NuMaker connection with AWS IoT thru MQTT/HTTPS (Mbed OS 6)

Dependencies:   MQTT

Committer: ccli8
Date: Fri Sep 03 13:45:05 2021 +0800
Revision: 46:871e0ad86526
Parent: 27:b12add202b88
Child: 48:ffe503ce537d
Upgrade to Mbed OS 6

1. Update to mbed-os 6.14
2. Enable cmake
3. Add new target
- NU_M2354
4. Remove Mbed OS 5 only targets
- NU_PFM_M2351_NPSA_NS
- NU_M2354_NPSA_NS
5. Update readme

Who changed what in which revision?

User | Revision | Line number | New contents of line
ccli8 1:5ffad9f24d63 1 # Example for Connection with AWS IoT thru MQTT/HTTPS on Mbed OS
ccli8 1:5ffad9f24d63 2
ccli8 1:5ffad9f24d63 3 This is an example to demonstrate connection with [AWS IoT](https://aws.amazon.com/iot)
ccli8 1:5ffad9f24d63 4 on Nuvoton Mbed-enabled boards.
ccli8 1:5ffad9f24d63 5
ccli8 1:5ffad9f24d63 6 ## Supported platforms
ccli8 1:5ffad9f24d63 7 On Mbed OS, connection with AWS IoT requires Mbed TLS. It requires more than 64 KB RAM.
ccli8 1:5ffad9f24d63 8 Currently, the following Nuvoton Mbed-enabled boards can afford such a memory footprint:
ccli8 1:5ffad9f24d63 9 - [NuMaker-PFM-NUC472](https://developer.mbed.org/platforms/Nuvoton-NUC472/)
ccli8 1:5ffad9f24d63 10 - [NuMaker-PFM-M487](https://developer.mbed.org/platforms/NUMAKER-PFM-M487/)
ccli8 27:b12add202b88 11 - [NuMaker-IoT-M487](https://os.mbed.com/platforms/NUMAKER-IOT-M487/)
ccli8 46:871e0ad86526 12 - [NuMaker-M2354](https://os.mbed.com/platforms/NUMAKER-M2354/)
ccli8 1:5ffad9f24d63 13
ccli8 1:5ffad9f24d63 14 ## Access and manage AWS IoT Service
ccli8 1:5ffad9f24d63 15 To run the example, you need to register one [AWS account](https://aws.amazon.com/)
ccli8 1:5ffad9f24d63 16 to access and manage AWS IoT Service for your device to connect with.
ccli8 1:5ffad9f24d63 17 This [link](https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html) gives detailed
ccli8 1:5ffad9f24d63 18 information about it.
ccli8 1:5ffad9f24d63 19
ccli8 1:5ffad9f24d63 20 1. Sign in to [AWS Management Console](https://aws.amazon.com/console/).
ccli8 1:5ffad9f24d63 21 1. Enter AWS IoT Service.
ccli8 1:5ffad9f24d63 22 1. In AWS IoT Service, create a thing.
ccli8 1:5ffad9f24d63 23 The Console may prompt you to also create a certificate and a policy. Skip that for now; you will create them later.
ccli8 1:5ffad9f24d63 24 1. In AWS IoT Service, create a policy. A workable example is shown below.
ccli8 1:5ffad9f24d63 25 Note that you need to replace **REGION** and **ACCOUNT** to match your case.
ccli8 1:5ffad9f24d63 26
ccli8 1:5ffad9f24d63 27 <pre>
ccli8 1:5ffad9f24d63 28 {
ccli8 1:5ffad9f24d63 29 "Version": "2012-10-17",
ccli8 1:5ffad9f24d63 30 "Statement": [
ccli8 1:5ffad9f24d63 31 {
ccli8 1:5ffad9f24d63 32 "Effect": "Allow",
ccli8 1:5ffad9f24d63 33 "Action": "iot:Connect",
ccli8 1:5ffad9f24d63 34 "Resource": "arn:aws:iot:<b>REGION</b>:<b>ACCOUNT</b>:client/*"
ccli8 1:5ffad9f24d63 35 },
ccli8 1:5ffad9f24d63 36 {
ccli8 1:5ffad9f24d63 37 "Effect": "Allow",
ccli8 1:5ffad9f24d63 38 "Action": "iot:Subscribe",
ccli8 1:5ffad9f24d63 39 "Resource": ["arn:aws:iot:<b>REGION</b>:<b>ACCOUNT</b>:topicfilter/*"]
ccli8 1:5ffad9f24d63 40 },
ccli8 1:5ffad9f24d63 41 {
ccli8 1:5ffad9f24d63 42 "Effect": "Allow",
ccli8 1:5ffad9f24d63 43 "Action": ["iot:Publish", "iot:Receive"],
ccli8 1:5ffad9f24d63 44 "Resource": "arn:aws:iot:<b>REGION</b>:<b>ACCOUNT</b>:topic/*"
ccli8 1:5ffad9f24d63 45 },
ccli8 1:5ffad9f24d63 46 {
ccli8 1:5ffad9f24d63 47 "Effect": "Allow",
ccli8 1:5ffad9f24d63 48 "Action": ["iot:UpdateThingShadow", "iot:GetThingShadow", "iot:DeleteThingShadow"],
ccli8 1:5ffad9f24d63 49 "Resource": "arn:aws:iot:<b>REGION</b>:<b>ACCOUNT</b>:thing/*"
ccli8 1:5ffad9f24d63 50 }
ccli8 1:5ffad9f24d63 51 ]
ccli8 1:5ffad9f24d63 52 }
ccli8 1:5ffad9f24d63 53 </pre>
ccli8 1:5ffad9f24d63 54
ccli8 1:5ffad9f24d63 55 1. In AWS IoT Service, create a certificate. You get 4 security credential files from it.
ccli8 1:5ffad9f24d63 56 Download them for later use.
ccli8 1:5ffad9f24d63 57 - AWS IoT's CA certificate
ccli8 1:5ffad9f24d63 58 - User certificate
ccli8 1:5ffad9f24d63 59 - User private key
ccli8 1:5ffad9f24d63 60 - User public key
ccli8 1:5ffad9f24d63 61
ccli8 1:5ffad9f24d63 62 After creating the certificate, do:
ccli8 1:5ffad9f24d63 63 1. Activate the certificate
ccli8 1:5ffad9f24d63 64 1. Attach the thing created above to the certificate
ccli8 1:5ffad9f24d63 65 1. Attach the policy created above to the certificate
ccli8 1:5ffad9f24d63 66
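The example policy above grants each action on every client ID, topic and thing in the account. The following sketch is an added example, not part of the original README or the project's code: it flags those account-wide grants and narrows them to a single device, and it goes slightly beyond the page by approximating policy `*` matching with `fnmatch`. The helper names are hypothetical, and the client ID, thing name and topic prefix are taken from the sample log further down the page.

```python
import copy
import json
from fnmatch import fnmatchcase

ARN = "arn:aws:iot:REGION:ACCOUNT:"  # REGION/ACCOUNT stay placeholders, as on the page

# The page's example policy with the <b> markup removed.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": ARN + "client/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": [ARN + "topicfilter/*"]},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": ARN + "topic/*"},
    {"Effect": "Allow", "Resource": ARN + "thing/*", "Action": [
        "iot:UpdateThingShadow", "iot:GetThingShadow", "iot:DeleteThingShadow"]},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def split_resource(arn):
    """'arn:aws:iot:R:A:topic/a/b' -> ('topic', 'a/b')."""
    rtype, _, tail = arn.split(":", 5)[5].partition("/")
    return rtype, tail

def audit(policy):
    """Return (action, resource) pairs whose resource is '<type>/*' (account-wide)."""
    return [(action, res)
            for st in policy["Statement"] if st["Effect"] == "Allow"
            for res in as_list(st["Resource"]) if split_resource(res)[1] == "*"
            for action in as_list(st["Action"])]

def scope(policy, client_id, thing, topic_prefix):
    """Narrow every '<type>/*' resource to one client ID, one thing and its topics."""
    topics = [f"{topic_prefix}/*", f"$aws/things/{thing}/shadow/*"]
    narrow = {"client": [client_id], "thing": [thing],
              "topic": topics, "topicfilter": topics}
    scoped = copy.deepcopy(policy)
    for st in scoped["Statement"]:
        resources = []
        for res in as_list(st["Resource"]):
            rtype, tail = split_resource(res)
            if tail == "*":
                resources += [f"{ARN}{rtype}/{t}" for t in narrow[rtype]]
            else:
                resources.append(res)
        st["Resource"] = resources
    return scoped

def allows(policy, action, resource):
    """Approximate evaluation: '*' in a policy resource matches any string."""
    return any(action in as_list(st["Action"])
               and any(fnmatchcase(resource, r) for r in as_list(st["Resource"]))
               for st in policy["Statement"] if st["Effect"] == "Allow")

if __name__ == "__main__":
    # Client ID, thing name and topic prefix are the ones in the page's sample log.
    tight = scope(PAGE_POLICY, "002E0051-013B87F3-00000021",
                  "Nuvoton-Mbed-D001", "Nuvoton/Mbed")
    print(len(audit(PAGE_POLICY)), "account-wide grants before,", len(audit(tight)), "after")
    print(json.dumps(tight, indent=2))
```

With the scoped policy attached, the client name configured in `main.cpp` must match the client ID written into the policy, since the policy no longer permits arbitrary client names.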
ccli8 1:5ffad9f24d63 67 ## Configure your device with AWS IoT
ccli8 1:5ffad9f24d63 68 Before connecting your device with AWS IoT, you need to configure the security credentials and
ccli8 1:5ffad9f24d63 69 protocol-dependent parameters into your device. These settings are all centralized in `main.cpp`.
ccli8 1:5ffad9f24d63 70
ccli8 1:5ffad9f24d63 71 ### Configure certificate into your device
ccli8 1:5ffad9f24d63 72 From above, you've got 4 security credential files: CA certificate and user certificate/private key/public key.
ccli8 1:5ffad9f24d63 73 Configure CA certificate, user certificate, and user private key into your device.
ccli8 1:5ffad9f24d63 74 User public key has been included in user certificate and is not used here.
ccli8 1:5ffad9f24d63 75 1. Replace the CA certificate with the one downloaded from the Console.
ccli8 1:5ffad9f24d63 76 ```
ccli8 1:5ffad9f24d63 77 const char SSL_CA_CERT_PEM[] = "-----BEGIN CERTIFICATE-----\n"
ccli8 46:871e0ad86526 78 "Replace Me"
ccli8 1:5ffad9f24d63 79 ```
ccli8 1:5ffad9f24d63 80
ccli8 1:5ffad9f24d63 81 1. Replace the user certificate with the one downloaded from the Console.
ccli8 1:5ffad9f24d63 82 ```
ccli8 1:5ffad9f24d63 83 const char SSL_USER_CERT_PEM[] = "-----BEGIN CERTIFICATE-----\n"
ccli8 46:871e0ad86526 84 "Replace Me"
ccli8 1:5ffad9f24d63 85 ```
ccli8 1:5ffad9f24d63 86
ccli8 1:5ffad9f24d63 87 1. Replace the user private key with the one downloaded from the Console.
ccli8 1:5ffad9f24d63 88 ```
ccli8 1:5ffad9f24d63 89 const char SSL_USER_PRIV_KEY_PEM[] = "-----BEGIN RSA PRIVATE KEY-----\n"
ccli8 46:871e0ad86526 90 "Replace Me"
ccli8 1:5ffad9f24d63 91 ```
ccli8 1:5ffad9f24d63 92
ccli8 46:871e0ad86526 93 **NOTE:** The credential hard-coded in source code may get deactivated or deleted.
ccli8 4:dc23eeba885a 94 Use your own credential for connection with AWS IoT.
ccli8 4:dc23eeba885a 95
ccli8 1:5ffad9f24d63 96 ### Connect through MQTT
ccli8 1:5ffad9f24d63 97 To connect your device with AWS IoT through MQTT, you need to configure the following parameters.
ccli8 1:5ffad9f24d63 98
ccli8 1:5ffad9f24d63 99 1. Enable connection through MQTT.
ccli8 1:5ffad9f24d63 100 ```
ccli8 1:5ffad9f24d63 101 #define AWS_IOT_MQTT_TEST 1
ccli8 1:5ffad9f24d63 102 ```
ccli8 1:5ffad9f24d63 103
ccli8 1:5ffad9f24d63 104 1. Replace server name (endpoint). **Endpoint** has the following format and you just
ccli8 1:5ffad9f24d63 105 need to modify **IDENTIFIER** and **REGION** to match your case.
ccli8 1:5ffad9f24d63 106 <pre>
ccli8 1:5ffad9f24d63 107 #define AWS_IOT_MQTT_SERVER_NAME "<b>IDENTIFIER</b>.iot.<b>REGION</b>.amazonaws.com"
ccli8 1:5ffad9f24d63 108 </pre>
ccli8 1:5ffad9f24d63 109
ccli8 1:5ffad9f24d63 110 1. Server port number is fixed. Don't change it.
ccli8 1:5ffad9f24d63 111 ```
ccli8 1:5ffad9f24d63 112 #define AWS_IOT_MQTT_SERVER_PORT 8883
ccli8 1:5ffad9f24d63 113 ```
ccli8 1:5ffad9f24d63 114
ccli8 1:5ffad9f24d63 115 1. Replace **THINGNAME** to match your case. The **THINGNAME** is just the name of the thing you've created above.
ccli8 1:5ffad9f24d63 116 <pre>
ccli8 1:5ffad9f24d63 117 #define AWS_IOT_MQTT_THINGNAME "<b>THINGNAME</b>"
ccli8 1:5ffad9f24d63 118 </pre>
ccli8 1:5ffad9f24d63 119
ccli8 1:5ffad9f24d63 120 1. Replace **CLIENTNAME** to match your case. If you adopt the example policy above,
ccli8 1:5ffad9f24d63 121 you can modify it arbitrarily because the policy permits any client name bound to your account.
ccli8 1:5ffad9f24d63 122 <pre>
ccli8 1:5ffad9f24d63 123 #define AWS_IOT_MQTT_CLIENTNAME "<b>CLIENTNAME</b>"
ccli8 1:5ffad9f24d63 124 </pre>
ccli8 1:5ffad9f24d63 125
ccli8 1:5ffad9f24d63 126 AWS IoT MQTT protocol supports topic subscribe/publish. The example demonstrates:
ccli8 1:5ffad9f24d63 127 - Subscribe/publish with user topic
ccli8 1:5ffad9f24d63 128 - Subscribe/publish with reserved topic (starting with $) to:
ccli8 1:5ffad9f24d63 129 - Update thing shadow
ccli8 1:5ffad9f24d63 130 - Get thing shadow
ccli8 1:5ffad9f24d63 131 - Delete thing shadow
ccli8 1:5ffad9f24d63 132
ccli8 1:5ffad9f24d63 133 ### Connect through HTTPS
ccli8 1:5ffad9f24d63 134 To connect your device with AWS IoT through HTTPS, you need to configure the following parameters.
ccli8 1:5ffad9f24d63 135
ccli8 1:5ffad9f24d63 136 1. Enable connection through HTTPS.
ccli8 1:5ffad9f24d63 137 ```
ccli8 1:5ffad9f24d63 138 #define AWS_IOT_HTTPS_TEST 1
ccli8 1:5ffad9f24d63 139 ```
ccli8 1:5ffad9f24d63 140
ccli8 1:5ffad9f24d63 141 1. Replace server name (endpoint). **Endpoint** has the following format and you just
ccli8 1:5ffad9f24d63 142 need to modify **IDENTIFIER** and **REGION** to match your case.
ccli8 1:5ffad9f24d63 143 <pre>
ccli8 1:5ffad9f24d63 144 #define AWS_IOT_HTTPS_SERVER_NAME "<b>IDENTIFIER</b>.iot.<b>REGION</b>.amazonaws.com"
ccli8 1:5ffad9f24d63 145 </pre>
ccli8 1:5ffad9f24d63 146
ccli8 1:5ffad9f24d63 147 1. Server port number is fixed. Don't change it.
ccli8 1:5ffad9f24d63 148 ```
ccli8 1:5ffad9f24d63 149 #define AWS_IOT_HTTPS_SERVER_PORT 8443
ccli8 1:5ffad9f24d63 150 ```
ccli8 1:5ffad9f24d63 151
ccli8 1:5ffad9f24d63 152 1. Replace **THINGNAME** to match your case. The **THINGNAME** is just the name of the thing you've created above.
ccli8 1:5ffad9f24d63 153 <pre>
ccli8 1:5ffad9f24d63 154 #define AWS_IOT_HTTPS_THINGNAME "<b>THINGNAME</b>"
ccli8 1:5ffad9f24d63 155 </pre>
ccli8 1:5ffad9f24d63 156
ccli8 1:5ffad9f24d63 157 AWS IoT HTTPS protocol supports topic publish-only and RESTful API. The example demonstrates:
ccli8 1:5ffad9f24d63 158 - Publish to user topic
ccli8 1:5ffad9f24d63 159 - Publish to reserved topic (starting with $) to:
ccli8 1:5ffad9f24d63 160 - Update thing shadow
ccli8 1:5ffad9f24d63 161 - Get thing shadow
ccli8 1:5ffad9f24d63 162 - Delete thing shadow
ccli8 1:5ffad9f24d63 163 - RESTful API to:
ccli8 1:5ffad9f24d63 164 - Update thing shadow RESTfully through HTTPS/POST method
ccli8 1:5ffad9f24d63 165 - Get thing shadow RESTfully through HTTPS/GET method
ccli8 1:5ffad9f24d63 166 - Delete thing shadow RESTfully through HTTPS/DELETE method
ccli8 1:5ffad9f24d63 167
ccli8 1:5ffad9f24d63 168 ## Monitor the application
ccli8 46:871e0ad86526 169 If you configure your terminal program with **115200/8-N-1**, you would see output similar to:
ccli8 1:5ffad9f24d63 170
ccli8 1:5ffad9f24d63 171 **NOTE:** Make sure that the network is functional before running the application.
ccli8 1:5ffad9f24d63 172
ccli8 1:5ffad9f24d63 173 <pre>
ccli8 1:5ffad9f24d63 174 Starting AWS IoT test
ccli8 46:871e0ad86526 175 Using Mbed OS 6.14.0
ccli8 46:871e0ad86526 176 Connected to the network successfully. IP address: 192.168.8.105
ccli8 46:871e0ad86526 177 Opening network socket on network stack
ccli8 46:871e0ad86526 178 Opens network socket on network stack OK
ccli8 46:871e0ad86526 179 DNS resolution for a1fljoeglhtf61-ats.iot.us-east-2.amazonaws.com...
ccli8 46:871e0ad86526 180 DNS resolution for a1fljoeglhtf61-ats.iot.us-east-2.amazonaws.com: 3.129.252.104:8883
ccli8 1:5ffad9f24d63 181 </pre>
ccli8 1:5ffad9f24d63 182
ccli8 1:5ffad9f24d63 183 If you get here successfully, it means the security credential configuration is correct.
ccli8 1:5ffad9f24d63 184 <pre>
ccli8 46:871e0ad86526 185 Connecting with a1fljoeglhtf61-ats.iot.us-east-2.amazonaws.com:8883
ccli8 46:871e0ad86526 186 Connects with a1fljoeglhtf61-ats.iot.us-east-2.amazonaws.com:8883 OK
ccli8 46:871e0ad86526 187 Resolved MQTT client ID: 002E0051-013B87F3-00000021
ccli8 46:871e0ad86526 188 MQTT connects OK
ccli8 1:5ffad9f24d63 189 </pre>
ccli8 1:5ffad9f24d63 190
ccli8 1:5ffad9f24d63 191 MQTT handshake goes:
ccli8 1:5ffad9f24d63 192 <pre>
ccli8 1:5ffad9f24d63 193 MQTT connects OK
ccli8 1:5ffad9f24d63 194
ccli8 1:5ffad9f24d63 195 Subscribing/publishing user topic
ccli8 1:5ffad9f24d63 196 MQTT subscribes to Nuvoton/Mbed/+ OK
ccli8 1:5ffad9f24d63 197 Message to publish:
ccli8 1:5ffad9f24d63 198 { "message": "Hello from Nuvoton Mbed device" }
ccli8 1:5ffad9f24d63 199 MQTT publishes message to Nuvoton/Mbed/D001 OK
ccli8 46:871e0ad86526 200 MQTT receives message with subscribed Nuvoton/Mbed/D001...
ccli8 1:5ffad9f24d63 201 Message arrived: qos 1, retained 0, dup 0, packetid 1
ccli8 1:5ffad9f24d63 202 Payload:
ccli8 1:5ffad9f24d63 203 { "message": "Hello from Nuvoton Mbed device" }
ccli8 46:871e0ad86526 204 MQTT receives message with subscribed Nuvoton/Mbed/D001 OK
ccli8 1:5ffad9f24d63 205
ccli8 1:5ffad9f24d63 206 MQTT unsubscribes from Nuvoton/Mbed/+ OK
ccli8 1:5ffad9f24d63 207 Subscribes/publishes user topic OK
ccli8 1:5ffad9f24d63 208
ccli8 1:5ffad9f24d63 209 Subscribing/publishing UpdateThingShadow topic
ccli8 1:5ffad9f24d63 210 MQTT subscribes to $aws/things/Nuvoton-Mbed-D001/shadow/update/accepted OK
ccli8 1:5ffad9f24d63 211 MQTT subscribes to $aws/things/Nuvoton-Mbed-D001/shadow/update/rejected OK
ccli8 1:5ffad9f24d63 212 Message to publish:
ccli8 1:5ffad9f24d63 213 { "state": { "reported": { "attribute1": 3, "attribute2": "1" } } }
ccli8 1:5ffad9f24d63 214 MQTT publishes message to $aws/things/Nuvoton-Mbed-D001/shadow/update OK
ccli8 46:871e0ad86526 215 MQTT receives message with subscribed $aws/things/Nuvoton-Mbed-D001/shadow/update...
ccli8 1:5ffad9f24d63 216 Message arrived: qos 1, retained 0, dup 0, packetid 1
ccli8 1:5ffad9f24d63 217 Payload:
ccli8 46:871e0ad86526 218 {"state":{"reported":{"attribute1":3,"attribute2":"1"}},"metadata":{"reported":{"attribute1":{"timestamp":1630637720},"attribute2":{"timestamp":1630637720}}},"version":229,"timestamp":1630637720}
ccli8 46:871e0ad86526 219 MQTT receives message with subscribed $aws/things/Nuvoton-Mbed-D001/shadow/update OK
ccli8 1:5ffad9f24d63 220
ccli8 1:5ffad9f24d63 221 MQTT unsubscribes from $aws/things/Nuvoton-Mbed-D001/shadow/update/accepted OK
ccli8 1:5ffad9f24d63 222 MQTT unsubscribes from $aws/things/Nuvoton-Mbed-D001/shadow/update/rejected OK
ccli8 1:5ffad9f24d63 223 Subscribes/publishes UpdateThingShadow topic OK
ccli8 1:5ffad9f24d63 224
ccli8 1:5ffad9f24d63 225 Subscribing/publishing GetThingShadow topic
ccli8 1:5ffad9f24d63 226 MQTT subscribes to $aws/things/Nuvoton-Mbed-D001/shadow/get/accepted OK
ccli8 1:5ffad9f24d63 227 MQTT subscribes to $aws/things/Nuvoton-Mbed-D001/shadow/get/rejected OK
ccli8 1:5ffad9f24d63 228 Message to publish:
ccli8 1:5ffad9f24d63 229
ccli8 1:5ffad9f24d63 230 MQTT publishes message to $aws/things/Nuvoton-Mbed-D001/shadow/get OK
ccli8 46:871e0ad86526 231 MQTT receives message with subscribed $aws/things/Nuvoton-Mbed-D001/shadow/get...
ccli8 1:5ffad9f24d63 232 Message arrived: qos 1, retained 0, dup 0, packetid 1
ccli8 1:5ffad9f24d63 233 Payload:
ccli8 46:871e0ad86526 234 {"state":{"reported":{"attribute1":3,"attribute2":"1"}},"metadata":{"reported":{"attribute1":{"timestamp":1630637720},"attribute2":{"timestamp":1630637720}}},"version":229,"timestamp":1630637722}
ccli8 46:871e0ad86526 235 MQTT receives message with subscribed $aws/things/Nuvoton-Mbed-D001/shadow/get OK
ccli8 1:5ffad9f24d63 236
ccli8 1:5ffad9f24d63 237 MQTT unsubscribes from $aws/things/Nuvoton-Mbed-D001/shadow/get/accepted OK
ccli8 1:5ffad9f24d63 238 MQTT unsubscribes from $aws/things/Nuvoton-Mbed-D001/shadow/get/rejected OK
ccli8 1:5ffad9f24d63 239 Subscribes/publishes GetThingShadow topic OK
ccli8 1:5ffad9f24d63 240
ccli8 1:5ffad9f24d63 241 Subscribing/publishing DeleteThingShadow topic
ccli8 1:5ffad9f24d63 242 MQTT subscribes to $aws/things/Nuvoton-Mbed-D001/shadow/delete/accepted OK
ccli8 1:5ffad9f24d63 243 MQTT subscribes to $aws/things/Nuvoton-Mbed-D001/shadow/delete/rejected OK
ccli8 1:5ffad9f24d63 244 Message to publish:
ccli8 1:5ffad9f24d63 245
ccli8 1:5ffad9f24d63 246 MQTT publishes message to $aws/things/Nuvoton-Mbed-D001/shadow/delete OK
ccli8 46:871e0ad86526 247 MQTT receives message with subscribed $aws/things/Nuvoton-Mbed-D001/shadow/delete...
ccli8 1:5ffad9f24d63 248 Message arrived: qos 1, retained 0, dup 0, packetid 1
ccli8 1:5ffad9f24d63 249 Payload:
ccli8 46:871e0ad86526 250 {"version":229,"timestamp":1630637724}
ccli8 46:871e0ad86526 251 MQTT receives message with subscribed $aws/things/Nuvoton-Mbed-D001/shadow/delete OK
ccli8 1:5ffad9f24d63 252
ccli8 1:5ffad9f24d63 253 MQTT unsubscribes from $aws/things/Nuvoton-Mbed-D001/shadow/delete/accepted OK
ccli8 1:5ffad9f24d63 254 MQTT unsubscribes from $aws/things/Nuvoton-Mbed-D001/shadow/delete/rejected OK
ccli8 1:5ffad9f24d63 255 Subscribes/publishes DeleteThingShadow topic OK
ccli8 1:5ffad9f24d63 256
ccli8 1:5ffad9f24d63 257 MQTT disconnects OK
ccli8 1:5ffad9f24d63 258 </pre>
ccli8 1:5ffad9f24d63 259
ccli8 46:871e0ad86526 260 ## Trouble-shooting
ccli8 46:871e0ad86526 261 - Reduce memory footprint according to RFC 6066 TLS extension.
ccli8 46:871e0ad86526 262 We reduce memory footprint by:
ccli8 46:871e0ad86526 263 1. Enabling RFC 6066 max_fragment_length extension by configuring `my-tlssocket.tls-max-frag-len` to 4.
ccli8 46:871e0ad86526 264
ccli8 46:871e0ad86526 265 `my-tlssocket/mbed_lib.json`:
ccli8 46:871e0ad86526 266 ```json
ccli8 46:871e0ad86526 267 {
ccli8 46:871e0ad86526 268 "name": "my-tlssocket",
ccli8 46:871e0ad86526 269 "config": {
ccli8 46:871e0ad86526 270 "tls-max-frag-len": {
ccli8 46:871e0ad86526 271 "help": "Maximum fragment length value for the payload in one packet, doesn't include TLS header and encryption overhead. Is needed for constrained devices having low MTU sizes, Value 0 = disabled, 1 = MBEDTLS_SSL_MAX_FRAG_LEN_512, 2= MBEDTLS_SSL_MAX_FRAG_LEN_1024, 3 = MBEDTLS_SSL_MAX_FRAG_LEN_2048, 4 = MBEDTLS_SSL_MAX_FRAG_LEN_4096",
ccli8 46:871e0ad86526 272 "value": 0
ccli8 46:871e0ad86526 273 }
ccli8 46:871e0ad86526 274 }
ccli8 46:871e0ad86526 275 }
ccli8 46:871e0ad86526 276 ```
ccli8 5:2a70e217325f 277
ccli8 46:871e0ad86526 278 `mbed_app.json`:
ccli8 46:871e0ad86526 279 ```json
ccli8 46:871e0ad86526 280 "SOME_TARGET": {
ccli8 46:871e0ad86526 281 "my-tlssocket.tls-max-frag-len" : 4
ccli8 46:871e0ad86526 282 },
ccli8 46:871e0ad86526 283 ```
ccli8 46:871e0ad86526 284
ccli8 46:871e0ad86526 285 1. Consistent with the above, allocating the TLS I/O buffers with `MBEDTLS_SSL_IN_CONTENT_LEN`/`MBEDTLS_SSL_OUT_CONTENT_LEN` being larger than 4KiB/4KiB.
ccli8 46:871e0ad86526 286
ccli8 46:871e0ad86526 287 `mbedtls_user_config.h`:
ccli8 46:871e0ad86526 288 ```C++
ccli8 46:871e0ad86526 289 /* Maximum length (in bytes) of incoming plaintext fragments */
ccli8 46:871e0ad86526 290 #define MBEDTLS_SSL_IN_CONTENT_LEN 8192
ccli8 46:871e0ad86526 291
ccli8 46:871e0ad86526 292 /* Maximum length (in bytes) of outgoing plaintext fragments */
ccli8 46:871e0ad86526 293 #define MBEDTLS_SSL_OUT_CONTENT_LEN 8192
ccli8 46:871e0ad86526 294 ```
ccli8 46:871e0ad86526 295
ccli8 46:871e0ad86526 296 **NOTE:** With `my-tlssocket.tls-max-frag-len` being 4, `MBEDTLS_SSL_IN_CONTENT_LEN`/`MBEDTLS_SSL_OUT_CONTENT_LEN` must be larger than 4KiB/4KiB.
ccli8 46:871e0ad86526 297 We enlarge them to 8KiB/8KiB because the TLS handshake also uses these buffers and may require larger ones.
ccli8 26:e5cfc2628e84 298
ccli8 26:e5cfc2628e84 299 But this approach is risky because:
ccli8 26:e5cfc2628e84 300 1. AWS IoT doesn't support RFC 6066 TLS extension yet.
ccli8 46:871e0ad86526 301 1. TLS handshake may need larger I/O buffers than configured.
ccli8 26:e5cfc2628e84 302
ccli8 26:e5cfc2628e84 303 If you suspect your trouble is caused by this configuration, disable it by:
ccli8 46:871e0ad86526 304 1. Removing the line `my-tlssocket.tls-max-frag-len` in `mbed_app.json`.
ccli8 46:871e0ad86526 305 1. Commenting out `MBEDTLS_SSL_IN_CONTENT_LEN`/`MBEDTLS_SSL_OUT_CONTENT_LEN` in `mbedtls_user_config.h`.
ccli8 26:e5cfc2628e84 306 This changes the buffer sizes back to 16KiB/16KiB.