aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

AWS IoT CFNetwork SSLHandshake failed #450

Closed bizcloudexperts closed 8 years ago

bizcloudexperts commented 8 years ago

Let me know if I'm wrong. I'm trying to connect from my iOS app to the AWS IoT. I'm getting the above error. I have modified the Info.plist folder as advised.

This is exactly how I'm generating the certificates.

  1. `aws iot create-keys-and-certificate --set-as-active --certificate-pem-outfile cert.pem --public-key-outfile publicKey.pem --private-key-outfile privkey.pem`
  2. From the above generated keys, I create a .p12 file as: `openssl pkcs12 -export -in cert.pem -inkey key.pem -CAfile root-ca.crt -out awsiot-xxx.p12`

I have the thing and policy configured correctly.

When testing with openssl s_client I get the below:

```
$ openssl s_client -connect a2m71unc61w1ny.iot.us-west-2.amazonaws.com:8443 -CAfile cert.pem -cert publicKey.pem -key privkey.pem
unable to load certificate
95014:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
```

Any help would be appreciated.

liuszeng commented 8 years ago

Hi @bizcloudexperts ,

Thank you very much for your interest in AWS IoT!

There are several things you can check here:

a. Verify the integrity of your credentials using another MQTT client, e.g., MQTT.fx. Also, from the error message it seems that the certificate is malformed. It should have the following format:

```
-----BEGIN CERTIFICATE-----
<YOUR CERTIFICATE DETAILS>
-----END CERTIFICATE-----
```

b. Notice that you are testing using openssl v0.9.8. To actually get the correct testing result for X.509 certificate based mutual authentication, you need a newer version, openssl v1.0.1+.

Please let us know how it goes.

Thanks, Liusu
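The "no start line ... Expecting: TRUSTED CERTIFICATE" error in the opening post is what openssl prints when the file handed to `-cert` contains no PEM block with a certificate label: it skips blocks whose label does not match, hits end of file, and reports "no start line". The following script is an added example for this thread, not code from aws-sdk-ios or from anyone in the issue. It checks each file against the PEM label the openssl option expects before `s_client` or `pkcs12 -export` is run. The option-to-label table, the constructed sample PEM strings, and the tiny DER body they carry are all assumptions made for the example, not real key material.

```python
"""PEM preflight for the files given to `openssl s_client` and `openssl pkcs12`.

Added example for this thread; not part of aws-sdk-ios. It reads each PEM
file, finds the label in its BEGIN line and reports when a file is handed to
an option that expects a different kind of object. In the opening post the
public key file was passed to -cert, which is exactly this mismatch.
"""
import base64
import re

# Labels each option accepts. Assumption for the example: RSA or EC keys in
# PKCS#1/SEC1 or PKCS#8 form; certificates as plain or "TRUSTED" blocks.
EXPECTED_LABELS = {
    "-cert": {"CERTIFICATE", "TRUSTED CERTIFICATE"},      # s_client client cert
    "-key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "-CAfile": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
    "-in": {"CERTIFICATE", "TRUSTED CERTIFICATE"},        # pkcs12 -export -in
    "-inkey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "-certfile": {"CERTIFICATE", "TRUSTED CERTIFICATE"},
}

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text.

    Raises ValueError when a body is not base64 or does not start with the
    DER SEQUENCE tag (0x30) that every certificate and key object begins with.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: decoded body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_option(option, text):
    """Problems with passing a file whose contents are `text` to `option` ([] if none)."""
    wanted = EXPECTED_LABELS[option]
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return [f"{option}: no PEM block found (openssl reports 'no start line')"]
    return [
        f"{option}: expects one of {sorted(wanted)}, got '{label}' "
        "(openssl skips it and reports 'no start line')"
        for label, _ in blocks
        if label not in wanted
    ]


def preflight(option_to_text):
    """Run check_option over {option: file contents}; return {option: [problems]}."""
    report = {}
    for option, text in option_to_text.items():
        problems = check_option(option, text)
        if problems:
            report[option] = problems
    return report


# Constructed sample files: the base64 body is a tiny valid DER SEQUENCE
# (30 03 02 01 01), not real key material.
_BODY = "MAMCAQE="
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_PUBLIC_KEY = f"-----BEGIN PUBLIC KEY-----\n{_BODY}\n-----END PUBLIC KEY-----\n"
SAMPLE_PRIVATE_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{_BODY}\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Mirrors the opening post: the public key was passed as -cert.
    for option, problems in preflight({
        "-CAfile": SAMPLE_CERT,
        "-cert": SAMPLE_PUBLIC_KEY,
        "-key": SAMPLE_PRIVATE_KEY,
    }).items():
        print(option, "->", problems)
```

To use it on real files, read each PEM file into a string and pass the strings in under the option names; a clean report means the labels line up, which is the precondition for the `openssl s_client` test in the thread to exercise mutual authentication at all rather than failing while loading inputs.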

kirankraleti91 commented 8 years ago

Hi, I'm facing a similar issue.

But when I try with the openssl s_client it shows me a good response.

However, when I generate a .p12 file using the below command and put this in the Xcode project, I face the "CFNetwork SSLHandshake failed (-9829)" error.

```
$ openssl pkcs12 -export -out awsiot-identity.p12 -inkey awsIotPrivateKey.pem -in awsIotCert.pem -certfile rootCA.pem
```

Please help me on this.

```
$ openssl s_client -connect a2m71unc61w1ny.iot.us-west-2.amazonaws.com:8443 -CAfile rootCA.pem -cert awsIotCert.pem -key awsIotPrivateKey.pem
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot.us-west-2.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-west-2.amazonaws.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-west-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3161 bytes and written 1579 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 57CEFD998425D7550529D4B189032947F0F182937C1344320E02788E635FA8B1
    Session-ID-ctx:
    Master-Key: 1AC2ADF7334878158767C30BCE0FA4071AFB6DEC9968335B47670E253EC4B787B4857503A1A30883707AFE630369DE24
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473183130
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
```

fengsongAWS commented 8 years ago

Hi @kiranuta @bizcloudexperts, thanks for using the AWS iOS SDK! I am just curious what version of Xcode you are using. Since Xcode 8.0 has just been released, the mobile SDK team has not officially supported Xcode 8.0 yet. It might still work for some examples, but it would be better to keep Xcode 7.3.1 if you want to have all features of the iOS SDK.

Another problem which may cause the handshake to fail could be the settings of your region. So, please make sure you have the correct region specified in Constants.swift, matching your service region:

```swift
let AwsRegion = AWSRegionType.USEast1 // e.g. AWSRegionType.USEast1
```

Please feel free to post your questions if it still does not work.

Thanks, Fengyi

karthiksaligrama commented 8 years ago

Assuming resolved. Closing.

seanhamstra commented 7 years ago

I just want to mention in case it helps anyone else, I had the exact same error. Ended up just being that I needed to prepend "https://" to my endpoint. facepalm

j2inet commented 3 years ago

> I just want to mention in case it helps anyone else, I had the exact same error. Ended up just being that I needed to prepend "https://" to my endpoint. facepalm

Glad you left this post. Here I am years later having run into the same problem. I don't quite understand why it worked without the protocol on one AWS IoT MQTT instance and not the other, but that solved my problem.

Thanks, @seanhamstra
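Two of the configuration slips reported in this thread end in the same CFNetwork SSLHandshake failed (-9829): an endpoint string with no URL scheme (seanhamstra's and j2inet's fix was to prepend "https://") and a region constant in Constants.swift that does not match the region in the endpoint host name (fengsongAWS's check). The script below is an added example for this thread, not code from aws-sdk-ios or from anyone in the issue. It normalises the endpoint and compares the region encoded in the host name with the configured region before the app is built. It assumes that IoT data endpoints have the shape `<prefix>.iot.<region>.amazonaws.com` (optionally `<prefix>-ats`) and that the SDK's region enum names follow the `USEast1` / `APNortheast1` pattern; both assumptions are stated in the code. The endpoint used as input is the one quoted in the thread.

```python
"""Endpoint and region preflight for the AWS IoT endpoint handed to the iOS SDK.

Added example for this thread; not part of aws-sdk-ios. Assumptions:
  - IoT data endpoints look like <prefix>.iot.<region>.amazonaws.com,
    optionally <prefix>-ats.iot.<region>.amazonaws.com;
  - the SDK region enum is spelled <AREA><Name><digit>, e.g. USEast1, USWest2,
    APNortheast1 (other spellings are rejected rather than guessed).
"""
import re
from urllib.parse import urlsplit

IOT_HOST = re.compile(
    r"^[a-z0-9]+(?:-ats)?\.iot\.(?P<region>[a-z]{2}-[a-z]+-\d)\.amazonaws\.com$"
)
ENUM_REGION = re.compile(r"^(?P<area>[A-Z]{2})(?P<name>[A-Z][a-z]+)(?P<n>\d)$")


def normalize_endpoint(endpoint):
    """Return the endpoint as an https:// URL, adding the scheme when it is missing.

    Raises ValueError for a non-https scheme or a host that is not an IoT endpoint.
    """
    endpoint = endpoint.strip()
    if "://" not in endpoint:
        endpoint = "https://" + endpoint          # the fix reported in the thread
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError(f"unexpected scheme {parts.scheme!r}; the SDK endpoint is https")
    if not parts.hostname or not IOT_HOST.match(parts.hostname):
        raise ValueError(f"{parts.hostname!r} does not look like an AWS IoT data endpoint")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{parts.hostname}{port}"


def endpoint_region(endpoint):
    """Region encoded in the endpoint host name, e.g. 'us-west-2'."""
    host = urlsplit(normalize_endpoint(endpoint)).hostname
    return IOT_HOST.match(host).group("region")


def region_code(region):
    """Accept 'us-east-1' or the SDK enum spelling 'USEast1'; return 'us-east-1'."""
    m = ENUM_REGION.match(region)
    if m:
        return f"{m.group('area')}-{m.group('name')}-{m.group('n')}".lower()
    if re.fullmatch(r"[a-z]{2}-[a-z]+-\d", region):
        return region
    raise ValueError(f"unrecognised region spelling {region!r}")


def check_region(endpoint, configured_region):
    """Return (ok, message): does the configured region match the endpoint's region?"""
    wanted = endpoint_region(endpoint)
    configured = region_code(configured_region)
    if wanted == configured:
        return True, f"region {configured} matches the endpoint"
    return False, (
        f"endpoint is in {wanted} but the SDK is configured for {configured}; "
        "fix AwsRegion in Constants.swift or use the endpoint for that region"
    )


if __name__ == "__main__":
    # Endpoint from the thread, checked against the region constant quoted above.
    ep = "a2m71unc61w1ny.iot.us-west-2.amazonaws.com"
    print(normalize_endpoint(ep))
    print(check_region(ep, "USEast1"))   # mismatch: the host name says us-west-2
    print(check_region(ep, "USWest2"))   # match
```

The region check is the one worth wiring into a build or CI step: an endpoint in `us-west-2` paired with `AWSRegionType.USEast1` is a silent mismatch that only surfaces as a failed handshake at runtime.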