Server V3 (MQTT): AWS IoT Core support#1365

Draft
shadowguardian507-irl wants to merge 19 commits into openvehicles:master from shadowguardian507-irl:AWS_IoT_Core_support

Conversation

shadowguardian507-irl commented Mar 27, 2026

This PR adds compatibility with AWS IoT Core as an MQTT broker for the OVMS Server V3 module, and introduces two new optional behaviour flags to handle broker-specific protocol restrictions.

mTLS client certificate authentication
Adds support for X.509 client certificate authentication via a new tlsclient command set (tlsclient import, tlsclient status, tlsclient info, tlsclient check, tlsclient clear, tlsclient reload). Credentials stored under /store/tls/ are passed to Mongoose as SSL client cert/key. Also fixes a bug where empty username/password were sent as empty strings instead of NULL, causing AUTHORIZATION_FAILURE on brokers that require cert-only auth with no credentials.

The Amazon Root CA 1 certificate is bundled into the firmware trust store so that AWS IoT Core's server certificate can be verified without manual configuration.

keepalive.clamp (default: enabled)
AWS IoT Core enforces a hard maximum keepalive of 1200 seconds and disconnects clients that request higher values. When enabled, the keepalive is silently clamped to 1200s with a log warning. Can be disabled for brokers that support longer intervals via config set server.v3 keepalive.clamp no or the web UI.
(scrapped in favour of a static note in the UI)

retain.depth.limit (default: disabled)
AWS IoT Core silently drops retained messages on topics with more than 8 path segments. When enabled, the RETAIN flag is omitted for such topics to prevent silent message loss. Can be disabled for brokers without this restriction via config set server.v3 retain.depth.limit no or the web UI.

The new options are shown in server v3 status output.

Addresses #1090 (authenticating to AWS IoT Core — closed by the original reporter, but the feature request was valid and is now implemented). Also extends the server-side TLS support introduced in #178 to cover full mutual TLS with client certificate authentication.

the above was last updated 2026-04-11
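The three broker-specific decisions described above (credentials sent as NULL rather than an empty string, the 1200 s keepalive clamp, and omitting RETAIN on topics deeper than 8 segments) come down to a few bits in the MQTT CONNECT and PUBLISH packets. The following is an added example, not OVMS or Mongoose code: it encodes an MQTT 3.1.1 CONNECT packet by hand so the difference between "no username" (User Name flag clear) and "empty username" (flag set, zero-length string) is visible on the wire, and it models the two option checks as pure functions. The constant names, function names and the `clamp_enabled` / `depth_limit_enabled` parameters are assumptions standing in for the PR's `keepalive.clamp` and `retain.depth.limit` config flags; the limits are the values the PR text states.

```cpp
// Added example (not OVMS or Mongoose code). Models the broker-quirk handling
// described in the PR as pure functions over the MQTT 3.1.1 wire format.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Limits as stated in the PR text for AWS IoT Core (names are assumptions).
static const uint16_t kAwsMaxKeepalive = 1200;     // seconds
static const size_t   kAwsMaxRetainSegments = 8;   // '/'-separated segments

// MQTT "UTF-8 encoded string": 2-byte big-endian length prefix, then bytes.
static void put_string(std::vector<uint8_t>& out, const std::string& s) {
  out.push_back(static_cast<uint8_t>(s.size() >> 8));
  out.push_back(static_cast<uint8_t>(s.size() & 0xFF));
  out.insert(out.end(), s.begin(), s.end());
}

// MQTT "Remaining Length": 7 bits per byte, high bit = continuation.
static void put_remaining_length(std::vector<uint8_t>& out, size_t len) {
  do {
    uint8_t byte = static_cast<uint8_t>(len % 128);
    len /= 128;
    if (len > 0) byte |= 0x80;
    out.push_back(byte);
  } while (len > 0);
}

// keepalive.clamp: silently lower the requested keepalive to the broker maximum.
uint16_t effective_keepalive(uint16_t requested, bool clamp_enabled) {
  if (clamp_enabled && requested > kAwsMaxKeepalive) return kAwsMaxKeepalive;
  return requested;
}

// retain.depth.limit: count topic segments and refuse RETAIN when too deep,
// since the broker would otherwise drop the retained message without an error.
size_t topic_segments(const std::string& topic) {
  size_t n = 1;
  for (char c : topic) if (c == '/') ++n;
  return n;
}
bool retain_allowed(const std::string& topic, bool depth_limit_enabled) {
  return !depth_limit_enabled || topic_segments(topic) <= kAwsMaxRetainSegments;
}

// Build an MQTT 3.1.1 CONNECT packet. user/pass are pointers so that nullptr
// ("no credential") is distinguishable from "" ("empty credential"): only a
// non-null pointer sets the User Name (0x80) / Password (0x40) flag bit. The
// spec requires the Password flag to be clear when User Name is clear, so a
// password is only emitted together with a user name.
std::vector<uint8_t> build_connect(const std::string& client_id, uint16_t keepalive,
                                   const char* user, const char* pass) {
  const bool has_user = user != nullptr;
  const bool has_pass = has_user && pass != nullptr;

  std::vector<uint8_t> body;
  put_string(body, "MQTT");                 // protocol name
  body.push_back(0x04);                     // protocol level 4 = MQTT 3.1.1
  uint8_t flags = 0x02;                     // Clean Session
  if (has_user) flags |= 0x80;
  if (has_pass) flags |= 0x40;
  body.push_back(flags);
  body.push_back(static_cast<uint8_t>(keepalive >> 8));
  body.push_back(static_cast<uint8_t>(keepalive & 0xFF));
  put_string(body, client_id);
  if (has_user) put_string(body, user);
  if (has_pass) put_string(body, pass);

  std::vector<uint8_t> pkt;
  pkt.push_back(0x10);                      // fixed header: CONNECT
  put_remaining_length(pkt, body.size());
  pkt.insert(pkt.end(), body.begin(), body.end());
  return pkt;
}

// Read back the Connect Flags byte: skip the fixed header byte and the
// Remaining Length varint, then "MQTT" (6 bytes) and the level byte.
uint8_t connect_flags_of(const std::vector<uint8_t>& pkt) {
  size_t i = 1;
  while (pkt[i] & 0x80) ++i;
  ++i;
  return pkt[i + 6 + 1];
}

int main() {
  // Cert-only auth: no credentials at all -> flags 0x02 (clean session only).
  auto no_creds = build_connect("ovms-demo", effective_keepalive(3600, true), nullptr, nullptr);
  // The pre-fix behaviour: empty strings still set both flag bits (0xC2).
  auto empty_creds = build_connect("ovms-demo", 60, "", "");
  std::printf("flags: nullptr=0x%02X empty=0x%02X\n",
              connect_flags_of(no_creds), connect_flags_of(empty_creds));
  std::printf("retain on 9-segment topic: %s\n",
              retain_allowed("ovms/u/v/metric/v/b/p/12v/voltage", true) ? "yes" : "no");
  return 0;
}
```

The pointer-versus-empty-string distinction is the whole of the AUTHORIZATION_FAILURE fix: a broker doing cert-only auth sees the User Name flag set and a zero-length name, which is a credential it cannot accept, whereas a clear flag means no credential was offered.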

@dexterbg (Member)

James, welcome & thanks for trying to help.

As you're new, I'll try to guide you instead of immediately closing this PR.

If you really want to help, please…

  1. read https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3?tab=readme-ov-file#development-and-contributions, especially the section on AI generated submissions
  2. understand the ovm_utils module
  3. understand the webserver's cert configuration, and for possible later other (!) submissions, understand the OvmsConfig API
  4. understand the purpose of the existing server v3 config instances
  5. understand that the AWS IoT Core limitations are an exemption, not the rule
  6. remove all unnecessary bloat, reduce the PR to the actually needed elements -- this will then be just a few lines of code
  7. understand the user guide structure, why your AI's additions do not fit and what's missing

There's possibly more. IOW, you better discard your AI results or just take them as the example they are, and reimplement this by yourself.

Regards,
Michael

@shadowguardian507-irl (Author)

Sorry, I thought that having this as a draft would mark it as a work in progress; apologies if that caused problems/issues, that was not my intent.

I am currently in the process of optimising things, but getting a baseline functioning firmware image was my first step on that process.

@shadowguardian507-irl (Author)

Re point 5: you are absolutely correct, and I will be correcting the defaults in future commits.

shadowguardian507-irl (Author) commented Apr 7, 2026

@dexterbg

Sorry about the complexity I had in the docs; I'm afraid that is directly my fault (I do tend to write rather verbose docs, as I'm always concerned about forgetting important points, and it is all too easy to assume what you did will be obvious later; I've been bitten by that on a few occasions). I have tried to restructure/redo what I put to make it fit better.

I do have some questions:

  • Do you need me to add a short guide on setting up with AWS IoT Core, similar to docs/source/userguide/homeassistant.rst, or would that be out of scope for this PR?

  • Do you want me to remove the CLI validation/import functionality for mTLS I added in vehicle/OVMS.V3/components/ovms_server_v3/src/ovms_server_v3.cpp? I figure it is helpful to have, but if it adds too much load/file size I'll remove it.

  • Am I supposed to add a section to vehicle/OVMS.V3/changes.txt, or is that something that the project maintainers do? Sorry if I made a mistake by pre-adding a comment there.

I have checked that it all compiles/uploads fine and it all seems to work OK.

For example, in the logs:

I (21246) ovms-server-v3: Attempt connect: counter=13 need=13 jitter=3
I (21246) ovms-server-v3: Connection is [REDACTED]:8883 [REDACTED]/ topic ovms-[REDACTED]/
I (21246) ovms-server-v3: Status: Connecting...
I (21276) ovms-server-v3: Using MQTT mTLS client certificate authentication
I (23976) ovms-server-v3: Connection successful
I (24196) ovms-server-v3: Status: OVMS V3 MQTT login successful
I (24306) ovms-server-v3: Subscribe to MQTT topics
I (24306) ovms-server-v3: Transmit all metrics
I (24476) ovms-server-v3: Subscription acknowledged

And an example of a value received in AWS:
[screenshot]

(Data in the above log excerpt and screenshot has been redacted for privacy reasons.)

- mTLS client certificate authentication (tlsclient commands)
- Fix empty credentials sent as empty string instead of NULL
- Bundle Amazon Root CA 1 in TLS trust store
- keepalive.clamp option: clamps keepalive to 1200s max (AWS IoT Core limit)
- retain.depth.limit option: omit RETAIN flag for topics >8 segments
- Both options configurable via web UI and CLI; visible in 'server v3 status'
- User guide updates (components.rst, commands.rst) and changes.txt
@shadowguardian507-irl (Author)

One further question: should I not bundle the AWS CA cert with this?

On one hand, that would mean no changes under vehicle/OVMS.V3/components/ovms_tls/ and the overall file size of the firmware would be slightly smaller (but we are talking maybe 900 bytes, if that); but on the other hand, it would mean that the user would have to load that cert themselves using the process detailed in the ssl-tls-trusted-certificate-authorities part of the docs, so it would be more friction for them.

Please can I get some advice on this?

@dexterbg (Member)

> Do you need me to add a short guide on setting up with AWS IoT Core

If you add a general guide on setting up server V3 focusing on our public standard servers and finding and using other public MQTT brokers first, you're free to also add a section on AWS IoT Core there. Don't forget to add a section on self-hosting naming some common options.

> Do you want me to remove the CLI validation/import functionality

Yes.

> Am I supposed to add a section to vehicle/OVMS.V3/changes.txt

Yes. Keep it reduced to the actual user level news.

> Should I bundle the AWS CA cert with this?

Create a separate PR for the AWS CA cert.
