may not be allowed as they might be considered insecure or require a minimum key size. If server/client cannot find a match you may run into problems.
  3. If you are using client CERTs you need to put the CERT and key into your embedded device in the format supported by the client as well.

Hope this helps to give a better understanding of what the problem might be. Unfortunately I don’t have personal experience with the specific Pico W device myself.
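As an added example (not code from either poster), this is how the client side of step 1 above is typically expressed for umqtt.simple on a Pico W: the CA that signed the broker cert is loaded onto the device, converted to the DER bytes that MicroPython's `ssl.wrap_socket()` expects for `cadata`, and passed in `ssl_params` together with `cert_reqs=CERT_REQUIRED` and the broker hostname, so that the handshake actually verifies the broker rather than silently accepting any certificate. The hostname, port, file path and credentials are placeholders; the `ssl_params` keys are those of `ssl.wrap_socket()` in the 1.19/1.20-era firmware, and the umqtt package is assumed to be installed on the Pico.

```python
import binascii
import ssl

# Constructed placeholders, not values from the thread: replace with your own.
BROKER_HOST = "mosquitto.example.internal"  # must match a CN/SAN in the broker cert
BROKER_PORT = 8883
CA_PATH = "ca.crt"  # the CA that signed the broker cert, copied onto the Pico


def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM blob.
    MicroPython's ssl.wrap_socket() expects cadata in DER form, so a PEM
    file copied straight from the broker host must be decoded first.
    Input that is already DER (a SEQUENCE tag, 0x30) is returned as is.
    """
    if isinstance(pem, str):
        pem = pem.encode()
    if pem[:1] == b"\x30":
        return pem
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith(b"-----BEGIN"):
            inside = True
        elif line.startswith(b"-----END"):
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM certificate found")
    return binascii.a2b_base64(b"".join(body))


def build_ssl_params(ca_der, hostname):
    """ssl_params for umqtt.simple.MQTTClient: verify the broker cert
    against our CA and check the hostname (the default is CERT_NONE)."""
    return {"cert_reqs": ssl.CERT_REQUIRED, "cadata": ca_der,
            "server_hostname": hostname}


def connect_tls(client_id, user, password):
    """Connect to the broker over TLS; runs on the Pico W only, so the
    MicroPython-specific umqtt import (assumed installed) is done lazily."""
    from umqtt.simple import MQTTClient
    with open(CA_PATH, "rb") as f:
        ca_der = pem_to_der(f.read())
    client = MQTTClient(client_id, BROKER_HOST, port=BROKER_PORT, user=user,
                        password=password, ssl=True,
                        ssl_params=build_ssl_params(ca_der, BROKER_HOST))
    client.connect()  # a handshake failure typically raises OSError with the mbedtls code
    return client
```

If the handshake fails with a certificate verification error even though the CA is correct, check that the Pico's clock has been set (e.g. via NTP) before connecting, since the validity dates of the broker cert are checked against it.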

I’ve been talking to the people over at the MicroPython forum on GitHub. Getting your TLS settings correct appears to be quite an interesting exercise, and there is a lot of out-of-date information out there. As soon as I crack it I will post my findings and hopefully we can get a current recipe that works easily.