aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

mqtt_demo_basic_tls will fail to connect until client cert/private key are added to the openssl credentials #1834

Closed lars-t-hansen closed 1 year ago

lars-t-hansen commented 1 year ago

I was playing with these demos today, and could not get mqtt_demo_basic_tls to connect properly, while there was no problem with mqtt_demo_mutual_auth. This is the output from the former:

[INFO] [DEMO] [mqtt_demo_basic_tls.c:566] Establishing a TLS session to REDACTED.iot.eu-central-1.amazonaws.com:8883.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEMO] [mqtt_demo_basic_tls.c:605] Connection to the broker failed. Retrying connection after 377 ms backoff.

Up to the point of connection the only material difference between these two programs is that mqtt_demo_mutual_auth adds the client cert and the private key to the openssl credentials. As I understand it, those should not be needed for mqtt_demo_basic_tls, but when I do add them to the credentials of the latter program it starts to work as expected. Diff:

diff --git a/demos/mqtt/mqtt_demo_basic_tls/mqtt_demo_basic_tls.c b/demos/mqtt/mqtt_demo_basic_tls/mqtt_demo_basic_tls.c
index ca1f5f13..5f92c8ee 100644
--- a/demos/mqtt/mqtt_demo_basic_tls/mqtt_demo_basic_tls.c
+++ b/demos/mqtt/mqtt_demo_basic_tls/mqtt_demo_basic_tls.c
@@ -548,6 +548,9 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
     opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
     opensslCredentials.sniHostName = BROKER_ENDPOINT;

+        opensslCredentials.pClientCertPath = "...REDACTED.../certificate.pem.crt";
+        opensslCredentials.pPrivateKeyPath = "...REDACTED.../private.pem.key";
+
     /* Initialize reconnect attempts and interval */
     BackoffAlgorithm_InitializeParams( &reconnectParams,
                                        CONNECTION_RETRY_BACKOFF_BASE_MS,
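Review bot: the two added assignments hard-code absolute credential paths as string literals and are indented eight spaces where the surrounding block uses four; if this were meant to land rather than illustrate the workaround, the paths should come from configuration macros alongside the adjacent `ROOT_CA_CERT_PATH` and `BROKER_ENDPOINT` so that a private-key location never sits in the demo source. More importantly, setting `pClientCertPath` and `pPrivateKeyPath` here turns mqtt_demo_basic_tls into the mutual-auth demo; the handshake failure this works around indicates the broker demands a client certificate, so the fix belongs in the choice of demo or broker authentication method, not in this file.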

(The client system is Fedora 37, x64.)

paulbartell commented 1 year ago

@lars-t-hansen : The Basic TLS MQTT demo is not intended to use certificate authentication.

Rather, it's meant to be used with MQTT password-based auth. When connecting to AWS IoT Core, you can use a custom authorizer to accomplish this.

There are also instructions to run the Basic TLS demo with a local MQTT broker (Eclipse Mosquitto).