Closed bizcloudexperts closed 8 years ago
Hi @bizcloudexperts ,
Thank you very much for your interest in AWS IoT!
There are several things you can check here:
a. Verify the integrity of your credentials using another MQTT client, e.g., MQTT.fx. Also, from the error message it seems that the certificate is malformed. It should have the following format:
-----BEGIN CERTIFICATE-----
<YOUR CERTIFICATE DETAILS>
-----END CERTIFICATE-----
b. Notice that you are testing with openssl v0.9.8. To get a correct test result for X.509 certificate-based mutual authentication, you need a newer version, openssl v1.0.1+.
Please let us know how it goes.
Thanks Liusu
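The certificate format described in the reply above can be checked mechanically before a file is passed to openssl s_client or bundled into a .p12. The following is an added example, not part of the thread or of the AWS SDK; the function names, role names and constructed sample blocks are assumptions for illustration. It also flags a file whose first PEM block is not a certificate, the kind of input for which openssl reports "no start line".

```python
import base64
import binascii
import re

# RFC 7468 layout: BEGIN/END lines with the same label around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# PEM labels a file must carry for each role (hypothetical role names).
ROLE_LABELS = {
    "cert": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

def pem_blocks(text):
    """Return [(label, der_or_None)]; der is None when the body is not base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = None
        blocks.append((label, der))
    return blocks

def check_pem(text, role):
    """Say whether text can serve as 'cert' or 'key', or why it cannot."""
    blocks = pem_blocks(text)
    if not blocks:
        return "no PEM block found (BEGIN/END lines missing or damaged)"
    label, der = blocks[0]
    if label not in ROLE_LABELS[role]:
        return f"wrong content for {role}: first block is '{label}'"
    if der is None:
        return "body between the markers is not valid base64"
    if not der.startswith(b"\x30"):
        return "decoded body is not a DER SEQUENCE (truncated or corrupted)"
    return "ok"

# Constructed samples: a 5-byte DER SEQUENCE stands in for real certificate data.
_BODY = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_PUBKEY = SAMPLE_CERT.replace("CERTIFICATE", "PUBLIC KEY")
SAMPLE_PLACEHOLDER = SAMPLE_CERT.replace(_BODY, "<YOUR CERTIFICATE DETAILS>")

if __name__ == "__main__":
    for name in ("SAMPLE_CERT", "SAMPLE_PUBKEY", "SAMPLE_PLACEHOLDER"):
        print(name, "->", check_pem(globals()[name], "cert"))
```

This is a structural check only: it does not verify signatures, expiry, or that the private key matches the certificate.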
Hi, I'm facing a similar issue.
But when I try with openssl s_client, it shows me a good response.
However, when I generate a .p12 file using the command below and put it in the Xcode project, I face the "CFNetwork SSLHandshake failed (-9829)" error.
$ openssl pkcs12 -export -out awsiot-identity.p12 -inkey awsIotPrivateKey.pem -in awsIotCert.pem -certfile rootCA.pem
Please help me on this.
$ openssl s_client -connect a2m71unc61w1ny.iot.us-west-2.amazonaws.com:8443 -CAfile rootCA.pem -cert awsIotCert.pem -key awsIotPrivateKey.pem
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot.us-west-2.amazonaws.com
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-west-2.amazonaws.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Server certificate
-----BEGIN CERTIFICATE-----
certificate
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-west-2.amazonaws.com
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 57CEFD998425D7550529D4B189032947F0F182937C1344320E02788E635FA8B1
    Session-ID-ctx:
    Master-Key: 1AC2ADF7334878158767C30BCE0FA4071AFB6DEC9968335B47670E253EC4B787B4857503A1A30883707AFE630369DE24
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473183130
    Timeout : 300 (sec)
Hi @kiranuta @bizcloudexperts ,
Thanks for using aws ios sdk! I am just curious: what version of Xcode are you using? Since Xcode 8.0 has just been released, the mobile sdk team has not officially supported Xcode 8.0 yet. It might still work for some examples, but it would be better to keep Xcode 7.3.1 if you want to have all features of ios sdk.
Another problem which may cause the handshake to fail could be the settings of your region. So, please make sure you have the correct region specified in Constants.swift, matching your service region:
let AwsRegion = AWSRegionType.USEast1 // e.g. AWSRegionType.USEast1
Please feel free to post your questions if it still does not work.
Thanks, Fengyi
assuming resolved. closing
I just want to mention in case it helps anyone else, I had the exact same error. Ended up just being that I needed to prepend "https://" to my endpoint. facepalm
Glad you left this post. Here I am years later having run into the same problem. I don't quite understand why it worked without the protocol on one AWS IOT MQTT instance and not the other, but that solved my problem.
Thanks, @seanhamstra
Let me know if I'm wrong. I'm trying to connect from my iOS app to the AWS IoT. I'm getting the above error. I have modified the Info.plist folder as advised.
This is exactly how I'm generating the certificates.
I have the thing and policy configured correctly.
When testing with openssl s_client I get the below:
$ openssl s_client -connect a2m71unc61w1ny.iot.us-west-2.amazonaws.com:8443 -CAfile cert.pem -cert publicKey.pem -key privkey.pem
unable to load certificate
95014:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
Any help would be appreciated.