aws-samples / aws-iot-securetunneling-localproxy

AWS IoT Secure Tunneling local proxy reference C++ implementation
https://docs.aws.amazon.com/iot/latest/developerguide/what-is-secure-tunneling.html
Apache License 2.0

OpenSSL errors when connecting proxy #151

Closed awwithro closed 4 months ago

awwithro commented 5 months ago

Describe the bug

The proxy throws an SSL handshake error when connecting

To Reproduce

docker run --rm -it --entrypoint=/root/bin/localproxy --network=host public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64 --region us-west-2 -s 5555 -t <my_token>

results in

[2024-04-29 20:56:38.196943] (0x0000ffff9a32d040) [warning] Found access token supplied via CLI arg. Consider using environment variable AWSIOT_TUNNEL_ACCESS_TOKEN instead
[2024-04-29 20:56:38.197841] (0x0000ffff9a32d040) [info] Starting proxy in source mode
[2024-04-29 20:56:38.206762] (0x0000ffff9a32d040) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-04-29 20:56:38.513235] (0x0000ffff9a32d040) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)
[2024-04-29 20:56:41.019975] (0x0000ffff9a32d040) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-04-29 20:56:41.108651] (0x0000ffff9a32d040) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)
[2024-04-29 20:56:43.618218] (0x0000ffff9a32d040) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-04-29 20:56:43.714607] (0x0000ffff9a32d040) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)

Expected behavior

I would expect this to connect successfully

Also, the entrypoint is pointing to /root/bin instead of the proxy

Actual behavior

The above error is thrown repeatedly

Environment (please complete the following information):

RogerZhongAWS commented 5 months ago

Hello, I believe #126 fixed this issue and added a -latest suffix to all latest image tags. Can you try doing docker pull public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64-latest and rerunning your command with this new image?

awwithro commented 5 months ago

I'm seeing the same behavior with the latest tag as well

Status: Downloaded newer image for public.ecr.aws/aws-iot-securetunneling-localproxy/ubuntu-bin:arm64-latest
[2024-05-01 21:44:47.710640] (0x0000ffffa8fb7fc0) [warning] Found access token supplied via CLI arg. Consider using environment variable AWSIOT_TUNNEL_ACCESS_TOKEN instead
[2024-05-01 21:44:47.710813] (0x0000ffffa8fb7fc0) [info] Starting proxy in source mode
[2024-05-01 21:44:47.712944] (0x0000ffffa8fb7fc0) [info] Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-west-2.amazonaws.com:443
[2024-05-01 21:44:47.883177] (0x0000ffffa8fb7fc0) [error] Could not perform SSL handshake with proxy server: unregistered scheme (STORE routines)

RogerZhongAWS commented 5 months ago

There may be minute differences between the Ubuntu images depending on the arch, which may not end up giving openssl enough context about which cert stores to use for verifying server certificates. Can you try appending -c /etc/ssl/certs to the localproxy run command to see if that works?

awwithro commented 5 months ago

Adding -c /etc/ssl/certs does get this working
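
As an added example (not part of this thread or the localproxy project), a POSIX shell check that verifies a directory is usable as the `-c` CA path before launching localproxy: OpenSSL's directory lookup needs both the PEM certificates and the hash-named links that `openssl rehash` creates, and a missing or unhashed store surfaces only as a failed handshake like the one above. The function names and return codes are my own.

```shell
#!/bin/sh
# Added example, not code from the issue or the localproxy project.
# Validate a directory before handing it to localproxy as `-c <capath>`.
# Return codes: 0 usable, 1 not a directory, 2 no PEM certificates,
# 3 certificates present but no OpenSSL hash links (fix: openssl rehash DIR).
check_capath() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "capath: '$dir' is not a directory" >&2
        return 1
    fi
    # At least one file must carry a PEM certificate block.
    if ! grep -qs -e '-----BEGIN CERTIFICATE-----' "$dir"/*; then
        echo "capath: no PEM certificates found in '$dir'" >&2
        return 2
    fi
    # OpenSSL's CApath lookup resolves issuers by subject-hash file names
    # (8 hex digits, a dot, a sequence number), e.g. 4a6481c9.0.
    hashed=0
    for f in "$dir"/*; do
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                hashed=$((hashed + 1)) ;;
        esac
    done
    if [ "$hashed" -eq 0 ]; then
        echo "capath: '$dir' has no hash links; run: openssl rehash '$dir'" >&2
        return 3
    fi
    return 0
}

# Print the argument to append to the localproxy command line, or print
# nothing and exit non-zero when the directory would not work as a CA path.
localproxy_capath_arg() {
    check_capath "$1" || return $?
    printf -- '-c %s\n' "$1"
}

# Stand-alone usage against the path suggested in this thread:
#   sh check_capath.sh --check /etc/ssl/certs
if [ "${1:-}" = "--check" ]; then
    localproxy_capath_arg "${2:-/etc/ssl/certs}"
fi
```

The printed `-c /etc/ssl/certs` is appended to the `docker run ... localproxy` command from the bug report; inside the container, the path checked must be the container's, not the host's.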

RogerZhongAWS commented 4 months ago

Closing this issue, feel free to reopen if you have any other inquiries.

awwithro commented 4 months ago

Wouldn't it make sense to update the container so the default args work?