MQTT Reconnection Fails When HTTPS Session is Active – TLS Handshake Error (-0x2700)

[RamPingle-eaton]

Describe the bug

Description:

Zephyr OS Version: 3.6.0
Hardware Platform: STM32H743ZI

Use Case: Concurrent MQTT over TLS and HTTPS connections
TLS Configuration:
MQTT: tls_config->peer_verify = TLS_PEER_VERIFY_REQUIRED
HTTPS: tls_config->peer_verify = TLS_PEER_VERIFY_NONE
Certificate Setup:
A common CA certificate is added for both connections using:

Issue:

When the MQTT connection is active and an HTTPS connection is initiated, both work as expected. However, if the MQTT connection drops (for any reason) while the HTTPS connection remains active, subsequent attempts to reconnect MQTT fail.

Observed Behavior:

First two MQTT reconnection attempts fail with:
tls_mbedtls_handshake: TLS handshake error: -0x2700
On the third attempt, the error changes to:
err = Not enough space
Additional Context:

A similar issue was discussed here: two concurrent TLS sessions · zephyrproject-rtos/zephyr · Discussion #49314, where increasing memory resolved the problem.

Questions:

Why does the initial MQTT connection succeed even with the same memory constraints?

Is there a recommended way to manage MQTT and HTTPS connections independently to avoid such conflicts?

Are there specific memory configuration parameters or TLS session limits that should be adjusted?

Any guidance or suggestions would be greatly appreciated.

Regression

• This is a regression.

Steps to reproduce

No response

Relevant log output

Impact

Annoyance – Minor irritation; no significant impact on usability or functionality.

Environment

No response

Additional Context

No response

[ljd42]

Thank you for your bug report.

Zephyr v3.6.0 has reached EOL, and is not supported anymore.
Could you please re-test on version 3.7.x (LTS), or 4.1. ?

Many thanks for your help!

Note: Zephyr's release schedules and lifetime are available here.

@danieldegrasse : fyi

[RamPingle-eaton]

@ljd42 Thank you very much for your response. Unfortunately, I won’t be able to migrate to the latest version of Zephyr, as my application is part of a larger platform.

Is there any alternative documentation or resource where I can find details about the specific settings in the mbedTLS library that influence memory usage? Any guidance or references that could help me address this issue would be greatly appreciated.

Thank you again for your support.

[rlubos]

Why does the initial MQTT connection succeed even with the same memory constraints?

For each active TLS session, mbed TLS allocates in and out buffer of size CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN, which will remain allocated throughout the TLS session. So if there is one ongoing TLS session (HTTPS), it may turn out mbed TLS runs out of heap for the second one (MQTTS).

Is there a recommended way to manage MQTT and HTTPS connections independently to avoid such conflicts?

It's up to the application to decide how it manages its connections and memory. I can't recommend anything else than don't run parallel TLS sessions if you can't provide enough heap to mbed TLS.

Are there specific memory configuration parameters or TLS session limits that should be adjusted?

I can only think of aforementioned CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN. In theory it can be lowered, however please be aware this may cause interoperability issues (sometimes TLS servers does not respect TLS maximum fragment length negotiation).

Any guidance or suggestions would be greatly appreciated.

We have a simple shell util CONFIG_MBEDTLS_MEMORY_DEBUG to print out basic mbed TLS heap usage data, other than that I can only think of enabling mbed TLS logs, not sure though how detailed info do they provide.

All that said, I think that mbed TLS memory issues should not be considered and marked as Zephyr bug.