From a37a1d26155bc0f83ab4d57cf608bcb8f1686c52 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Thu, 18 Dec 2025 12:22:25 +0100
Subject: [PATCH 1/3] Revert "[nrf noup] net: mqtt: add native TLS support"
This reverts commit bc094738b4385dca505a5afe63d8152c348dd029.
Signed-off-by: Robert Lubos
---
 doc/connectivity/networking/api/mqtt.rst | 3 ---
 include/zephyr/net/mqtt.h | 3 ---
 subsys/net/lib/mqtt/mqtt_transport_socket_tls.c | 7 +------
 3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/doc/connectivity/networking/api/mqtt.rst b/doc/connectivity/networking/api/mqtt.rst
index c2fb612e1cc2..2775d77315b8 100644
--- a/doc/connectivity/networking/api/mqtt.rst
+++ b/doc/connectivity/networking/api/mqtt.rst
@@ -150,7 +150,6 @@ additional configuration information:
 tls_config->sec_tag_list = m_sec_tags;
 tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags);
 tls_config->hostname = MQTT_BROKER_HOSTNAME;
- tls_config->set_native_tls = true;
 In this sample code, the ``m_sec_tags`` array holds a list of tags, referencing TLS credentials that the MQTT library should use for authentication. We do not specify
@@ -163,8 +162,6 @@ Note, that TLS credentials referenced by the ``m_sec_tags`` array must be registered in the system first. For more information on how to do that, refer to :ref:`secure sockets documentation `.
-Finally, ``set_native_tls`` can be optionally set to enable native TLS support instead of offloading TLS operations to the modem.
-
 An example of how to use TLS with MQTT is also present in :zephyr:code-sample:`mqtt-publisher` sample application.
diff --git a/include/zephyr/net/mqtt.h b/include/zephyr/net/mqtt.h
index 797f8f339d7f..d63cc1316249 100644
--- a/include/zephyr/net/mqtt.h
+++ b/include/zephyr/net/mqtt.h
@@ -773,9 +773,6 @@ struct mqtt_sec_config {
 /** Indicates the preference for copying certificates to the heap. */
 int cert_nocopy;
-
- /** Set socket to native TLS */
- bool set_native_tls;
 };
 /** @brief MQTT transport type. */
diff --git a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
index 617dec4b4d26..68a101e6c846 100644
--- a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
+++ b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
@@ -22,15 +22,10 @@ int mqtt_client_tls_connect(struct mqtt_client *client)
 {
 const struct sockaddr *broker = client->broker;
 struct mqtt_sec_config *tls_config = &client->transport.tls.config;
- int type = SOCK_STREAM;
 int ret;
- if (tls_config->set_native_tls) {
- type |= SOCK_NATIVE_TLS;
- }
-
 client->transport.tls.sock = zsock_socket(broker->sa_family,
- type, IPPROTO_TLS_1_2);
+ SOCK_STREAM, IPPROTO_TLS_1_2);
 if (client->transport.tls.sock < 0) {
 return -errno;
 }
From 24703c8e7f55f424fe305d89b3e30c8f235d2698 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Thu, 18 Dec 2025 12:11:46 +0100
Subject: [PATCH 2/3] [nrf fromlist] net: mqtt: Allow to force native TLS on MQTT socket
Upstream PR #: 101263
Add a parameter to MQTT TLS configuration that allows to force native TLS on a socket if offload dispatcher is used. This allows for MQTT to use native TLS implementation with an offloaded TCP socket.
Signed-off-by: Robert Lubos
---
 doc/connectivity/networking/api/mqtt.rst | 4 ++++
 include/zephyr/net/mqtt.h | 3 +++
 subsys/net/lib/mqtt/mqtt_transport_socket_tls.c | 12 ++++++++++++
 3 files changed, 19 insertions(+)
diff --git a/doc/connectivity/networking/api/mqtt.rst b/doc/connectivity/networking/api/mqtt.rst
index 2775d77315b8..a8eaaf288b9d 100644
--- a/doc/connectivity/networking/api/mqtt.rst
+++ b/doc/connectivity/networking/api/mqtt.rst
@@ -150,6 +150,7 @@ additional configuration information:
 tls_config->sec_tag_list = m_sec_tags;
 tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags);
 tls_config->hostname = MQTT_BROKER_HOSTNAME;
+ tls_config->set_native_tls = true;
 In this sample code, the ``m_sec_tags`` array holds a list of tags, referencing TLS credentials that the MQTT library should use for authentication. We do not specify
@@ -162,6 +163,9 @@ Note, that TLS credentials referenced by the ``m_sec_tags`` array must be registered in the system first. For more information on how to do that, refer to :ref:`secure sockets documentation `.
+Finally, ``set_native_tls`` can be optionally set to enable native TLS support
+instead of offloading TLS operations to an offloaded socket.
+
 An example of how to use TLS with MQTT is also present in :zephyr:code-sample:`mqtt-publisher` sample application.
diff --git a/include/zephyr/net/mqtt.h b/include/zephyr/net/mqtt.h
index d63cc1316249..fc9271f4debb 100644
--- a/include/zephyr/net/mqtt.h
+++ b/include/zephyr/net/mqtt.h
@@ -773,6 +773,9 @@ struct mqtt_sec_config {
 /** Indicates the preference for copying certificates to the heap. */
 int cert_nocopy;
+
+ /** Set socket to use native TLS (used with socket offloading). */
+ bool set_native_tls;
 };
 /** @brief MQTT transport type. */
diff --git a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
index 68a101e6c846..9a30497db1b5 100644
--- a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
+++ b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
@@ -32,6 +32,18 @@ int mqtt_client_tls_connect(struct mqtt_client *client)
 NET_DBG("Created socket %d", client->transport.tls.sock);
+ if (IS_ENABLED(CONFIG_NET_SOCKETS_OFFLOAD_DISPATCHER) && tls_config->set_native_tls) {
+ int tls_native = 1;
+
+ ret = zsock_setsockopt(client->transport.tls.sock, ZSOCK_SOL_TLS,
+ ZSOCK_TLS_NATIVE, &tls_native,
+ sizeof(tls_native));
+ if (ret < 0) {
+ NET_ERR("Failed to set native TLS (%d)", -errno);
+ goto error;
+ }
+ }
+
 if (client->transport.if_name != NULL) {
 struct ifreq ifname = { 0 };
From c691e99ba7fc40269d64ae12789d3eb3bc26d4cd Mon Sep 17 00:00:00 2001
From: Mirko Covizzi
Date: Thu, 10 Mar 2022 00:25:50 -0800
Subject: [PATCH 3/3] [nrf noup] net: mqtt: add native TLS support
Make MQTT `set_native_tls` option work w/o socket dispatcher enabled.
Signed-off-by: Mirko Covizzi
Signed-off-by: Robert Lubos
(cherry picked from commit bc094738b4385dca505a5afe63d8152c348dd029)
---
 subsys/net/lib/mqtt/mqtt_transport_socket_tls.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
index 9a30497db1b5..13bd7c23faba 100644
--- a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
+++ b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c
@@ -22,10 +22,15 @@ int mqtt_client_tls_connect(struct mqtt_client *client)
 {
 const struct sockaddr *broker = client->broker;
 struct mqtt_sec_config *tls_config = &client->transport.tls.config;
+ int type = SOCK_STREAM;
 int ret;
+ if (!IS_ENABLED(CONFIG_NET_SOCKETS_OFFLOAD_DISPATCHER) && tls_config->set_native_tls) {
+ type |= SOCK_NATIVE_TLS;
+ }
+
 client->transport.tls.sock = zsock_socket(broker->sa_family,
- SOCK_STREAM, IPPROTO_TLS_1_2);
+ type, IPPROTO_TLS_1_2);
 if (client->transport.tls.sock < 0) {
 return -errno;
 }
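Review bot: The `ZSOCK_TLS_NATIVE` block added in the `@@ -32,6 +32,18 @@` hunk of PATCH 2/3 has no comment explaining why it sits directly after socket creation, ahead of the `if_name` handling. As I understand the offload dispatcher, a socket is bound to an implementation on its first operation, so setting this option any later could leave TLS with the offloaded stack even though the caller asked for native; that is inferred from the dispatcher's design and is not visible in this hunk. I would add `/* Must be the first option set: the dispatcher picks the socket implementation on first use. */` above the `zsock_setsockopt()` call so the block is not reordered later. The `error` label and the remaining socket options are outside the hunk.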
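Review bot: `set_native_tls` is now applied through two mutually exclusive mechanisms, and neither the new `type |= SOCK_NATIVE_TLS` branch in the `@@ -22,10 +22,15 @@` hunk of PATCH 3/3 nor the public documentation says so. The field comment added to `mqtt.h` in PATCH 2/3 still reads "(used with socket offloading)" and this commit touches no documentation, so a reader cannot tell that without `CONFIG_NET_SOCKETS_OFFLOAD_DISPATCHER` the request is made at socket creation instead. I would add `/* No dispatcher: request native TLS at socket creation. With the dispatcher, TLS_NATIVE is set via setsockopt() below. */` above the new `if`, and extend the `set_native_tls` field comment to cover both configurations. Because this flag decides which TLS stack terminates the broker connection, a `zsock_socket()` failure with it set may also deserve a `NET_ERR` before `return -errno;`.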
@@ -35,8 +40,8 @@ int mqtt_client_tls_connect(struct mqtt_client *client)
 if (IS_ENABLED(CONFIG_NET_SOCKETS_OFFLOAD_DISPATCHER) && tls_config->set_native_tls) {
 int tls_native = 1;
- ret = zsock_setsockopt(client->transport.tls.sock, ZSOCK_SOL_TLS,
- ZSOCK_TLS_NATIVE, &tls_native,
+ ret = zsock_setsockopt(client->transport.tls.sock, SOL_TLS,
+ TLS_NATIVE, &tls_native,
 sizeof(tls_native));
 if (ret < 0) {
 NET_ERR("Failed to set native TLS (%d)", -errno);